Beyond


This page was written after successfully compromising the target system

root@gofer:~/scripts# crontab -l
# Edit this file to introduce tasks to be run by cron.
# 
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
# 
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
# 
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
# 
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
# 
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
# 
# For more information see the manual pages of crontab(5) and cron(8)
# 
# m h  dom mon dow   command
* * * * * /root/scripts/mail.sh
* * * * * /root/scripts/curl.sh

The root user has two cronjobs, which were initially captured through pspy

root@gofer:~/scripts# ll
total 16K
4.0k drwx------ 15 root root 4.0k aug  1 00:39 ..
4.0k drwxr-xr-x  2 root root 4.0k jul 27 11:57 .
4.0k -rwxr-x---  1 root root  775 jul 27 11:57 mail.sh
4.0k -rwxr-x---  1 root root  110 apr 27 00:46 curl.sh

These two bash scripts run every minute (* * * * *) through cron

curl.sh


root@gofer:~/scripts# cat curl.sh 
#!/bin/bash
/usr/bin/curl "http://proxy.gofer.htb/?url=http://gofer.htb" --user tbuckley:ooP4dietie3o_hquaeti

This script must have been mimicking the user's authentication behaviour: it sends tbuckley's credentials to the proxy every minute

mail.sh


root@gofer:~/scripts# cat mail.sh
#!/bin/bash

USER="jhudson"
# Every http:// URL in the user's mailbox, up to the next space or '>'
URLS=$(/usr/bin/grep -Eo 'http://[^ >]+' /var/mail/$USER)

/usr/bin/mkdir /home/$USER/Downloads

for u in $URLS
do
    echo $u;
    # Filename = basename field 1 + nanosecond timestamp + basename field 2 (split on '.')
    NAME=$(basename $u|cut -d '.' -f 1)
    EXT=$(basename $u|cut -d '.' -f 2)
    RANDOMNB=$(date +%s%N)
    FILENAME="$NAME$RANDOMNB.$EXT"
    timeout 10 wget -O "/home/$USER/Downloads/$FILENAME" $u
    /usr/bin/chown $USER:$USER /home/$USER/Downloads/$FILENAME
    /usr/bin/chmod 755 "/home/$USER/Downloads/$FILENAME"
    sleep 3
    # Open the download as the user in headless LibreOffice, then kill the splash process
    /bin/su -c "cd /usr/bin; ./libreoffice -env:SingleAppInstance=false --norestore --view --headless --nologo --nolockcheck --eventtesting /home/$USER/Downloads/$FILENAME &" $USER
    sleep 3
    /usr/bin/killall oosplash
done

# Empty the inbox and remove every download
echo "" > /var/mail/$USER
rm -rf /home/$USER/Downloads/*

This script mimics the phishing scenario of a user clicking a link attached to an email. It does that by:

  • fetching the URLs in the mail
  • slicing the URL with basename and cut
    • design and odt, split on .
  • appending the time (date +%s%N) between design and .odt
    • design1690847341855577657.odt
  • saving it to the user's Downloads directory
  • opening it with LibreOffice
    • /bin/su -c "cd /usr/bin; ./libreoffice -env:SingleAppInstance=false --norestore --view --headless --nologo --nolockcheck --eventtesting /home/$USER/Downloads/$FILENAME &" $USER
  • clearing the user's inbox
  • wiping the user's Downloads directory
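As an added example (not the box's own script), the URL extraction and filename slicing described above reproduced as shell functions over a constructed mailbox, so the design1690847341855577657.odt naming and the multi-extension edge case can be checked offline; the addresses and mail body are assumed.

```shell
#!/bin/bash
# Added example: reproduces how mail.sh turns each URL found in the mailbox
# into a download name, so the behaviour can be checked without the box.

# Constructed sample mailbox (not captured from the target).
SAMPLE_MAIL='From: hr@gofer.htb
Subject: updated form

Please review http://10.10.14.5/design.odt today.
Archive: <http://10.10.14.5/files/report.tar.gz>
Plain link http://gofer.htb'

# Same extraction mail.sh performs: every http:// run up to a space or '>'.
extract_urls() {
    printf '%s\n' "$1" | grep -Eo 'http://[^ >]+'
}

# Same slicing mail.sh performs: basename, then fields 1 and 2 split on '.'.
# Field 2 is the *first* extension, so report.tar.gz yields "tar", and a
# basename with no dot at all is returned whole by cut for both fields.
derive_name() { basename "$1" | cut -d '.' -f 1; }
derive_ext()  { basename "$1" | cut -d '.' -f 2; }

# Full filename the cron job would write under ~/Downloads; the nanosecond
# timestamp is passed in as a parameter so results are repeatable.
derive_filename() {
    local u="$1" stamp="$2"
    printf '%s%s.%s\n' "$(derive_name "$u")" "$stamp" "$(derive_ext "$u")"
}

# Walk the sample mailbox exactly as the cron loop would.
demo() {
    extract_urls "$SAMPLE_MAIL" | while read -r u; do
        printf '%-40s -> %s\n' "$u" "$(derive_filename "$u" 1690847341855577657)"
    done
}
```

Running demo shows that a bare host URL such as http://gofer.htb is also "downloaded" as gofer<stamp>.htb, which is why the cron job opens every link it finds, not only document links.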