Brooklyn Nine-Nine
This engagement involved assessing a Linux-based target exposing FTP, SSH, and HTTP services. Initial enumeration revealed anonymous FTP access and a web application containing hidden clues, leading to credential discovery and full system compromise.
Reconnaissance
Port scanning revealed the following services:
- FTP (vsftpd 3.0.3) with anonymous login enabled
- SSH (OpenSSH 7.6p1)
- HTTP (Apache 2.4.29)
The web server contained an image with hidden clues, suggesting steganography as a potential attack vector.
Initial Findings
Analysis of the web application revealed a hidden message within an image using steganography. Extracting the data exposed credentials for a valid user.
- User: holt
- Password: fluffydog12@ninenine
FTP access also revealed a note referencing weak password practices, indicating additional attack opportunities.
Key Finding: Credential Exposure via Steganography
Sensitive credentials were embedded within a publicly accessible image. This allowed attackers to extract authentication details using common steganography tools.
Combined with weak password practices, this created a direct path to system access.
Exploitation
SSH access was obtained using the extracted credentials. Additional user credentials were brute-forced due to weak password policies.
Privilege escalation was achieved through a misconfigured sudo permission allowing execution of nano. By leveraging nano’s command execution feature, a root shell was obtained.
sudo nano
^R^X
reset; sh 1>&0 2>&0
- Sensitive data should never be embedded in publicly accessible files
- Steganography can introduce hidden attack vectors if misused
- Weak passwords significantly increase risk of compromise
- Misconfigured sudo permissions can lead to full privilege escalation
- Multi-vector enumeration is critical for successful exploitation
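A defensive check for the sudo finding above, as an added example that is not part of the original write-up: it parses sudoers-style rules and flags any that grant a program able to run other commands, such as nano, without the NOEXEC tag. The sample rules, the user names, and the ESCAPE_CAPABLE list are constructed for illustration, and aliases are not expanded.

```python
import re

# Programs with a built-in way to run other commands (editors, pagers,
# interpreters). Illustrative denylist chosen for this example, not exhaustive.
ESCAPE_CAPABLE = {"nano", "vi", "vim", "less", "more", "man", "awk", "find",
                  "python3", "perl", "bash", "sh"}

# user host = (runas) [TAG:] cmd, cmd ...   (aliases are not expanded here)
RULE = re.compile(r"^(?P<user>[^\s#]+)\s+[^\s=]+\s*=\s*"
                  r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")

# Constructed sample input, not taken from the assessed host.
SAMPLE = """\
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: /bin/nano
backup  ALL=(root) NOEXEC: /usr/bin/less /var/log/syslog
deploy  ALL=(root) /usr/bin/systemctl restart apache2, /usr/bin/vim /etc/app.conf
"""


def audit_sudoers(text):
    """Return (user, command, reason) for rules that hand out a shell escape."""
    findings = []
    for line in map(str.strip, text.splitlines()):
        if not line or re.match(r"#|Defaults|\w+_Alias\b", line):
            continue
        m = RULE.match(line)
        if not m:
            continue
        runas = m.group("runas") or "root"
        noexec = False  # a tag applies to the rest of the command list
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            t = TAGS.match(cmd)
            if t:
                names = set(re.findall(r"[A-Z_]+", t.group(0)))
                noexec = (noexec or "NOEXEC" in names) and "EXEC" not in names
                cmd = cmd[t.end():].strip()
            prog = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
            if prog in ESCAPE_CAPABLE and not noexec:
                reason = f"{prog} can run commands as {runas}"
                findings.append((m.group("user"), cmd, reason))
    return findings


if __name__ == "__main__":
    for user, cmd, reason in audit_sudoers(SAMPLE):
        print(f"{user}: {cmd} -> {reason}")
```

Where a user only needs to edit a specific file, granting sudoedit on that file avoids running the editor itself as root.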