Bounty Hacker

This engagement involved leveraging anonymous FTP access to obtain credential artifacts, gaining SSH access via brute force, and exploiting a misconfigured sudo permission on the tar binary to achieve full root compromise.

Reconnaissance

Port scanning revealed the following services:

Web enumeration revealed minimal content, but directory fuzzing identified an /images directory containing a file of interest (crew.jpg). Further enumeration shifted focus to FTP due to anonymous access.

Initial Access

Anonymous FTP access allowed retrieval of files including locks.txt and task.txt, which revealed a valid username: lin.

The discovered password list was used to brute force SSH access, successfully obtaining credentials for the lin user.

Privilege Escalation

After gaining access, sudo -l revealed that the user could execute /bin/tar as root without a password.

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

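This command uses tar's checkpoint feature: --checkpoint=1 triggers a checkpoint after the first record is processed, and --checkpoint-action=exec=/bin/sh runs a shell at that checkpoint. Because tar was started through sudo, the shell runs with root privileges.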
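For defenders, the sudo invocation above leaves a recognisable line in sudo's syslog output. The following is an added example, not part of the original write-up: it scans sudo log lines for tar runs whose checkpoint action executes a program. The log lines, the hostname and the function names are constructed for illustration.

```python
import re

# Constructed sample lines in sudo's syslog format (not taken from the target host).
SAMPLE_LOG = """\
Jan 10 09:12:01 host sudo:      lin : TTY=pts/0 ; PWD=/home/lin ; USER=root ; COMMAND=/bin/tar -czf /tmp/backup.tgz /home/lin/docs
Jan 10 09:14:37 host sudo:      lin : TTY=pts/0 ; PWD=/home/lin ; USER=root ; COMMAND=/bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
Jan 10 09:20:05 host sudo:      lin : TTY=pts/0 ; PWD=/home/lin ; USER=root ; COMMAND=/bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action exec=/bin/sh
Jan 10 09:25:44 host sudo:      lin : TTY=pts/0 ; PWD=/home/lin ; USER=root ; COMMAND=/usr/bin/apt update
"""

SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)
# GNU long options may be abbreviated, so accept any spelling that can only
# resolve to --checkpoint-action (plain --checkpoint=N does not match).
ACTION_OPT = re.compile(r"^--checkpoint-[a-z]*$")


def checkpoint_exec(argv):
    """Return the program tar is told to exec at a checkpoint, or None."""
    for i, arg in enumerate(argv):
        opt, sep, value = arg.partition("=")
        if not ACTION_OPT.match(opt):
            continue
        if not sep:  # "--checkpoint-action exec=..." with the value as next argument
            value = argv[i + 1] if i + 1 < len(argv) else ""
        if value.startswith("exec="):
            return value[len("exec="):]
    return None


def scan(log_text):
    """Yield (user, runas, exec_target) for sudo tar runs that exec a command."""
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if not m:
            continue
        # sudo logs the arguments joined by spaces, so a plain split recovers argv.
        argv = m["cmd"].split()
        if argv and argv[0].rsplit("/", 1)[-1] == "tar":
            target = checkpoint_exec(argv[1:])
            if target:
                yield m["user"], m["runas"], target


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("ALERT sudo tar checkpoint exec:", hit)
```

Detection only shows that the rule was used; the fix is to remove the passwordless /bin/tar entry from sudoers, since a rule that lets a user run tar as root is equivalent to granting a root shell.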

Impact

Full system compromise was achieved. The attacker gained root-level access, allowing complete control over the system including file modification, persistence, and potential lateral movement.