TryHackMe write-up: Brooklyn Nine Nine (Second Method)

Introduction

This is my 2nd write-up for TryHackMe’s Brooklyn Nine Nine Room. According to the room description, there are 2 ways to root the box. The first method was described in an earlier post. The 2nd method will be described here.

Enumeration

Using nmap, I saw that this box is running FTP, SSH and HTTP.

It turns out, FTP allows anonymous access.

Downloading the note, I found that one user uses a weak password.

Exploitation

Running hydra, I quickly find the password.

Using the cracked password, I was able to SSH to the target.

A simple find command allowed me to find the location of user.txt. Turns out I have read access to it.

Privilege Escalation

Checking for sudo privileges, I found that I could run “less” under sudo.

According to GTFOBins, “less” can be used to elevate privileges.

Running “sudo /usr/bin/less /etc/profile” opens /etc/profile inside the “less” viewer. Following the instructions from GTFOBins, I typed in the following from inside “less”:

!/bin/sh

This started “sh” as root, thus giving me elevated privileges. I was then able to view the contents of root.txt.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store