Even Santa has been having to adopt the “work from home” ethic in 2020. To help Santa out, Elf McSkidy and their team created a file server for The Best Festival Company (TBFC) that uses the FTP protocol. However, an attacker was able to hack this new server. Your mission, should you choose to accept it, is to understand how this hack occurred and to retrace the steps of the attacker.
Question #1: Name the directory on the FTP server that has data accessible by the “anonymous” user
I started off by logging into the FTP server as “anonymous”:
After looking at the directories, we can see that there is one that is available for the user anonymous to access, which is public:
Question #2: What script gets executed within this directory?
To find the answer to this question, I changed directories into “public” and then looked at the contents. There is a script called backup.sh located within.
Question #3: What movie did Santa have on his Christmas shopping list?
To retrieve the shopping list, I used the “get” command. It is now located on my own system for me to view.
Question #4: Re-upload this script to contain malicious data (just like we did in section 9.6). Output the contents of /root/flag.txt!
I started by grabbing that file from the FTP server in the same way.
I was then able to view the contents.
I opened it up in nano so I could start some edits.
Using a Reverse Shell Cheat Sheet, I erased everything else and added something that would give me a reverse shell.
Before I send it over, though, I’m going to set up a listener using netcat. Use the same port you specified in the script.
Use Ctrl + X to close and save, then upload it to the FTP server with the “put” command. We are putting it in that same public directory we have access to.
After a little bit, you will receive a connection at your listener:
From here, we just need to navigate to the flag.txt file.
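The whole compromise rests on one misconfiguration: a script that gets executed on the server sits where the FTP user can overwrite it. As an added example (not part of the original write-up or the room), here is a defender-side audit for that condition; the function names are hypothetical, and it assumes it is run on the server against the local path of the FTP root.

```python
import os
import stat

WRITABLE = stat.S_IWGRP | stat.S_IWOTH  # write bits for anyone but the owner


def looks_like_script(path, mode):
    """Treat a file as a script if it is executable, ends in .sh, or has a shebang."""
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH) or path.endswith(".sh"):
        return True
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"#!"
    except OSError:
        return False


def audit_ftp_root(root):
    """Return (relative_path, reasons) for scripts that a non-owner could replace."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        dmode = os.stat(dirpath).st_mode
        # A writable directory without the sticky bit lets any writer delete
        # and re-create files in it, whatever the file's own mode is.
        dir_open = bool(dmode & WRITABLE) and not dmode & stat.S_ISVTX
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode) or not looks_like_script(path, st.st_mode):
                continue
            reasons = []
            if st.st_mode & WRITABLE:
                reasons.append("file is group/world-writable")
            if dir_open:
                reasons.append("parent directory is group/world-writable")
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return findings


if __name__ == "__main__":
    import sys
    # Assumption: the FTP root path is passed as the first argument.
    for rel, reasons in audit_ftp_root(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rel}: {'; '.join(reasons)}")
```

Any finding that is also referenced by a scheduled job or service should be moved out of the FTP tree or made owner-writable only.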
Happy Hacking! ❤