TryHackMe write-up: Brooklyn Nine Nine (Second Method)

2 min readJun 24, 2021


This is my 2nd write-up for TryHackMe’s Brooklyn Nine Nine Room. According to the room description, there are 2 ways to root the box. The first method was described in an earlier post. The 2nd method will be described here.


Using nmap, I saw that this box is running FTP, SSH and HTTP.

It turns out, FTP allows anonymous access.

Downloading the note, I found that one user uses a weak password.


Running hydra, I quickly find the password.

Using the cracked password, I was able to SSH to the target.

A simple find command allowed me to find the location of user.txt. Turns out I have read access to it.

Privilege Escalation

Checking for sudo privileges, I found that I could run “less” under sudo.

According to GTFOBins, “less” can be used to elevate privileges.

Running “sudo /usr/bin/less /etc/profile” opens /etc/profile inside the “less” viewer. Following the instructions from GTFOBins, I typed in the following from inside “less”:


This started “sh” as root, thus giving me elevated privileges. I was then able to view the contents of root.txt.