With a new session on the DMZ server, you quickly begin post-exploitation activities. You have root-level access to the server because the risottoadmin user has the following entries in the /etc/sudoers file:
risottoadmin@risotto-dmz:~$ sudo -l
Matching Defaults entries for risottoadmin on risotto-dmz:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User risottoadmin may run the following commands on risotto-dmz:
(ALL : ALL) ALL
(ALL) NOPASSWD: ALL
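From the defender's side, the two entries above are exactly what a sudoers audit should surface: any command, as any user, and in the second case without a password. The following script is an added example, not part of the scenario or any tool it uses; it parses sudoers user-specification lines and grades them. The SAMPLE_SUDOERS text is constructed to mirror the sudo -l output above plus a few ordinary entries, and the severity labels are an assumption of this example.

```python
"""Flag overly permissive sudoers user specifications (added audit example).

The sample sudoers content below is constructed for illustration.
"""
import re
from dataclasses import dataclass

# sudoers user spec:  user host=(runas_user[:runas_group]) [TAG:]... cmd[, cmd...]
USER_SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

SAMPLE_SUDOERS = """\
# constructed sample, modelled on the scenario's sudo -l output
Defaults env_reset, mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
risottoadmin ALL=(ALL:ALL) ALL
risottoadmin ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
deploy  ALL=(www-data) /usr/bin/systemctl restart app
"""


@dataclass
class SudoRule:
    user: str
    host: str
    runas_user: str   # "root" when no (runas) clause is given, as sudo defaults
    runas_group: str  # "" when not specified
    nopasswd: bool
    commands: list


def parse_sudoers(text):
    """Parse user specification lines; skips Defaults, aliases and comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        first = line.split()[0]
        if first.startswith("Defaults") or first.endswith("_Alias"):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue  # include directives and anything else we do not model
        runas = (m.group("runas") or "root").strip()
        ru, _, rg = runas.partition(":")
        tags = m.group("tags") or ""
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        rules.append(SudoRule(m.group("user"), m.group("host"),
                              ru.strip() or "root", rg.strip(),
                              "NOPASSWD:" in tags, cmds))
    return rules


def audit(rules):
    """Return (user, severity, reason) for every rule worth a reviewer's eye."""
    findings = []
    for r in rules:
        any_cmd = "ALL" in r.commands
        any_user = r.runas_user == "ALL"
        if any_cmd and r.nopasswd:
            sev, why = "high", "any command as %s with no password" % r.runas_user
        elif any_cmd or (any_user and r.nopasswd):
            sev, why = "medium", "any command as %s (password required)" % r.runas_user
        elif r.nopasswd:
            sev, why = "low", "passwordless: %s" % ", ".join(r.commands)
        else:
            continue
        findings.append((r.user, sev, why))
    return findings


if __name__ == "__main__":
    for user, sev, why in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print("%-6s %-14s %s" % (sev.upper(), user, why))
```

Run against a real /etc/sudoers and the drop-ins under /etc/sudoers.d, the "high" bucket is the one to act on first: a NOPASSWD: ALL grant means a stolen session for that user is a root session, which is exactly why the attacker above does not even need to escalate.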
There’s no need to escalate to the root level yet. The name of the game is low and slow threat emulation, so you keep a low profile and stay in the low privilege context for now.
You continue to enumerate for interesting files until something catches your eye:
[server] sliver (RICH_ALCOVE) > ls /home/risottoadmin
/home/risottoadmin (21 items, 69.1 KiB)
=======================================
-rw------- .bash_history 384 B Sun Oct 23 14:01:17 -0700 2022
-rw-r--r-- .bash_logout 220 B Sat Oct 22 07:26:36 -0700 2022
-rw-r--r-- .bashrc 3.7 KiB Sat Oct 22 07:26:36 -0700 2022
drwxrwxr-x .cache <dir> Sat Oct 22 08:09:26 -0700 2022
drwx------ .config <dir> Sat Oct 22 07:37:04 -0700 2022
drwx------ .gnupg <dir> Sat Oct 22 07:31:09 -0700 2022
drwxr-xr-x .local <dir> Sat Oct 22 07:31:08 -0700 2022
drwx------ .mozilla <dir> Sat Oct 22 08:09:26 -0700 2022
-rw-r--r-- .profile 807 B Sat Oct 22 07:26:36 -0700 2022
drwx------ .ssh <dir> Sat Oct 22 07:36:48 -0700 2022
-rw-r--r-- .sudo_as_admin_successful 0 B Sat Oct 22 07:31:32 -0700 2022
drwxr-xr-x Desktop <dir> Sat Oct 22 07:47:41 -0700 2022
drwxrwxr-x docker-compose <dir> Sat Oct 22 08:08:38 -0700 2022
drwxr-xr-x Documents <dir> Sat Oct 22 07:31:10 -0700 2022
drwxr-xr-x Downloads <dir> Sat Oct 22 07:31:10 -0700 2022
drwxr-xr-x Music <dir> Sat Oct 22 07:31:10 -0700 2022
drwxrwxr-x nothing_interesting <dir> Sat Oct 22 07:36:32 -0700 2022
drwxr-xr-x Pictures <dir> Sat Oct 22 07:31:10 -0700 2022
drwxr-xr-x Public <dir> Sat Oct 22 07:31:10 -0700 2022
drwxr-xr-x Templates <dir> Sat Oct 22 07:31:10 -0700 2022
drwxr-xr-x Videos <dir> Sat Oct 22 07:31:10 -0700 2022
You notice the nothing_interesting folder in the home directory of the risottoadmin user. You investigate further:
[server] sliver (RICH_ALCOVE) > ls /home/risottoadmin/nothing_interesting
/home/risottoadmin/nothing_interesting (2 items, 4.2 KiB)
=========================================================
drwxrwxr-x .DATA_DIR <dir> Sat Oct 22 07:36:32 -0700 2022
-rw-rw-r-- .note 190 B Sat Oct 22 07:36:32 -0700 2022
[server] sliver (RICH_ALCOVE) > cat /home/risottoadmin/nothing_interesting/.note
Contact,
the enclosed directory is sensitive company intelligence. This should give you an advantage in the upcoming quarters ;)
Expect an email from my protonmail address soon.
-moleman
No one else on your team is currently aware of this.
What do you do?