TryHackMe write-up: Brooklyn Nine Nine (Second Method)


This is my 2nd write-up for TryHackMe’s Brooklyn Nine Nine Room. According to the room description, there are 2 ways to root the box. The first method was described in an earlier post. The 2nd method will be described here.


Using nmap, I saw that this box is running FTP, SSH and HTTP.

It turns out, FTP allows anonymous access.

Downloading the note, I found that one user uses a weak password.


Running hydra, I quickly find the password.

Using the cracked password, I was able to SSH to the target.

A simple find command allowed me to find the location of user.txt. Turns out I have read access to it.

Privilege Escalation

Checking for sudo privileges, I found that I could run “less” under sudo.

According to GTFOBins, “less” can be used to elevate privileges.

Running “sudo /usr/bin/less /etc/profile” opens /etc/profile inside the “less” viewer. Following the instructions from GTFOBins, I typed in the following from inside “less”:


This started “sh” as root, thus giving me elevated privileges. I was then able to view the contents of root.txt.




I like breaking stuff.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

A story about deprecated Kubernetes labels and software startup failures

Relationship Chain Locks: Don’t Block the Rock!

Journey of building My First SDK!

Dealing with failure

Rust Techniques For Compiler Engineers

Every Python Coder Should Use This Tool

Make Events and APIs easier to find and use

Database Running in Docker

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


I like breaking stuff.

More from Medium


Walkthrough for Hack-The-Box Lame


HackTheBox — Shibboleth Writeup