Alright, let’s get rolling here. I’m not alone eh… let’s look at what’s running again.
$ ps -aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 37228 5304 ? Ss Jul07 0:45 /sbin/init
root 38 0.0 0.0 52032 15412 ? Ss Jul07 10:31 /lib/systemd/systemd-journald
root 84 0.0 0.0 28980 2924 ? Ss Jul07 0:02 /usr/sbin/cron -f
syslog 86 0.0 0.0 256392 4208 ? Ssl Jul07 2:11 /usr/sbin/rsyslogd -n
root 156 0.0 0.0 65508 6528 ? Ss Jul07 2:39 /usr/sbin/sshd -D
root 159 0.0 0.0 4504 1608 ? S Jul07 0:10 /bin/sh /root/files/backup.sh -u trinity -p Flag-7e0cfcf090a2fe53c97ea3edd3883d0d
root 172 0.0 0.0 15752 2212 pts/2 Ss+ Jul07 0:00 /sbin/agetty --noclear --keep-baud pts/2 115200 38400 9600 vt220
root 175 0.0 0.0 15752 2212 pts/0 Ss+ Jul07 0:00 /sbin/agetty --noclear --keep-baud pts/0 115200 38400 9600 vt220
root 176 0.0 0.0 15752 2212 ? Ss+ Jul07 0:00 /sbin/agetty --noclear --keep-baud console 115200 38400 9600 vt220
root 177 0.0 0.0 15752 2212 pts/3 Ss+ Jul07 0:00 /sbin/agetty --noclear --keep-baud pts/3 115200 38400 9600 vt220
root 179 0.0 0.0 15752 2212 pts/1 Ss+ Jul07 0:00 /sbin/agetty --noclear --keep-baud pts/1 115200 38400 9600 vt220
mysql 182 0.0 0.2 1282828 190004 ? Ssl Jul07 3:56 /usr/sbin/mysqld
root 10146 0.0 0.0 90488 6840 ? SNs 00:30 0:00 sshd: morpheus [priv]
morpheus 10157 0.0 0.0 90488 4292 ? SN 00:31 0:00 sshd: morpheus@pts/4
morpheus 10158 0.0 0.0 21180 3736 pts/4 SNs 00:31 0:00 -bash
root 10181 0.0 0.0 49932 3416 pts/4 SN 00:31 0:00 su trinity
trinity 10185 0.0 0.0 21180 3740 pts/4 SN 00:31 0:00 bash
root 12416 0.0 0.0 49932 3416 pts/4 SN 00:58 0:00 su neo
neo 12420 0.0 0.0 21172 3516 pts/4 SN 00:58 0:00 bash
root 12439 0.0 0.0 7288 640 ? S 00:59 0:00 sleep 10
root 12446 0.0 0.0 65508 6264 ? Ss 00:59 0:00 sshd: [accepted]
root 12447 0.0 0.0 90340 6816 ? Ss 00:59 0:00 sshd: unknown [priv]
sshd 12448 0.0 0.0 65508 3336 ? S 00:59 0:00 sshd: [net]
sshd 12449 0.0 0.0 65508 3336 ? S 00:59 0:00 sshd: unknown [net]
root 12450 0.0 0.0 65508 6264 ? Ss 00:59 0:00 sshd: [accepted]
sshd 12451 0.0 0.0 65508 3336 ? S 00:59 0:00 sshd: [net]
neo 12452 0.0 0.0 37364 3320 pts/4 RN+ 00:59 0:00 ps -aux
root 30389 0.0 0.0 49932 3404 ? SN Jul13 0:00 su neo -c /bin/monitor
neo 30391 0.0 0.0 4216 612 ? SNs Jul13 0:00 /bin/monitor
I guess that elevated monitor service is pretty suspect…
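Two things in that listing deserve a closer look from a defender's side: the backup job on PID 159 carries a password as a `-p` argument, and anything on a command line is readable by every local account through `ps` (it comes from `/proc/<pid>/cmdline`, which is world-readable); and PID 30389 shows root handing a job to a lower-privileged account with `su neo -c`, which is how the unprivileged user ends up owning a process worth tracing. The script below is an added example, not part of the original write-up or the CTF: it parses `ps aux` style output and flags both patterns. The sample listing is constructed from the lines above with the real flag swapped for a made-up value, and the credential-option and `su`/`sudo -u` patterns are my own heuristics, not an exhaustive list.

```python
import re
from dataclasses import dataclass

# Constructed sample (abridged copy of the listing above; the secret value is
# invented for this example).
PS_SAMPLE = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 37228 5304 ? Ss Jul07 0:45 /sbin/init
root 159 0.0 0.0 4504 1608 ? S Jul07 0:10 /bin/sh /root/files/backup.sh -u trinity -p Pa55w0rd-example
mysql 182 0.0 0.2 1282828 190004 ? Ssl Jul07 3:56 /usr/sbin/mysqld
root 10181 0.0 0.0 49932 3416 pts/4 SN 00:31 0:00 su trinity
root 30389 0.0 0.0 49932 3404 ? SN Jul13 0:00 su neo -c /bin/monitor
neo 30391 0.0 0.0 4216 612 ? SNs Jul13 0:00 /bin/monitor
"""

# Heuristic patterns (assumptions of this example, not a complete catalogue):
# a password-style option followed by a value, or a key=value secret.
CRED_OPT = re.compile(r"(?:^|\s)(-p|-P|--password|--pass|--token)\s+(\S+)")
CRED_KV = re.compile(r"\b(password|passwd|pass|pwd|secret|token|api[_-]?key)=(\S+)", re.I)
# "su [-] <user> -c <cmd>" or "sudo -u <user> <cmd>": a privileged parent
# handing work to another account.
SU_SPAWN = re.compile(
    r"^(?:su\s+(?:-\s+|-l\s+)?(\S+)\s+-c\s+(.+)|sudo\s+-u\s+(\S+)\s+(.+))$"
)


@dataclass(frozen=True)
class Finding:
    pid: int
    user: str
    kind: str    # "cmdline-secret" or "su-spawn"
    detail: str


def parse_ps(text):
    """Return (user, pid, command) for each data row of `ps aux` output.

    The first ten columns are fixed; everything after them is the COMMAND
    column, which may itself contain spaces.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 10)
        if len(parts) < 11 or parts[0] == "USER":
            continue
        rows.append((parts[0], int(parts[1]), parts[10]))
    return rows


def mask(value):
    """Keep two characters so a finding can be matched to its source without
    re-exposing the secret in a report."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def audit(text):
    """Flag processes exposing a secret on the command line and processes
    that were started for another account via su -c / sudo -u."""
    findings = []
    for user, pid, cmd in parse_ps(text):
        m = CRED_OPT.search(cmd) or CRED_KV.search(cmd)
        if m:
            findings.append(Finding(pid, user, "cmdline-secret",
                                    f"{m.group(1)} -> {mask(m.group(2))}"))
        m = SU_SPAWN.match(cmd)
        if m:
            target = m.group(1) or m.group(3)
            child = m.group(2) or m.group(4)
            findings.append(Finding(pid, user, "su-spawn",
                                    f"{user} runs {child!r} as {target}"))
    return findings


if __name__ == "__main__":
    import subprocess
    # Run against the live system when executed directly.
    out = subprocess.run(["ps", "aux"], capture_output=True, text=True,
                         check=True).stdout
    for finding in audit(out):
        print(finding)
```

The option heuristic will also fire on unrelated `-p` flags (a port number, say), so treat a `cmdline-secret` hit as something to read, not an alert on its own. The fix for the first finding is to pass secrets through a file with restrictive permissions or through the environment of the job rather than on the command line. The second finding is the one that matters for what happens next in the write-up: a process owned by your own account can normally be attached to with `strace -p`, which is why a helper that echoes a password into a pipe leaks it; on kernels with Yama, `kernel.yama.ptrace_scope=1` limits attaching to a process's own descendants and would have blocked that trace.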
Let’s inspect it, shall we? Can we strace?
$ strace
strace: must have PROG [ARGS] or -p PID
Try 'strace -h' for more information.
$ strace
$ strace 30391
strace: Can't stat '30391': No such file or directory
neo@lxc-sysadmin:/home/trinity$ strace -p 30391
strace: Process 30391 attached
restart_syscall(<... resuming interrupted nanosleep ...>) = 0
write(-1, "telnet 127.0.0.1 23\n", 20) = -1 EBADF (Bad file descriptor)
write(-1, "user\n", 5) = -1 EBADF (Bad file descriptor)
write(-1, "FLAG-xxxx\n", 31) = -1 EBADF (Bad file descriptor)
write(-1, "get-cpuinfo\n", 12) = -1 EBADF (Bad file descriptor)
nanosleep({10, 0},
Oh shit that was too easy!!