Vibhav Chennamadhava

Brooklyn99 pwned!

Rooting the Brooklyn Nine Nine TryHackMe Room – My experience
I recently completed the Brooklyn Nine Nine room on TryHackMe, and it turned out to be a really solid box that reinforces the importance of enumeration, patience, and chaining small misconfigurations to get full control of a system.

Recon & Enumeration
Firstly, I started with an Nmap scan to understand what I was dealing with. The scan revealed three open ports:

21 (FTP) with anonymous login enabled

22 (SSH)

80 (HTTP) running Apache

Seeing anonymous FTP tingled my bells immediately for entry.

FTP Access
Logging into the FTP service as anonymous worked without any issues. Inside, I found a file called note_to_jake.txt. After downloading and reading it locally, the note warned Jake about using a weak password — a clear hint that brute-forcing SSH might be viable.

Cracking SSH
Using that hint, I ran Hydra against the SSH service with the rockyou.txt wordlist. Sure enough, Jake’s password was extremely weak and easy; I had it in less than 2 min. With valid credentials in hand, I logged in as jake via SSH.

User Flag
Once logged in, I began enumerating the system. Checking the /home directory revealed multiple users, including holt. Inside Holt’s home directory, I found and captured the user flag.

Privilege Escalation
The next step was escalating privileges. Running sudo -l showed that Jake could run /usr/bin/less as root. This was it.

By using less with sudo, I was able to access /root/root.txt and effectively gain root-level access, completing the box and grabbing the root flag.
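From the defender's side, the same `sudo -l` output can be audited for this kind of rule. The script below is an added example, not part of the original write-up: it parses `sudo -l` output and flags rules that run a pager, editor or similar program as root. The `RISKY` shortlist, the function name `audit_sudo_l` and the sample output (hostname, tags and every rule other than `/usr/bin/less`) are assumptions constructed for illustration.

```python
import os
import re

# Assumed shortlist of programs that can open arbitrary files or start other
# programs on request; extend it to match local policy.
RISKY = {"less", "more", "man", "vi", "vim", "nano", "find", "awk", "env", "tar"}

# A rule line of `sudo -l` output: "(runas) [TAG: ...] command[, command ...]"
RULE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")

def audit_sudo_l(text):
    """Return (command, nopasswd, noexec) for each risky rule that runs as root."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header, Defaults entries, blank lines
        runas, tags, cmds = m.groups()
        users = {u.strip() for u in runas.split(":")[0].split(",")}
        if not users & {"ALL", "root"}:
            continue  # rule does not grant root
        tagset = {t.strip() for t in tags.split(":") if t.strip()}
        for cmd in filter(None, (c.strip() for c in cmds.split(","))):
            name = os.path.basename(cmd.split()[0])
            if cmd == "ALL" or name in RISKY:
                findings.append((cmd, "NOPASSWD" in tagset, "NOEXEC" in tagset))
    return findings

# Constructed sample of `sudo -l` output (not captured from the room).
SAMPLE = """\
Matching Defaults entries for jake on host:
    env_reset, mail_badpass

User jake may run the following commands on host:
    (ALL) NOPASSWD: /usr/bin/less
    (root) NOEXEC: /usr/bin/vim /etc/motd
    (holt) /usr/bin/find
    (root) /usr/sbin/reboot
"""

if __name__ == "__main__":
    for cmd, nopasswd, noexec in audit_sudo_l(SAMPLE):
        # NOEXEC stops the program from launching others; it still opens files as root.
        scope = "reads any file as root" if noexec else "reads any file and can launch programs as root"
        auth = "no password prompt" if nopasswd else "password required"
        print(f"REVIEW {cmd}: {scope} ({auth})")
```

The `NOEXEC` case is reported rather than cleared because that tag does not limit which files the program can open, which is all that was needed here to read `/root/root.txt`.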

I came to know that the room could also be solved a different way. If you guys know, lmk~

This room was a great reminder that:

Enumeration is everything

Weak passwords are still a real-world problem

Small sudo misconfigurations can lead directly to root

Overall, Brooklyn Nine Nine was a fun and educational challenge.

Nine-Nine. 🚓
