RingZer0-91 - Sysadmin Linux Part 3
Sysadmin Linux 7 - Level 3
Neo is not alone!
Finding clues
The title "Neo is not alone!" is the clue.
If we list the running processes, we can see that Neo is indeed not alone:
there is a whole set of processes owned by the user neo, each of them a /bin/monitor that root launched through su.
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 28387 0.0 0.0 49656 1376 ? S Jan29 0:00 su neo -c /bin/monitor
neo 28391 0.0 0.0 3944 308 ? Ss Jan29 0:09 /bin/monitor
root 29009 0.0 0.0 49656 1388 ? S Feb14 0:00 su neo -c /bin/monitor
neo 29013 0.0 0.0 3944 308 ? Ss Feb14 0:05 /bin/monitor
root 30466 0.0 0.0 49656 1376 ? S Feb06 0:00 su neo -c /bin/monitor
neo 30470 0.0 0.0 3944 308 ? Ss Feb06 0:08 /bin/monitor
root 30502 0.0 0.0 49656 1376 ? S Jan25 0:00 su neo -c /bin/monitor
neo 30504 0.0 0.0 3944 308 ? Ss Jan25 0:09 /bin/monitor
root 31080 0.0 0.0 49656 1388 ? S Mar10 0:00 su neo -c /bin/monitor
neo 31084 0.0 0.0 3944 308 ? Ss Mar10 0:00 /bin/monitor
root 31935 0.0 0.0 49656 1388 ? S Mar01 0:00 su neo -c /bin/monitor
neo 31937 0.0 0.0 3944 308 ? Ss Mar01 0:02 /bin/monitor
root 32152 0.0 0.0 49656 1376 ? S Jan30 0:00 su neo -c /bin/monitor
neo 32156 0.0 0.0 3944 308 ? Ss Jan30 0:08 /bin/monitor
root 32391 0.0 0.0 49656 1464 ? S Mar12 0:00 su neo -c /bin/monitor
neo 32393 0.0 0.0 3944 308 ? Ss Mar12 0:00 /bin/monitor
root 32587 0.0 0.0 49656 1388 ? S Feb21 0:00 su neo -c /bin/monitor
neo 32589 0.0 0.0 3944 308 ? Ss Feb21 0:02 /bin/monitor
root 32753 0.0 0.0 49656 1388 ? T Feb15 0:00 su neo -c /bin/monitor
neo 32757 0.0 0.0 3944 308 ? Ss Feb15 0:04 /bin/monitor
That is only a small part of the list. The STAT column is worth a look: every monitor is a sleeping session leader (Ss) and one of the su parents is stopped (T), so whatever monitor does, it spends most of its time waiting.
The question is how we can learn what a process is doing when it belongs to the same user we are logged in as.
strace
is the answer. strace is built on ptrace, and a user may attach to processes running under his own uid without root, provided the target is not setuid and kernel.yama.ptrace_scope is 0 (with scope 1 only descendants can be traced and the attach fails with EPERM; check /proc/sys/kernel/yama/ptrace_scope if that happens). So we attach to the PID of one of the
/bin/monitor
processes:
neo@forensics:~$ strace -p 32757
Process 32757 attached - interrupt to quit
restart_syscall(<... resuming interrupted call ...>) = 0
write(4294967295, "telnet 127.0.0.1 23\n", 20) = -1 EBADF (Bad file descriptor)
write(4294967295, "user\n", 5) = -1 EBADF (Bad file descriptor)
write(4294967295, "FLAG-a4UVY5HJQO5ddLc5wtBps48A3\n", 31) = -1 EBADF (Bad file descriptor)
write(4294967295, "get-cpuinfo\n", 12) = -1 EBADF (Bad file descriptor)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
Every write goes to descriptor 4294967295, which is -1 read as an unsigned int: the monitor is writing to a descriptor that is not open (closed, or left over from a failed open or connect), so each call fails with EBADF. The data never leaves the process, but the buffer is still handed to the kernel on every call and strace prints it, which is why the telnet login sequence, and with it the flag, shows up in the trace.
The flag is: "FLAG-a4UVY5HJQO5ddLc5wtBps48A3"
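To turn the hunt above into something repeatable, here is an added shell script that is not part of the original writeup: it lists the monitor processes owned by the current user, reports the Yama ptrace scope, attaches strace for a bounded time with buffers left untruncated, and then reduces the trace to the write(2) payloads so a flag can be pulled out of it. It assumes strace, pgrep and the coreutils timeout command are installed; the TRACE_PID and TRACE_SECONDS variables, the output file name and the sample trace (constructed in the writeup's format, with one successful write added for contrast) are all placeholders of mine.

```shell
#!/bin/sh
# Added example, not from the original writeup. Enumerate /bin/monitor
# processes running as us, attach strace for a while, and extract what the
# process passes to write(2), whether or not the write succeeded.

# Processes named "monitor" owned by the current user (pgrep -x matches the
# whole process name, which is "monitor" for /bin/monitor).
list_monitor_pids() {
    pgrep -u "$(id -un)" -x monitor
}

# Yama ptrace scope: 0 = any same-uid process, 1 = descendants only
# (without CAP_SYS_PTRACE), 2 = admin only, 3 = nobody. If the file is
# missing, Yama is not built in and the classic same-uid rule applies.
ptrace_scope() {
    if [ -r /proc/sys/kernel/yama/ptrace_scope ]; then
        cat /proc/sys/kernel/yama/ptrace_scope
    else
        echo 0
    fi
}

# Attach to PID $1 for $2 seconds and write the trace to $3.
# -s 4096 stops strace truncating buffers at its default of 32 bytes,
# -e trace=write drops the signal-handling noise seen in the writeup,
# -f follows any child the monitor forks (lines then carry a PID prefix).
trace_pid() {
    timeout "$2" strace -f -s 4096 -e trace=write -p "$1" -o "$3"
}

# Reduce raw strace lines (with or without the -f PID prefix) to
# "fd=N rc=RESULT data=PAYLOAD". The payload keeps strace's C escapes.
extract_writes() {
    sed -n 's/^[0-9]* *write(\([0-9]*\), "\(.*\)", [0-9]*) *= *\(.*\)$/fd=\1 rc=\3 data=\2/p'
}

# Anything shaped like a RingZer0 flag in the written data.
find_flags() {
    extract_writes | sed -n 's/.*\(FLAG-[A-Za-z0-9]\{1,\}\).*/\1/p'
}

# Writes to an invalid descriptor (4294967295 is -1 as unsigned): the data
# reached nothing, yet it still went through the syscall and into the trace.
count_ebadf_writes() {
    extract_writes | grep -c 'rc=-1 EBADF' || true
}

# Constructed sample trace in the writeup's format; the last write line is
# an added successful one so both outcomes appear.
SAMPLE_TRACE='write(4294967295, "telnet 127.0.0.1 23\n", 20) = -1 EBADF (Bad file descriptor)
write(4294967295, "user\n", 5) = -1 EBADF (Bad file descriptor)
write(4294967295, "FLAG-a4UVY5HJQO5ddLc5wtBps48A3\n", 31) = -1 EBADF (Bad file descriptor)
write(4294967295, "get-cpuinfo\n", 12) = -1 EBADF (Bad file descriptor)
28391 write(1, "ok\n", 3) = 3
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0'

# Live run only when a PID is supplied (TRACE_PID=32757 sh hunt.sh);
# otherwise demonstrate the parser on the sample.
if [ -n "${TRACE_PID:-}" ]; then
    echo "ptrace_scope=$(ptrace_scope) candidates: $(list_monitor_pids | tr '\n' ' ')"
    OUT="${TMPDIR:-/tmp}/monitor.$TRACE_PID.trace"
    trace_pid "$TRACE_PID" "${TRACE_SECONDS:-15}" "$OUT"
    find_flags < "$OUT"
else
    printf '%s\n' "$SAMPLE_TRACE" | extract_writes
    printf '%s\n' "$SAMPLE_TRACE" | find_flags
fi
```

With scope 1 the attach will fail with "Operation not permitted" even for our own processes; on the challenge box it evidently succeeded, which is itself worth noting in a hardening review, since any user who lands on the host can read the monitor's traffic the same way.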