TryHackMe Brooklyn99 Walkthrough.

Let’s scan the machine with rustscan for ports

rustscan -a IP

We have 3 port’s open

21 — FTP

22 — SSH

80 — HTTP

Time to get User flag

Let’s see if anonymous login is allowed in FTP.

Yes, login with anonymous is allowed. Let’s see what files are in the folder.

We find 3 usernames — Holt, Amy and Jake

It seems that Jake has a weak password, probably we can brute force and get the password?

hydra -l jake -P /path/to/rockyou.txt ssh://IP -t 50

Yes! We have the password for user jake on SSH.

Let’s login using those credentials.

We are in!!

Let’s find where is the user flag using the command : find / -name user.txt 2>dev/null

We can see it is in /home/holt.
Let’s grab it!

User flag down!!

Time to get Root flag

We can see it’s running a Ubuntu machine.

There was a recent CVE for getting root access in Ubuntu CVE-2021–3493

(If you wanna know more about this CVE check out this room)

After visiting that site, scroll down until you find a C program. Let’s copy it.

Now let’s go in the /tmp directory in the compromised machine.

Use nano text editor to save that code.

Let’s name it exploit.c

nano exploit.c

CTRL+SHIFT+V (paste the code you copied)


Press y


Let’s compile the program using gcc

gcc exploit.c -o rootshell

Let’s run the binary — ./rootshell

Let’s go in the /root directory and get the flag.

Root flag down!!

Thank You for reading my writeup hope you enjoyed it



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Aksheet V

Hi, I’m Aksheet. Interested in Cyber Security and Aviation. eJPT certified