With a new session on the DMZ server, you quickly begin post-exploitation activities. You effectively have root-level access to the server, because the risottoadmin user has the following entries in the /etc/sudoers file, as confirmed by sudo -l:
risottoadmin@risotto-dmz:~$ sudo -l
Matching Defaults entries for risottoadmin on risotto-dmz:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User risottoadmin may run the following commands on risotto-dmz:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL
There's no need to escalate to root yet. The name of the game is low and slow threat emulation, so you keep a low profile and stay in the low-privilege context for now: by default every sudo invocation is logged through syslog (auth.log on Ubuntu), and an unexpected root session on a DMZ host is exactly the kind of event a blue team alerts on.
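The sudoers entries above can be read mechanically, and the reason for staying unprivileged can be made concrete: sudo writes a syslog record for every command it runs. The following Python is an added example, not code from the original post or from Sliver; it parses the sudo -l output quoted above to flag passwordless root, and parses a constructed auth.log excerpt in sudo's default log format to show what a single escalation would leave for a defender. Host, user and command names follow the page; the log lines themselves are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed from the sudo -l output quoted on the page.
SUDO_L_OUTPUT = """\
Matching Defaults entries for risottoadmin on risotto-dmz:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User risottoadmin may run the following commands on risotto-dmz:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL
"""

# Constructed auth.log excerpt: what one "sudo cat /etc/shadow" by risottoadmin
# would write with default sudo/pam_unix logging on Ubuntu (not real captured data).
SAMPLE_AUTH_LOG = [
    "Oct 23 14:01:17 risotto-dmz sudo: risottoadmin : TTY=pts/0 ; PWD=/home/risottoadmin ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow",
    "Oct 23 14:01:17 risotto-dmz sudo: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=1000)",
    "Oct 23 14:01:17 risotto-dmz sudo: pam_unix(sudo:session): session closed for user root",
    "Oct 23 14:02:03 risotto-dmz sshd[2411]: Accepted publickey for risottoadmin from 10.0.0.5 port 51022 ssh2",
]


@dataclass
class SudoRule:
    runas_user: str
    runas_group: Optional[str]
    nopasswd: bool
    commands: List[str]


# "(runas_user : runas_group) TAG: TAG: cmd1, cmd2" as printed by sudo -l.
RULE_RE = re.compile(
    r"^\((?P<user>[^:)]+?)(?:\s*:\s*(?P<group>[^)]+?))?\)\s*"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudo_l(output: str) -> List[SudoRule]:
    """Return the command rules from sudo -l output, skipping the Defaults block."""
    rules: List[SudoRule] = []
    in_rules = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tag_text = m.group("tags").replace(" ", "").rstrip(":")
        tags = tag_text.split(":") if tag_text else []
        rules.append(SudoRule(
            runas_user=m.group("user").strip(),
            runas_group=(m.group("group") or "").strip() or None,
            nopasswd="NOPASSWD" in tags,
            commands=[c.strip() for c in m.group("cmds").split(",")],
        ))
    return rules


def passwordless_root(rules: List[SudoRule]) -> bool:
    """True if any rule lets the user run any command as anyone without a password."""
    return any(r.nopasswd and r.runas_user == "ALL" and "ALL" in r.commands for r in rules)


# Default sudo syslog record: "<ts> <host> sudo[pid]: <invoker> : K=V ; K=V ; ..."
SUDO_LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+sudo(?:\[\d+\])?:\s+"
    r"(?P<invoker>\S+)\s+:\s+(?P<fields>.+)$"
)


def parse_sudo_log(lines: List[str]) -> List[Dict[str, str]]:
    """Extract sudo command records; pam_unix session lines and other daemons are skipped."""
    events: List[Dict[str, str]] = []
    for line in lines:
        m = SUDO_LOG_RE.match(line)
        if not m:
            continue
        event = {"ts": m.group("ts"), "host": m.group("host"), "invoker": m.group("invoker")}
        for part in m.group("fields").split(" ; "):
            key, _, value = part.partition("=")
            event[key.strip()] = value.strip()
        events.append(event)
    return events


def root_commands_by(lines: List[str], user: str) -> List[str]:
    """Commands the given user ran as root: the footprint escalating would leave."""
    return [e["COMMAND"] for e in parse_sudo_log(lines)
            if e["invoker"] == user and e.get("USER") == "root" and "COMMAND" in e]


if __name__ == "__main__":
    print("passwordless root:", passwordless_root(parse_sudo_l(SUDO_L_OUTPUT)))
    print("root commands logged for risottoadmin:", root_commands_by(SAMPLE_AUTH_LOG, "risottoadmin"))
```

The two parsers are the two sides of the decision in the text: the first tells you the escalation is free, the second shows that it is not silent, since the operator, TTY, working directory, target user and full command line all land in auth.log the moment sudo runs.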
You continue to enumerate for interesting files until something catches your eye:
[server] sliver (RICH_ALCOVE) > ls /home/risottoadmin
/home/risottoadmin (21 items, 69.1 KiB)
=======================================
-rw------- .bash_history 384 B Sun Oct 23 14:01:17 -0700 2022
-rw-r--r-- .bash_logout 220 B Sat Oct 22 07:26:36 -0700 2022
-rw-r--r-- .bashrc 3.7 KiB Sat Oct 22 07:26:36 -0700 2022
drwxrwxr-x .cache <dir> Sat Oct 22 08:09:26 -0700 2022
drwx------ .config <dir> Sat Oct 22 07:37:04 -0700 2022
drwx------ .gnupg <dir> Sat Oct 22 07:31:09 -0700 2022
drwxr-xr-x .local <dir> Sat Oct 22 07:31:08 -0700 2022
drwx------ .mozilla <dir> Sat Oct 22 08:09:26 -0700 2022
-rw-r--r-- .profile 807 B Sat Oct 22 07:26:36 -0700 2022
drwx------ .ssh <dir> Sat Oct 22 07:36:48 -0700 2022
-rw-r--r-- .sudo_as_admin_successful 0 B Sat Oct 22 07:31:32 -0700 2022
drwxr-xr-x Desktop <dir> Sat Oct 22 07:47:41 -0700 2022
drwxrwxr-x docker-compose <dir> Sat Oct 22 08:08:38 -0700 2022
drwxr-xr-x Documents <dir> Sat Oct 22 07:31:10 -0700 2022
drwxr-xr-x Downloads <dir> Sat Oct 22 07:31:10 -0700 2022
drwxr-xr-x Music <dir> Sat Oct 22 07:31:10 -0700 2022
drwxrwxr-x nothing_interesting <dir> Sat Oct 22 07:36:32 -0700 2022
drwxr-xr-x Pictures <dir> Sat Oct 22 07:31:10 -0700 2022
drwxr-xr-x Public <dir> Sat Oct 22 07:31:10 -0700 2022
drwxr-xr-x Templates <dir> Sat Oct 22 07:31:10 -0700 2022
drwxr-xr-x Videos <dir> Sat Oct 22 07:31:10 -0700 2022
You notice the nothing_interesting folder in the home directory of the risottoadmin user.
You investigate further:
[server] sliver (RICH_ALCOVE) > ls /home/risottoadmin/nothing_interesting
/home/risottoadmin/nothing_interesting (2 items, 4.2 KiB)
=========================================================
drwxrwxr-x .DATA_DIR <dir> Sat Oct 22 07:36:32 -0700 2022
-rw-rw-r-- .note 190 B Sat Oct 22 07:36:32 -0700 2022
[server] sliver (RICH_ALCOVE) > cat /home/risottoadmin/nothing_interesting/.note
Contact,
the enclosed directory is sensitive company intelligence. This should give you an advantage in the upcoming quarters ;)
Expect an email from my protonmail address soon.
-moleman
No one else on your team is currently aware of this.
What do you do?
Choices
Ignore this and keep moving. We have enough plausible deniability to say we didn’t see anything.
Download the stolen data and use this information for our own purposes.