Same drill, ssh in and get a shell, check out what our new home looks like:

$ ls -al
[email protected]:~$ ls -al
total 20
dr-x------ 2 morpheus morpheus 4096 Oct 17  2018 .
drwxr-xr-x 8 root     root     4096 May 30  2018 ..
lrwxrwxrwx 1 root     root        9 May 30  2018 .bash_history -> /dev/null
-r-x------ 1 morpheus morpheus  220 Aug 31  2015 .bash_logout
-r-x------ 1 morpheus morpheus 3771 Jun  2  2018 .bashrc
lrwxrwxrwx 1 root     root        9 Oct 17  2018 .mysql_history -> /dev/null
-r-x------ 1 morpheus morpheus  655 May 16  2017 .profile

Wait, is this the same box?!

$ ls -al /home
[email protected]:~$ ls -al /home
total 32
drwxr-xr-x  8 root      root      4096 May 30  2018 .
drwxr-xr-x 22 root      root      4096 Jul  7 01:26 ..
dr-x------  2 architect architect 4096 Oct 17  2018 architect
dr-x------  2 cypher    cypher    4096 Oct 17  2018 cypher
dr-x------  2 morpheus  morpheus  4096 Oct 17  2018 morpheus
dr-x------  2 neo       neo       4096 Oct 17  2018 neo
dr-x------  3 oracle    oracle    4096 Oct 17  2018 oracle
dr-xr-x---  2 trinity   neo       4096 Oct 17  2018 trinity
$ ls -al /
total 72
drwxr-xr-x   22 root root 4096 Jul  7 01:26 .
drwxr-xr-x   22 root root 4096 Jul  7 01:26 ..
drwxr-xr-x    2 root root 4096 May 30  2018 backup
drwxr-xr-x    2 root root 4096 May 30  2018 bin
drwxr-xr-x    2 root root 4096 Apr 12  2016 boot
drwxr-xr-x    7 root root  520 Jul  7 01:26 dev
drwxr-xr-x   72 root root 4096 Sep 30  2019 etc
drwxr-xr-x    8 root root 4096 May 30  2018 home
drwxr-xr-x   13 root root 4096 May 30  2018 lib
drwxr-xr-x    2 root root 4096 Feb 26  2018 lib64
drwxr-xr-x    2 root root 4096 Aug 25  2017 media
drwxr-xr-x    2 root root 4096 Aug 25  2017 mnt
-rw-------    1 root root    0 Dec  8  2018 nohup.out
drwxr-xr-x    2 root root 4096 Aug 25  2017 opt
dr-xr-xr-x 1509 root root    0 Jul  7 01:26 proc
drw-------    5 root root 4096 Apr 25 18:06 root
drwxr-xr-x   13 root root  440 Jul 13 23:01 run
drwxr-xr-x    2 root root 4096 May 30  2018 sbin
drwxr-xr-x    2 root root 4096 Aug 25  2017 srv
dr-xr-xr-x   13 root root    0 Apr 30 14:27 sys
drwxrwx-wt    7 root root 4096 Jul 13 23:06 tmp
drwxr-xr-x   10 root root 4096 Aug 25  2017 usr
drwxr-xr-x   12 root root 4096 May 30  2018 var

Seems that way — okay, cool: the whole series must be running on the same VM image.

Alright, well, let’s see what we can read on the system:

$ find / -readable | head -n 10
/home/morpheus
/home/morpheus/.bashrc
/home/morpheus/.bash_logout
/home/morpheus/.profile
/dev/pts/4
/proc/2414
/proc/2414/task
/proc/2414/task/2414
/proc/2414/task/2414/net
/proc/2414/task/2414/attr

$ find /var -readable  2>/dev/null | head -n 10
/var
/var/mail
/var/log
/var/log/wtmp.1
/var/log/wtmp
/var/run
/var/cache
/var/cache/apparmor
/var/cache/apt
/var/cache/apt/archives
# Ooh, do we have any mail?!
$ ls -al /var/mail
total 8
drwxrwsr-x  2 root mail 4096 Aug 25  2017 .
drwxr-xr-x 12 root root 4096 May 30  2018 ..
# Nope..

