Same drill, ssh in and get a shell, check out what our new home looks like:
$ ls -al
morpheus@lxc-sysadmin:~$ ls -al
total 20
dr-x------ 2 morpheus morpheus 4096 Oct 17 2018 .
drwxr-xr-x 8 root root 4096 May 30 2018 ..
lrwxrwxrwx 1 root root 9 May 30 2018 .bash_history -> /dev/null
-r-x------ 1 morpheus morpheus 220 Aug 31 2015 .bash_logout
-r-x------ 1 morpheus morpheus 3771 Jun 2 2018 .bashrc
lrwxrwxrwx 1 root root 9 Oct 17 2018 .mysql_history -> /dev/null
-r-x------ 1 morpheus morpheus 655 May 16 2017 .profile
Wait, is this the same box?!
$ ls -al /home
morpheus@lxc-sysadmin:~$ ls -al /home
total 32
drwxr-xr-x 8 root root 4096 May 30 2018 .
drwxr-xr-x 22 root root 4096 Jul 7 01:26 ..
dr-x------ 2 architect architect 4096 Oct 17 2018 architect
dr-x------ 2 cypher cypher 4096 Oct 17 2018 cypher
dr-x------ 2 morpheus morpheus 4096 Oct 17 2018 morpheus
dr-x------ 2 neo neo 4096 Oct 17 2018 neo
dr-x------ 3 oracle oracle 4096 Oct 17 2018 oracle
dr-xr-x--- 2 trinity neo 4096 Oct 17 2018 trinity
$ ls -al /
total 72
drwxr-xr-x 22 root root 4096 Jul 7 01:26 .
drwxr-xr-x 22 root root 4096 Jul 7 01:26 ..
drwxr-xr-x 2 root root 4096 May 30 2018 backup
drwxr-xr-x 2 root root 4096 May 30 2018 bin
drwxr-xr-x 2 root root 4096 Apr 12 2016 boot
drwxr-xr-x 7 root root 520 Jul 7 01:26 dev
drwxr-xr-x 72 root root 4096 Sep 30 2019 etc
drwxr-xr-x 8 root root 4096 May 30 2018 home
drwxr-xr-x 13 root root 4096 May 30 2018 lib
drwxr-xr-x 2 root root 4096 Feb 26 2018 lib64
drwxr-xr-x 2 root root 4096 Aug 25 2017 media
drwxr-xr-x 2 root root 4096 Aug 25 2017 mnt
-rw------- 1 root root 0 Dec 8 2018 nohup.out
drwxr-xr-x 2 root root 4096 Aug 25 2017 opt
dr-xr-xr-x 1509 root root 0 Jul 7 01:26 proc
drw------- 5 root root 4096 Apr 25 18:06 root
drwxr-xr-x 13 root root 440 Jul 13 23:01 run
drwxr-xr-x 2 root root 4096 May 30 2018 sbin
drwxr-xr-x 2 root root 4096 Aug 25 2017 srv
dr-xr-xr-x 13 root root 0 Apr 30 14:27 sys
drwxrwx-wt 7 root root 4096 Jul 13 23:06 tmp
drwxr-xr-x 10 root root 4096 Aug 25 2017 usr
drwxr-xr-x 12 root root 4096 May 30 2018 var
Seems that way, okay cool the series must all be on the same VM image. Alright well, let's see what we can read on the system
$ find / -readable | head -n 10
/home/morpheus
/home/morpheus/.bashrc
/home/morpheus/.bash_logout
/home/morpheus/.profile
/dev/pts/4
/proc/2414
/proc/2414/task
/proc/2414/task/2414
/proc/2414/task/2414/net
/proc/2414/task/2414/attr
$ find /var -readable 2>/dev/null | head -n 10
/var
/var/mail
/var/log
/var/log/wtmp.1
/var/log/wtmp
/var/run
/var/cache
/var/cache/apparmor
/var/cache/apt
/var/cache/apt/archives
# Ou do we have any mail?!
$ ls -al /var/mail
total 8
drwxrwsr-x 2 root mail 4096 Aug 25 2017 .
drwxr-xr-x 12 root root 4096 May 30 2018 ..
