This is my write-up for TryHackMe’s Brooklyn Nine Nine Room. According to the room description, there are 2 ways to root the box. However, I will only describe the first method I found. The 2nd method will be described in the next post.
Using nmap, I saw that this box is running FTP, SSH and HTTP.
Checking the webpage from my browser, I saw the following:
The webpage looked like a dead end, but when I checked the source code, I saw a clue:
Steganography? Sounds interesting…
I decided to download the file brookyn99.jpg. Running steghide, it looked like there was actually something hidden in the file.
However, it is password-protected.
Maybe stegcracker can crack it? Running stegcracker, I was able to extract the hidden contents.
Checking the hidden file, I found the credentials for 1 user:
Using the credentials, I was able to connect to the target via SSH.
Checking for sudo privileges, I found that I could run nano under sudo.
According to GTFOBins, nano can be used to elevate privileges.
Running sudo /bin/nano opens up the nano text editor. From inside nano, I simply followed the steps shown in GTFOBins and typed:
reset; sh 1>&0 2>&0
This then opened another sh shell with root privileges.
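The sudo rule behind this escalation is something a configuration review can catch. As an added example (not part of the original write-up), the following Python script audits `sudo -l` output for rules that permit binaries with known shell escapes. The sample output, the user and host names, and the short binary list are constructed for illustration.

```python
import os
import re

# Short, non-exhaustive subset of binaries with shell escapes listed on GTFOBins.
SHELL_ESCAPE_BINARIES = {"nano", "vi", "vim", "less", "more", "man", "find", "awk", "ed"}
# One rule line of `sudo -l` output, e.g. "(ALL) NOPASSWD: /bin/nano".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

# Constructed sample of `sudo -l` output (hypothetical user "alice" on host "web01").
SAMPLE = """\
Matching Defaults entries for alice on web01:
    env_reset, mail_badpass

User alice may run the following commands on web01:
    (ALL) NOPASSWD: /bin/nano
    (root) /usr/bin/systemctl restart nginx, /usr/bin/less /var/log/syslog
    (root) NOEXEC: /usr/bin/vim /etc/motd
"""


def audit_sudo_rules(sudo_l_output):
    """Return one finding per sudo rule that allows an escape-capable binary."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header and Defaults lines are not rules
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if not cmd:
                continue
            path = cmd.split()[0]
            if path == "ALL":
                reason = "unrestricted command set"
            elif os.path.basename(path) in SHELL_ESCAPE_BINARIES:
                reason = "binary can spawn a shell"
            else:
                continue
            findings.append({"runas": m.group("runas"), "command": cmd,
                             "reason": reason,
                             "nopasswd": "NOPASSWD" in tags,
                             "noexec": "NOEXEC" in tags})
    return findings


if __name__ == "__main__":
    for f in audit_sudo_rules(SAMPLE):
        print(f)
```

Where a user only needs to edit specific files as root, a `sudoedit` rule limited to those files avoids running the editor itself with root privileges.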