TryHackMe Brooklyn99 Walkthrough.

This is a walkthrough for TryHackMe room Brooklyn Nine Nine

Let’s scan the machine with rustscan for ports

rustscan -a IP

We have 3 port’s open

21 — FTP

22 — SSH

80 — HTTP

Time to get User flag

Let’s see if anonymous login is allowed in FTP.

Yes, login with anonymous is allowed. Let’s see what files are in the folder.

We find 3 usernames — Holt, Amy and Jake

It seems that Jake has a weak password, probably we can brute force and get the password?

hydra -l jake -P /path/to/rockyou.txt ssh://IP -t 50

Yes! We have the password for user jake on SSH.

Let’s login using those credentials.

We are in!!

Let’s find where is the user flag using the command : find / -name user.txt 2>dev/null

We can see it is in /home/holt.
Let’s grab it!

User flag down!!

Time to get Root flag

We can see it’s running a Ubuntu machine.

There was a recent CVE for getting root access in Ubuntu CVE-2021–3493

(If you wanna know more about this CVE check out this room)

After visiting that site, scroll down until you find a C program. Let’s copy it.

Now let’s go in the /tmp directory in the compromised machine.

Use nano text editor to save that code.

Let’s name it exploit.c

Steps:
nano exploit.c

CTRL+SHIFT+V (paste the code you copied)

CTRL+X

Press y

ENTER

Let’s compile the program using gcc

gcc exploit.c -o rootshell

Let’s run the binary — ./rootshell

Let’s go in the /root directory and get the flag.

Root flag down!!

Thank You for reading my writeup hope you enjoyed it

--

--

--

Hi, I’m Aksheet. Interested in Cyber Security and Aviation. eJPT certified

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

UiPath Switch Activity Example

Get Started with AWS SAM and ASP.NET Core

Handling Real-World JSON Data in Elm

My story…

Java Spring Part 2: All about Bean

Octopus and DEIP: Alex Shkor explains

Alvin’s Dew Drop Daily — Issue #89

Red-black Tree, why you should be using it.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Aksheet V

Aksheet V

Hi, I’m Aksheet. Interested in Cyber Security and Aviation. eJPT certified

More from Medium

Road to OSCP 11: Blocky HackTheBox

TryHackMe AoC3 - Day 2 Walkthrough —

TryHackMe CVE-2021–41773/42013 Write-up SMN666

FALL Vulnhub Walkthrough