Sysadmin Linux 7 - Level 3

Neo is not alone!

Finding clues

The title, "Neo is not alone!", is the clue.
If we look at the running processes, we can see that Neo is indeed not alone:
there is a whole set of processes started by the user neo.

root     28387  0.0  0.0  49656  1376 ?        S    Jan29   0:00 su neo -c /bin/monitor
neo      28391  0.0  0.0   3944   308 ?        Ss   Jan29   0:09 /bin/monitor
root     29009  0.0  0.0  49656  1388 ?        S    Feb14   0:00 su neo -c /bin/monitor
neo      29013  0.0  0.0   3944   308 ?        Ss   Feb14   0:05 /bin/monitor
root     30466  0.0  0.0  49656  1376 ?        S    Feb06   0:00 su neo -c /bin/monitor
neo      30470  0.0  0.0   3944   308 ?        Ss   Feb06   0:08 /bin/monitor
root     30502  0.0  0.0  49656  1376 ?        S    Jan25   0:00 su neo -c /bin/monitor
neo      30504  0.0  0.0   3944   308 ?        Ss   Jan25   0:09 /bin/monitor
root     31080  0.0  0.0  49656  1388 ?        S    Mar10   0:00 su neo -c /bin/monitor
neo      31084  0.0  0.0   3944   308 ?        Ss   Mar10   0:00 /bin/monitor
root     31935  0.0  0.0  49656  1388 ?        S    Mar01   0:00 su neo -c /bin/monitor
neo      31937  0.0  0.0   3944   308 ?        Ss   Mar01   0:02 /bin/monitor
root     32152  0.0  0.0  49656  1376 ?        S    Jan30   0:00 su neo -c /bin/monitor
neo      32156  0.0  0.0   3944   308 ?        Ss   Jan30   0:08 /bin/monitor
root     32391  0.0  0.0  49656  1464 ?        S    Mar12   0:00 su neo -c /bin/monitor
neo      32393  0.0  0.0   3944   308 ?        Ss   Mar12   0:00 /bin/monitor
root     32587  0.0  0.0  49656  1388 ?        S    Feb21   0:00 su neo -c /bin/monitor
neo      32589  0.0  0.0   3944   308 ?        Ss   Feb21   0:02 /bin/monitor
root     32753  0.0  0.0  49656  1388 ?        T    Feb15   0:00 su neo -c /bin/monitor
neo      32757  0.0  0.0   3944   308 ?        Ss   Feb15   0:04 /bin/monitor

That’s only a small part of it.

The question is: how can we learn what a process owned by the same user is doing?
strace is the answer. We can attach it to the PID of one of the running /bin/monitor processes:

neo@forensics:~$ strace -p 32757
Process 32757 attached - interrupt to quit
restart_syscall(<... resuming interrupted call ...>) = 0
write(4294967295, "telnet 127.0.0.1 23\n", 20) = -1 EBADF (Bad file descriptor)
write(4294967295, "user\n", 5)          = -1 EBADF (Bad file descriptor)
write(4294967295, "FLAG-a4UVY5HJQO5ddLc5wtBps48A3\n", 31) = -1 EBADF (Bad file descriptor)
write(4294967295, "get-cpuinfo\n", 12)  = -1 EBADF (Bad file descriptor)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0

The flag is: “FLAG-a4UVY5HJQO5ddLc5wtBps48A3”
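The trace above is readable by eye, but a long-running strace of a chatty process is not. The following Python script is an added example, not part of the writeup and not related to the /bin/monitor binary: it parses strace's write() lines, decodes strace's own C-style string escapes, rebuilds the byte stream each descriptor received, and reports calls that failed or whose buffer strace cut short. The sample trace embedded in it is constructed from the writeup's lines (in strace's real ASCII quoting) plus one made-up line showing how strace marks a truncated string.

```python
# Reassemble what a traced process wrote, from strace output (added example).
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the writeup's trace, plus a made-up write on fd 1 whose
# 64-byte buffer strace cut at its default 32-character string limit (-s 32).
SAMPLE_TRACE = r'''restart_syscall(<... resuming interrupted call ...>) = 0
write(4294967295, "telnet 127.0.0.1 23\n", 20) = -1 EBADF (Bad file descriptor)
write(4294967295, "user\n", 5)          = -1 EBADF (Bad file descriptor)
write(4294967295, "FLAG-a4UVY5HJQO5ddLc5wtBps48A3\n", 31) = -1 EBADF (Bad file descriptor)
write(4294967295, "get-cpuinfo\n", 12)  = -1 EBADF (Bad file descriptor)
write(1, "This is a long line that strace "..., 64) = 64
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
'''

# write(FD, "DATA"[...], LEN) = RET [ERRNO (message)]; optional "[pid N]" prefix from -f
WRITE_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?write\((\d+), "((?:[^"\\]|\\.)*)"(\.\.\.)?, (\d+)\)'
    r'\s*=\s*(-?\d+)(?:\s+(E[A-Z0-9]+)\s+\(([^)]*)\))?'
)

SIMPLE_ESCAPES = {'n': 10, 't': 9, 'r': 13, 'a': 7, 'b': 8, 'f': 12, 'v': 11, '"': 34, '\\': 92}


@dataclass
class WriteEvent:
    fd: int
    data: bytes               # bytes the program handed to write(), as strace showed them
    length: int               # byte count it asked to write
    ret: int                  # kernel return value, -1 on failure
    errno_name: Optional[str]
    truncated: bool           # strace cut the string; rerun with a larger -s to see it all


def decode_strace_string(text: str) -> bytes:
    r"""Turn strace's quoted string body (\n, \", \\, \ooo octal, \xhh hex) into bytes."""
    out = bytearray()
    i = 0
    while i < len(text):
        c = text[i]
        if c != '\\':
            out += c.encode('latin-1')
            i += 1
        elif i + 1 < len(text) and text[i + 1] in '01234567':
            j = i + 1
            while j < len(text) and j < i + 4 and text[j] in '01234567':  # up to 3 octal digits
                j += 1
            out.append(int(text[i + 1:j], 8))
            i = j
        elif i + 1 < len(text) and text[i + 1] == 'x':
            out.append(int(text[i + 2:i + 4], 16))
            i += 4
        else:
            out.append(SIMPLE_ESCAPES[text[i + 1]])
            i += 2
    return bytes(out)


def parse_strace(text: str) -> List[WriteEvent]:
    """Extract every write() call from strace output; other syscalls are skipped."""
    events = []
    for line in text.splitlines():
        m = WRITE_RE.match(line)
        if not m:
            continue
        fd, body, dots, length, ret, errno_name, _msg = m.groups()
        data = decode_strace_string(body)
        truncated = dots is not None
        # Without truncation the decoded bytes must equal the requested count;
        # a mismatch means the trace was mangled (copy/paste, wrapped lines).
        if not truncated and len(data) != int(length):
            raise ValueError(f'length mismatch on: {line}')
        events.append(WriteEvent(int(fd), data, int(length), int(ret), errno_name, truncated))
    return events


def reconstruct_streams(events: List[WriteEvent]) -> Dict[int, bytes]:
    """Concatenate the data per descriptor, failed calls included: the buffer
    is visible to the tracer whether or not the kernel accepted the write."""
    streams: Dict[int, bytes] = {}
    for ev in events:
        streams[ev.fd] = streams.get(ev.fd, b'') + ev.data
    return streams


def failed_writes(events: List[WriteEvent]) -> List[WriteEvent]:
    return [ev for ev in events if ev.ret < 0]


if __name__ == '__main__':
    evs = parse_strace(SAMPLE_TRACE)
    for fd, stream in reconstruct_streams(evs).items():
        print(f'fd {fd}: {stream!r}')
    for ev in failed_writes(evs):
        print(f'fd {ev.fd}: write of {ev.length} bytes failed with {ev.errno_name}')
```

Two things the reassembled stream makes obvious. The descriptor 4294967295 is -1 printed as an unsigned 32-bit value, so the program is writing its telnet session to a descriptor it never obtained; the kernel rejects every call with EBADF, but the buffers still pass through the tracer, which is exactly why the flag shows up. And strace only prints the first 32 characters of a string by default, marking the cut with "..." after the closing quote, so a write longer than that needs `strace -s` raised before the parser can verify lengths. From the defensive side, the whole technique depends on a same-uid process being allowed to ptrace-attach; on kernels with the Yama LSM, setting `kernel.yama.ptrace_scope` to 1 limits attaching to the tracer's own descendants, which would have blocked this `strace -p` from an unrelated shell.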