$ find /etc -readable  2>/dev/null | head -n 10
/etc
/etc/debian_version
/etc/apparmor.d
/etc/apparmor.d/cache
/etc/apparmor.d/usr.sbin.mysqld
/etc/apparmor.d/usr.sbin.rsyslogd
/etc/apparmor.d/abstractions
/etc/apparmor.d/abstractions/ubuntu-unity7-base
/etc/apparmor.d/abstractions/aspell
/etc/apparmor.d/abstractions/mysql

$ find /usr -readable  2>/dev/null | head -n 10
$ find /usr -readable  2>/dev/null | head -n 10
/usr
/usr/include
/usr/include/sudo_plugin.h
/usr/share
/usr/share/sysv-rc
/usr/share/sysv-rc/saveconfig
/usr/share/mysql
/usr/share/mysql/mysql-log-rotate
/usr/share/mysql/english
/usr/share/mysql/english/errmsg.sys

$ find /var/log -readable  2>/dev/null | head -n 10

Nothing screaming at me yet, let’s check out what’s running again:

$ ps -aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  37228  5304 ?        Ss   Jul07   0:44 /sbin/init
root        38  0.0  0.1 166672 114536 ?       Ss   Jul07  10:24 /lib/systemd/systemd-journald
root        84  0.0  0.0  28980  2924 ?        Ss   Jul07   0:02 /usr/sbin/cron -f
syslog      86  0.0  0.0 256392  4208 ?        Ssl  Jul07   2:09 /usr/sbin/rsyslogd -n
root       156  0.0  0.0  65508  6528 ?        Ss   Jul07   2:37 /usr/sbin/sshd -D
root       159  0.0  0.0   4504  1608 ?        S    Jul07   0:10 /bin/sh /root/files/backup.sh -u trinity -p Flag-7e0cfcf090a2fe53c97ea3edd3883d0d
root       172  0.0  0.0  15752  2212 pts/2    Ss+  Jul07   0:00 /sbin/agetty --noclear --keep-baud pts/2 115200 38400 9600 vt220
root       175  0.0  0.0  15752  2212 pts/0    Ss+  Jul07   0:00 /sbin/agetty --noclear --keep-baud pts/0 115200 38400 9600 vt220
root       176  0.0  0.0  15752  2212 ?        Ss+  Jul07   0:00 /sbin/agetty --noclear --keep-baud console 115200 38400 9600 vt220
root       177  0.0  0.0  15752  2212 pts/3    Ss+  Jul07   0:00 /sbin/agetty --noclear --keep-baud pts/3 115200 38400 9600 vt220
root       179  0.0  0.0  15752  2212 pts/1    Ss+  Jul07   0:00 /sbin/agetty --noclear --keep-baud pts/1 115200 38400 9600 vt220
mysql      182  0.0  0.2 1282828 190004 ?      Ssl  Jul07   3:53 /usr/sbin/mysqld
root      2405  0.0  0.0  90488  6840 ?        SNs  23:01   0:00 sshd: morpheus [priv]
morpheus  2414  0.0  0.0  90488  3380 ?        SN   23:01   0:00 sshd: [email protected]/4
morpheus  2416  0.0  0.0  21180  3740 pts/4    SNs  23:01   0:00 -bash
root      3406  0.0  0.0   7288   640 ?        S    23:14   0:00 sleep 10
root      3413  0.0  0.0  90340  6816 ?        Ss   23:14   0:00 sshd: unknown [priv]
sshd      3416  0.0  0.0  65508  3336 ?        S    23:14   0:00 sshd: unknown [net]
root      3417  0.0  0.0  65508  6264 ?        Ss   23:14   0:00 sshd: [accepted]
sshd      3418  0.0  0.0  65508  3336 ?        S    23:14   0:00 sshd: [net]
root      3419  0.0  0.0  65508  6264 ?        Ss   23:14   0:00 sshd: [accepted]
sshd      3420  0.0  0.0  65508   724 ?        S    23:14   0:00 sshd: [net]
morpheus  3421  0.0  0.0  37364  3320 pts/4    RN+  23:14   0:00 ps -aux
root     30389  0.0  0.0  49932  3404 ?        SN   22:00   0:00 su neo -c /bin/monitor
neo      30391  0.0  0.0   4216   612 ?        SNs  22:00   0:00 /bin/monitor

