backup
sunny@sunday:/$ ll
total 1858
938 dr-xr-xr-x 82 root root 469k jan 21 15:41 proc
8 drwxrwxrwt 3 root sys 276 jan 21 15:41 tmp
11 drwxr-xr-x 81 root sys 173 jan 21 15:28 etc
1 dr-xr-xr-x 1 root root 1 jan 21 12:56 nfs4
1 dr-xr-xr-x 1 root root 1 jan 21 12:56 net
3 drwxr-xr-x 2 root root 3 jan 21 12:56 media
21 drwxr-xr-x 25 root sys 28 jan 21 12:56 .
21 drwxr-xr-x 25 root sys 28 jan 21 12:56 ..
11 drwxr-xr-x 219 root sys 219 jan 21 12:56 dev
3 drwxr-xr-x 4 root sys 5 jan 21 12:56 devices
3 drwx------ 2 root root 10 Apr 13 2022 root
3 drwxr-xr-x 2 root root 4 Dec 19 2021 backup
3 dr-xr-xr-x 4 root root 4 Dec 19 2021 home
3 drwxr-xr-x 2 root root 4 Dec 19 2021 cdrom
5 drwxr-xr-x 42 root sys 51 Dec 8 2021 var
3 drwxr-xr-x 7 root root 7 Dec 8 2021 system
3 drwxr-xr-x 3 root sys 3 Dec 8 2021 export
3 drwxr-xr-x 3 root root 3 Dec 8 2021 rpool
1 lrwxrwxrwx 1 root root 9 Dec 8 2021 bin -> ./usr/bin
1 lrwxrwxrwx 1 root root 10 Dec 8 2021 sbin -> ./usr/sbin
3 drwxr-xr-x 5 root sys 9 Dec 8 2021 boot
5 drwxr-xr-x 29 root sys 41 Dec 8 2021 usr
3 drwxr-xr-x 21 root sys 21 Dec 8 2021 kernel
19 drwxr-xr-x 11 root bin 342 Dec 8 2021 lib
773 -r--r--r-- 1 root root 292K Aug 17 2018 zvboot
3 drwxr-xr-x 2 root sys 2 Aug 17 2018 mnt
3 drwxr-xr-x 2 root sys 2 Aug 17 2018 opt
3 drwxr-xr-x 4 root sys 4 Aug 17 2018 platform
After some basic system enumeration, I found an unusual directory at the system root: /backup
sunny@sunday:/$ ll backup
total 28
21 drwxr-xr-x 25 root sys 28 jan 21 12:56 ..
2 -rw-r--r-- 1 root root 319 Dec 19 2021 agent22.backup
3 drwxr-xr-x 2 root root 4 Dec 19 2021 .
2 -rw-r--r-- 1 root root 319 Dec 19 2021 shadow.backup
The /backup/ directory contains two files, and it looks like I can read them as sunny.
sunny@sunday:/backup$ cat agent22.backup
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
sunny@sunday:/backup$ cat shadow.backup
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
These are system credential hashes in /etc/shadow format.
The two files are identical.
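As an added example (my own code, not part of the writeup), here is a small Python audit for the situation above: it parses a shadow-format file using the nine-field Solaris shadow(5) layout, classifies each password field (Solaris marks locked accounts with *LK* and accounts with no usable password with NP), and flags the file when it still holds real password hashes but is readable by users other than root. The sample text is constructed from the lines shown above; the function names are my own.

```python
"""Audit a shadow-format backup file: parse its entries, classify each
password field, and flag the file if it is readable by non-root users
while still holding real password hashes."""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the nine-field Solaris shadow(5) layout
# (user:password:lastchg:min:max:warn:inactive:expire:flag).
SAMPLE_SHADOW_BACKUP = """\
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
"""

# crypt(3) scheme identifiers found between the leading '$' signs.
CRYPT_SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt",
                 "5": "sha256crypt", "6": "sha512crypt", "md5": "sunmd5"}


@dataclass
class ShadowEntry:
    user: str
    password: str
    lastchg: str

    @property
    def status(self) -> str:
        """Classify the password field: *LK* = locked, NP = no password."""
        if self.password.startswith("*LK*"):
            return "locked"
        if self.password == "NP":
            return "no-password"
        if self.password == "":
            return "empty"  # password-less login: always a finding
        if self.password.startswith("$"):
            return "hashed"
        return "other"

    @property
    def scheme(self) -> Optional[str]:
        """Name of the hashing scheme for hashed entries, else None."""
        if self.status != "hashed":
            return None
        return CRYPT_SCHEMES.get(self.password.split("$")[1], "unknown")


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Parse shadow-format lines; each needs exactly nine colon-separated fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(fields)}")
        entries.append(ShadowEntry(user=fields[0], password=fields[1], lastchg=fields[2]))
    return entries


def audit_shadow_text(text: str, mode: int) -> dict:
    """Pure core of the audit: `mode` is the st_mode of the file holding `text`."""
    entries = parse_shadow(text)
    hashed = [e for e in entries if e.status == "hashed"]
    empty = [e.user for e in entries if e.status == "empty"]
    readable_by_others = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    findings = []
    if hashed and readable_by_others:
        findings.append("password hashes readable by non-root users: "
                        + ", ".join(f"{e.user} ({e.scheme})" for e in hashed))
    if empty:
        findings.append("accounts with an empty password field: " + ", ".join(empty))
    return {"entries": len(entries), "hashed_users": [e.user for e in hashed],
            "readable_by_others": readable_by_others, "findings": findings}


def audit_shadow_file(path: str) -> dict:
    """Read a file from disk and audit its contents against its permission bits."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return audit_shadow_text(text, os.stat(path).st_mode)


if __name__ == "__main__":
    # Recreate the situation in the writeup: a copy of shadow saved with mode 0644.
    with tempfile.NamedTemporaryFile("w", suffix=".backup", delete=False) as tmp:
        tmp.write(SAMPLE_SHADOW_BACKUP)
    os.chmod(tmp.name, 0o644)
    for finding in audit_shadow_file(tmp.name)["findings"]:
        print("FINDING:", finding)
    os.unlink(tmp.name)
```

Run against a real backup directory, the file-based entry point reports exactly the condition the writeup describes: a world-readable copy of /etc/shadow whose hashed entries (here sammy and sunny, both sha256crypt) are exposed to any local user. Fixing it is a matter of removing the copy or restricting it to mode 0400 owned by root, and the same check can run from cron over any directory where such backups accumulate.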