[{"data":1,"prerenderedAt":191},["ShallowReactive",2],{"\u002F2025\u002Ftryhackme-brooklynninenine-writeup":3,"surround-\u002F2025\u002Ftryhackme-brooklynninenine-writeup":182},{"_path":4,"_dir":5,"_draft":6,"_partial":7,"_locale":8,"title":9,"description":10,"date":11,"updated":11,"image":12,"categories":13,"draft":6,"readingTime":15,"body":20,"_type":175,"_id":176,"_source":177,"_file":178,"_stem":179,"_extension":180,"_original_dir":181},"\u002F2025\u002Ftryhackme-brooklynninenine-writeup","2025","fasle",false,"","TryHackMe - Brooklyn Nine Nine","A step-by-step solution guide for the TryHackMe Brooklyn Nine-Nine room. In this article, discover how to gain initial access by finding a user clue on an anonymous FTP server to brute-force an SSH password, and how to gain root privileges by exploiting a misconfigured sudo policy.","2025-08-25T08:28:54.000Z","https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-brooklynninenine-writeup\u002Fthumbnail.jpg",[14],"CTF",{"text":16,"minutes":17,"time":18,"words":19},"1 min read",0.36,21600,72,{"type":21,"children":22,"toc":168},"root",[23,29,45,52,56,73,77,81,87,100,104,115,119,125,155,160,164],{"type":24,"tag":25,"props":26,"children":28},"element","pic",{"src":27},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-brooklynninenine-writeup\u002F1.jpg",[],{"type":24,"tag":30,"props":31,"children":32},"p",{},[33,36],{"type":34,"value":35},"text","Target IP: ",{"type":24,"tag":37,"props":38,"children":42},"a",{"href":39,"rel":40},"https:\u002F\u002Ftryhackme.com\u002Froom\u002Fbrooklynninenine",[41],"nofollow",[43],{"type":34,"value":44},"10.10.118.212",{"type":24,"tag":46,"props":47,"children":49},"h2",{"id":48},"reconnaissance",[50],{"type":34,"value":51},"Reconnaissance",{"type":24,"tag":25,"props":53,"children":55},{"src":54},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-brooklynninenine-writeup\u002F2.jpg",[],{"type":24,"tag":30,"props":57,"children":58},{},[59,61,71],{"type":34,"value":60},"We have an FTP service that allows ",{"type":24,"tag":62,"props":63,"children":68},"code",{"className":64,"id":66,"style":67},[65],"example-info","just-like-this","color: #4DFFBE",[69],{"type":34,"value":70},"anonymous",{"type":34,"value":72}," access.",{"type":24,"tag":25,"props":74,"children":76},{"src":75},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-brooklynninenine-writeup\u002F3.jpg",[],{"type":24,"tag":25,"props":78,"children":80},{"src":79},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-brooklynninenine-writeup\u002F4.jpg",[],{"type":24,"tag":46,"props":82,"children":84},{"id":83},"initial-access",[85],{"type":34,"value":86},"Initial Access",{"type":24,"tag":30,"props":88,"children":89},{},[90,92,98],{"type":34,"value":91},"Here we learn the name ",{"type":24,"tag":62,"props":93,"children":95},{"className":94,"id":66,"style":67},[65],[96],{"type":34,"value":97},"jake",{"type":34,"value":99}," and that its password is weak. Let's perform a brute force attack using \"hydra\".",{"type":24,"tag":25,"props":101,"children":103},{"src":102},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-brooklynninenine-writeup\u002F5.jpg",[],{"type":24,"tag":30,"props":105,"children":106},{},[107,109],{"type":34,"value":108},"Let's log in via SSH using the information we obtained here. ",{"type":24,"tag":62,"props":110,"children":112},{"className":111,"id":66,"style":67},[65],[113],{"type":34,"value":114},"james:987654321",{"type":24,"tag":25,"props":116,"children":118},{"src":117},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-brooklynninenine-writeup\u002F6.jpg",[],{"type":24,"tag":46,"props":120,"children":122},{"id":121},"privilege-escalation",[123],{"type":34,"value":124},"Privilege Escalation",{"type":24,"tag":30,"props":126,"children":127},{},[128,130,136,138,144,146,153],{"type":34,"value":129},"A simple investigation revealed that the user ",{"type":24,"tag":62,"props":131,"children":133},{"className":132},[],[134],{"type":34,"value":135},"james",{"type":34,"value":137}," was able to run the ",{"type":24,"tag":62,"props":139,"children":141},{"className":140},[],[142],{"type":34,"value":143},"\u002Fusr\u002Fbin\u002Fless",{"type":34,"value":145}," binary with sudo privileges without a password. We can find the commands required to elevate privileges on the ",{"type":24,"tag":37,"props":147,"children":150},{"href":148,"rel":149},"https:\u002F\u002Fgtfobins.github.io\u002Fgtfobins\u002Fless\u002F",[41],[151],{"type":34,"value":152},"GFTObins",{"type":34,"value":154}," website.",{"type":24,"tag":156,"props":157,"children":159},"copy",{"code":158},"sudo less \u002Fetc\u002Fprofile\n!\u002Fbin\u002Fsh",[],{"type":24,"tag":25,"props":161,"children":163},{"src":162},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-brooklynninenine-writeup\u002F8.jpg",[],{"type":24,"tag":25,"props":165,"children":167},{"src":166},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-brooklynninenine-writeup\u002F7.jpg",[],{"title":8,"searchDepth":169,"depth":169,"links":170},4,[171,173,174],{"id":48,"depth":172,"text":51},2,{"id":83,"depth":172,"text":86},{"id":121,"depth":172,"text":124},"markdown","content:posts:2025:tryhackme-brooklynninenine-writeup.md","content","posts\u002F2025\u002Ftryhackme-brooklynninenine-writeup.md","posts\u002F2025\u002Ftryhackme-brooklynninenine-writeup","md","\u002Fposts",[183,187],{"_path":184,"title":185,"date":186},"\u002F2025\u002Ftryhackme-startup-writeup","TryHackMe - Startup","2025-08-25T05:33:27.000Z",{"_path":188,"title":189,"date":190},"\u002F2025\u002Ftryhackme-ignite-writeup","TryHackMe - Ignite","2025-08-25T14:27:41.000Z",1777022959103]