Hmm, looks like a decently configured mysql service is running. Perhaps there’s a webserver I missed?

$ ls -al /var/www
total 12
drwxr-xr-x  2 root      root      4096 May 30  2018 .
drwxr-xr-x 12 root      root      4096 May 30  2018 ..
-r-xr-x--x  1 architect architect 2358 Feb 19  2019 index.php

Ahh, looks like architect is the web dev… hmm.

Are there any exploitable permissions lying around?

$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/bin/sudo
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/bin/umount
/bin/su

Nothing that seems useful to me.

What cronjobs are on the system?

$ crontab -l
-bash: /usr/bin/crontab: Permission denied
$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

$ ls -al /etc/cron.daily/
total 28
drwxr-xr-x  2 root root 4096 May 30  2018 .
drwxr-xr-x 72 root root 4096 Sep 30  2019 ..
-rwxr-xr-x  1 root root 1474 Jun 19  2017 apt-compat
-rwxr-xr-x  1 root root 1597 Nov 26  2015 dpkg
-rwxr-xr-x  1 root root  372 May  6  2015 logrotate
-rwxr-xr-x  1 root root  249 Nov 12  2015 passwd
-rw-r--r--  1 root root  102 Apr  5  2016 .placeholder
$ ls -al /etc/cron.weekly
total 16
drwxr-xr-x  2 root root 4096 Feb 26  2018 .
drwxr-xr-x 72 root root 4096 Sep 30  2019 ..
-rwxr-xr-x  1 root root   86 Apr 13  2016 fstrim
-rw-r--r--  1 root root  102 Apr  5  2016 .placeholder
$ ls -al /etc/cron.monthly
total 12
drwxr-xr-x  2 root root 4096 Aug 25  2017 .
drwxr-xr-x 72 root root 4096 Sep 30  2019 ..
-rw-r--r--  1 root root  102 Apr  5  2016 .placeholder

Nothing looks overly interesting.

Let’s just search the filesystem for the username:

$ cd / && grep -r "architect" 2>/dev/null | head -n 10
etc/fstab:#//TheMAtrix/phone  /media/Matrix  cifs  username=architect,password=$(base64 -d "RkxBRy0yMzJmOTliNDE3OGJkYzdmZWY3ZWIxZjBmNzg4MzFmOQ=="),iocharset=utf8,sec=ntlm  0  0
etc/group:challenger:x:1000:morpheus,trinity,architect,oracle,neo,cypher
etc/group:architect:x:1003:
etc/passwd:architect:x:1002:1003::/home/architect:/bin/bash
etc/subgid:architect:231072:65536
etc/subuid:architect:231072:65536
etc/init.d/checkroot.sh:		# fail on older kernels on sparc64/alpha architectures due
Binary file var/log/wtmp.1 matches
Binary file var/log/wtmp matches
var/backups/dpkg.status.0: It also contains the architecture-dependent parts of the standard

Oh, there we go! A password for architect is embedded in /etc/fstab, which is readable by every local user.

$ echo "RkxBRy0yMzJmOTliNDE3OGJkYzdmZWY3ZWIxZjBmNzg4MzFmOQ==" | base64 --decode
FLAG-xxx