July 11, 2026
Brooklyn Nine Nine โ TryHackMe Writeup
By Greedoftheendless
3 min read
Hello everyone and hope your having a nice day! Today, we'll be diving deep into the TryHackMe Brooklyn Nine Nine room.
Room link is here
We have two objectives today.
- Find the user flag.
- Find the root flag.
Reconnaissance
First what we do after getting the IP address of the machine is to check what ports and services are open and running inside the machine. For that we use Nmap.
sudo nmap -sV -sC <ip>sudo nmap -sV -sC <ip>- sV shows us the services and their versions
- -sC runs NSE scrips that check what kind of enumeration or service is available for exploit
Here we found that an open ftp port(21), an open ssh port(22) and a open HTTP port(80) are open.
The website shows us a picture of B99 which we can do through stenography(which we won't do tho)
Since FTP port is open and can be used using anonymous login, we will do that.
ftp <ip>ftp <ip>
now lets see what we can find. We do "ls" to see what files are there. And we find note_to_jake.txt. Since cat is not a command available in ftp shells, we will use get command to send it to our system. Tip: when doing ls if you get a wierd message of timeout, type passive and then do ls.
Lets concatenate the file and see its content.
What we can infer from this are that one of the user of the machine is jake and that the password of the machine is weak.
Enumeration
Since the password is weak we can use brute-force tools such as hydra or john(using hydra in this case).
hydra -l <user> -P <wordlist> ssh://<ip>hydra -l <user> -P <wordlist> ssh://<ip>- l: for username
- -P: for password wordlist(use seclist or rockyou.txt)
From this we have found the username and the password.
So let us ssh inside the machine using these given credentials.
ssh <user>@<ip>ssh <user>@<ip>
Let us snoop a bit inside the system a bit. According to the note, Holt was mentioned, which means its a possibility that Holt could also be a user. When we do cd .. we can see Amy, Holt and Jake are the users. Let us enter Holt and see what we can find. We have a nano.save file and a user.txt file which has the flag for user flag.
Now we have one of our objectives completed and now need to find the root flag. For root flag we need to do a privilege escalation(which allows us to be root and gain admin level privileges)
Exploitation
Whenever privilege escalation comes into stage, the first thing we always check is what can the current us/user do using sudo. For that we can run:
sudo -lsudo -l
Here it says that we can less command(which displays content of the file) using sudo. To see what can we use using less, we have to visit GTDOBins, a site that has unix command for each and every situation related to pentesting.
Link to site is here
Here we can search for privilege escalation and search for less command.
Since typing the whole command might show errors, we can first run less /etc/profile. And then inside the shell we type !/bin/sh
Now we are root and we have to find the root file. we can do to / using
cd /cd /Here we found root.txt. We can concatenate it and find the final flag.
With this both the objectives are solved and our room is complete.
Conclusion
This room taught us the basics of scanning, enumeration, privilege escalation and brute-forcing, which are the most basic techniques that are used in most CTF's and pentesting environments. Hope you had fun solving this room! Bye-Bye ๐.