# Nope..
$ find /etc -readable 2>/dev/null | head -n 10
/etc
/etc/debian_version
/etc/apparmor.d
/etc/apparmor.d/cache
/etc/apparmor.d/usr.sbin.mysqld
/etc/apparmor.d/usr.sbin.rsyslogd
/etc/apparmor.d/abstractions
/etc/apparmor.d/abstractions/ubuntu-unity7-base
/etc/apparmor.d/abstractions/aspell
/etc/apparmor.d/abstractions/mysql
$ find /usr -readable 2>/dev/null | head -n 10
$ find /usr -readable 2>/dev/null | head -n 10
/usr
/usr/include
/usr/include/sudo_plugin.h
/usr/share
/usr/share/sysv-rc
/usr/share/sysv-rc/saveconfig
/usr/share/mysql
/usr/share/mysql/mysql-log-rotate
/usr/share/mysql/english
/usr/share/mysql/english/errmsg.sys
$ find /var/log -readable 2>/dev/null | head -n 10
Nothing screaming at me yet, let's check out what's running again:
$ ps -aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 37228 5304 ? Ss Jul07 0:44 /sbin/init
root 38 0.0 0.1 166672 114536 ? Ss Jul07 10:24 /lib/systemd/systemd-journald
root 84 0.0 0.0 28980 2924 ? Ss Jul07 0:02 /usr/sbin/cron -f
syslog 86 0.0 0.0 256392 4208 ? Ssl Jul07 2:09 /usr/sbin/rsyslogd -n
root 156 0.0 0.0 65508 6528 ? Ss Jul07 2:37 /usr/sbin/sshd -D
root 159 0.0 0.0 4504 1608 ? S Jul07 0:10 /bin/sh /root/files/backup.sh -u trinity -p Flag-7e0cfcf090a2fe53c97ea3edd3883d0d
root 172 0.0 0.0 15752 2212 pts/2 Ss+ Jul07 0:00 /sbin/agetty --noclear --keep-baud pts/2 115200 38400 9600 vt220
root 175 0.0 0.0 15752 2212 pts/0 Ss+ Jul07 0:00 /sbin/agetty --noclear --keep-baud pts/0 115200 38400 9600 vt220
root 176 0.0 0.0 15752 2212 ? Ss+ Jul07 0:00 /sbin/agetty --noclear --keep-baud console 115200 38400 9600 vt220
root 177 0.0 0.0 15752 2212 pts/3 Ss+ Jul07 0:00 /sbin/agetty --noclear --keep-baud pts/3 115200 38400 9600 vt220
root 179 0.0 0.0 15752 2212 pts/1 Ss+ Jul07 0:00 /sbin/agetty --noclear --keep-baud pts/1 115200 38400 9600 vt220
mysql 182 0.0 0.2 1282828 190004 ? Ssl Jul07 3:53 /usr/sbin/mysqld
root 2405 0.0 0.0 90488 6840 ? SNs 23:01 0:00 sshd: morpheus [priv]
morpheus 2414 0.0 0.0 90488 3380 ? SN 23:01 0:00 sshd: morpheus@pts/4
morpheus 2416 0.0 0.0 21180 3740 pts/4 SNs 23:01 0:00 -bash
root 3406 0.0 0.0 7288 640 ? S 23:14 0:00 sleep 10
root 3413 0.0 0.0 90340 6816 ? Ss 23:14 0:00 sshd: unknown [priv]
sshd 3416 0.0 0.0 65508 3336 ? S 23:14 0:00 sshd: unknown [net]
root 3417 0.0 0.0 65508 6264 ? Ss 23:14 0:00 sshd: [accepted]
sshd 3418 0.0 0.0 65508 3336 ? S 23:14 0:00 sshd: [net]
root 3419 0.0 0.0 65508 6264 ? Ss 23:14 0:00 sshd: [accepted]
sshd 3420 0.0 0.0 65508 724 ? S 23:14 0:00 sshd: [net]
morpheus 3421 0.0 0.0 37364 3320 pts/4 RN+ 23:14 0:00 ps -aux
root 30389 0.0 0.0 49932 3404 ? SN 22:00 0:00 su neo -c /bin/monitor
neo 30391 0.0 0.0 4216 612 ? SNs 22:00 0:00 /bin/monitor
Hmm, looks like a decent configured mysql service is running. Perhaps there's a webserver I missed?
$ ls -al /var/www
total 12
drwxr-xr-x 2 root root 4096 May 30 2018 .
drwxr-xr-x 12 root root 4096 May 30 2018 ..
-r-xr-x--x 1 architect architect 2358 Feb 19 2019 index.php
Ahh, looks like architect is the web dev... hmm.
Are there any exploitable permissions laying around?
$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/bin/sudo
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/bin/umount
/bin/su
Nothing that seems useful to me. What cronjobs are on the system?
$ crontab -l
-bash: /usr/bin/crontab: Permission denied
$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
$ ls -al /etc/cron.daily/
total 28
drwxr-xr-x 2 root root 4096 May 30 2018 .
drwxr-xr-x 72 root root 4096 Sep 30 2019 ..
-rwxr-xr-x 1 root root 1474 Jun 19 2017 apt-compat
-rwxr-xr-x 1 root root 1597 Nov 26 2015 dpkg
-rwxr-xr-x 1 root root 372 May 6 2015 logrotate
-rwxr-xr-x 1 root root 249 Nov 12 2015 passwd
-rw-r--r-- 1 root root 102 Apr 5 2016 .placeholder
$ ls -al /etc/cron.weekly
total 16
drwxr-xr-x 2 root root 4096 Feb 26 2018 .
drwxr-xr-x 72 root root 4096 Sep 30 2019 ..
-rwxr-xr-x 1 root root 86 Apr 13 2016 fstrim
-rw-r--r-- 1 root root 102 Apr 5 2016 .placeholder
$ ls -al /etc/cron.monthly
total 12
drwxr-xr-x 2 root root 4096 Aug 25 2017 .
drwxr-xr-x 72 root root 4096 Sep 30 2019 ..
-rw-r--r-- 1 root root 102 Apr 5 2016 .placeholder
Nothing looks overly interesting. Let's just search for the username?
$ cd / && grep -r "architect" 2>/dev/null | head -n 10
etc/fstab:#//TheMAtrix/phone /media/Matrix cifs username=architect,password=$(base64 -d "RkxBRy0yMzJmOTliNDE3OGJkYzdmZWY3ZWIxZjBmNzg4MzFmOQ=="),iocharset=utf8,sec=ntlm 0 0
etc/group:challenger:x:1000:morpheus,trinity,architect,oracle,neo,cypher
etc/group:architect:x:1003:
etc/passwd:architect:x:1002:1003::/home/architect:/bin/bash
etc/subgid:architect:231072:65536
etc/subuid:architect:231072:65536
etc/init.d/checkroot.sh: # fail on older kernels on sparc64/alpha architectures due
Binary file var/log/wtmp.1 matches
Binary file var/log/wtmp matches
var/backups/dpkg.status.0: It also contains the architecture-dependent parts of the standard
Oh, there we go!
$ echo "RkxBRy0yMzJmOTliNDE3OGJkYzdmZWY3ZWIxZjBmNzg4MzFmOQ==" | base64 --decode
FLAG-xxx
