onuma’s Home


After moving laterally to the onuma user, I found a few interesting files in its home directory.

onuma@tartarsauce:~$ ll
total 40
drwxrw---- 5 onuma onuma 4096 May 12  2022 ./
drwxr-xr-x 3 root  root  4096 May 12  2022 ../
lrwxrwxrwx 1 root  root     9 Feb 17  2018 .bash_history -> /dev/null
-rwxrw---- 1 onuma onuma  220 Feb  9  2018 .bash_logout*
-rwxrw---- 1 onuma onuma 3871 Feb 15  2018 .bashrc*
drwxrw---- 2 onuma onuma 4096 May 12  2022 .cache/
-rwxrw---- 1 onuma onuma   52 Feb 17  2018 .mysql_history*
drwxrw---- 2 onuma onuma 4096 May 12  2022 .nano/
-rwxrw---- 1 onuma onuma  655 Feb  9  2018 .profile*
drwxrw---- 2 onuma onuma 4096 jan 23 08:43 .ssh/
-rwxrw---- 1 onuma onuma    0 Feb  9  2018 .sudo_as_admin_successful*
lrwxrwxrwx 1 root  root     9 Feb 17  2018 shadow_bkp -> /dev/null
-r-------- 1 onuma onuma   33 jan 23 06:39 user.txt

.mysql_history has 52 bytes of content in it, and both shadow_bkp and .bash_history are root-owned symlinks to /dev/null.

onuma@tartarsauce:~$ cat .mysql_history
_HiStOrY_V2_
create\040database\040backuperer;
exit

This alone doesn’t reveal much.

However, it has something to do with a backup, so I will head over to the /var/backups directory to see what’s there.

/var/backups/


onuma@TartarSauce:/var/backups$ ll
total 12472
drwxr-xr-x  2 root  root       4096 Jan 23 08:56 ./
drwxr-xr-x 14 root  root       4096 May 12  2022 ../
-rw-r--r--  1 root  root      40960 May  2  2018 alternatives.tar.0
-rw-r--r--  1 root  root       2125 Feb 17  2018 alternatives.tar.1.gz
-rw-r--r--  1 root  root       5649 May  1  2018 apt.extended_states.0
-rw-r--r--  1 root  root        787 Feb 20  2018 apt.extended_states.1.gz
-rw-r--r--  1 root  root        778 Feb 15  2018 apt.extended_states.2.gz
-rw-r--r--  1 root  root        768 Feb 12  2018 apt.extended_states.3.gz
-rw-r--r--  1 root  root        731 Feb  9  2018 apt.extended_states.4.gz
-rw-r--r--  1 root  root        437 Feb  9  2018 dpkg.diversions.0
-rw-r--r--  1 root  root        202 Feb  9  2018 dpkg.diversions.1.gz
-rw-r--r--  1 root  root        202 Feb  9  2018 dpkg.diversions.2.gz
-rw-r--r--  1 root  root        202 Feb  9  2018 dpkg.diversions.3.gz
-rw-r--r--  1 root  root        202 Feb  9  2018 dpkg.diversions.4.gz
-rw-r--r--  1 root  root        207 Feb  9  2018 dpkg.statoverride.0
-rw-r--r--  1 root  root        171 Feb  9  2018 dpkg.statoverride.1.gz
-rw-r--r--  1 root  root        171 Feb  9  2018 dpkg.statoverride.2.gz
-rw-r--r--  1 root  root        171 Feb  9  2018 dpkg.statoverride.3.gz
-rw-r--r--  1 root  root        171 Feb  9  2018 dpkg.statoverride.4.gz
-rw-r--r--  1 root  root     510376 May  1  2018 dpkg.status.0
-rw-r--r--  1 root  root     146402 May  1  2018 dpkg.status.1.gz
-rw-r--r--  1 root  root     146472 Feb 21  2018 dpkg.status.2.gz
-rw-r--r--  1 root  root     146472 Feb 21  2018 dpkg.status.3.gz
-rw-r--r--  1 root  root     146030 Feb 15  2018 dpkg.status.4.gz
-rw-------  1 root  root        785 Feb  9  2018 group.bak
-rw-------  1 root  shadow      681 Feb  9  2018 gshadow.bak
-rw-r--r--  1 onuma onuma  11511296 Jan 23 08:55 onuma-www-dev.bak
-rw-r--r--  1 root  root      16097 Jan 21  2021 onuma_backup_error.txt
-rw-r--r--  1 root  root        219 Jan 23 08:55 onuma_backup_test.txt
-rw-------  1 root  root       1615 Feb  9  2018 passwd.bak
-rw-------  1 root  shadow     1067 Feb 20  2018 shadow.bak

While onuma-www-dev.bak appears to be a backup archive, onuma_backup_test.txt and onuma_backup_error.txt appear to be log files.

onuma@TartarSauce:/var/backups$ cat onuma_backup_test.txt
------------------------------------------------------------------------
Auto backup backuperer backup last ran at : Mon Jan 23 09:00:37 EST 2023
------------------------------------------------------------------------

onuma_backup_test.txt shows that these files are written by an automatic backup job called backuperer. What is backuperer?

backuperer


onuma@tartarsauce:/var/backups$ find / -name backuperer -ls -type f 2>/dev/null
45907      4 -rwxr-xr-x   1 root     root         1701 Feb 21  2018 /usr/sbin/backuperer

Searching the filesystem for a file named “backuperer”, I found one at /usr/sbin/backuperer.

onuma@tartarsauce:/var/backups$ file /usr/sbin/backuperer
/usr/sbin/backuperer: Bourne-Again shell script, UTF-8 Unicode text executable

It’s a bash script.

onuma@tartarsauce:/var/backups$ cat /usr/sbin/backuperer
#!/bin/bash
 
#-------------------------------------------------------------------------------------
# backuperer ver 1.0.2 - by ȜӎŗgͷͼȜ
# ONUMA Dev auto backup program
# This tool will keep our webapp backed up incase another skiddie defaces us again.
# We will be able to quickly restore from a backup in seconds ;P
#-------------------------------------------------------------------------------------
 
# Set Vars Here
basedir=/var/www/html
bkpdir=/var/backups
tmpdir=/var/tmp
testmsg=$bkpdir/onuma_backup_test.txt
errormsg=$bkpdir/onuma_backup_error.txt
tmpfile=$tmpdir/.$(/usr/bin/head -c100 /dev/urandom |sha1sum|cut -d' ' -f1)
check=$tmpdir/check
 
# formatting
printbdr()
{
    for n in $(seq 72);
    do /usr/bin/printf $"-";
    done
}
bdr=$(printbdr)
 
# Added a test file to let us see when the last backup was run
/usr/bin/printf $"$bdr\nauto backup backuperer backup last ran at : $(/bin/date)\n$bdr\n" > $testmsg
 
# Cleanup from last time.
/bin/rm -rf $tmpdir/.* $check
 
# Backup onuma website dev files.
/usr/bin/sudo -u onuma /bin/tar -zcvf $tmpfile $basedir &
 
# Added delay to wait for backup to complete if large files get added.
/bin/sleep 30
 
# Test the backup integrity
integrity_chk()
{
    /usr/bin/diff -r $basedir $check$basedir
}
 
/bin/mkdir $check
/bin/tar -zxvf $tmpfile -C $check
if [[ $(integrity_chk) ]]
then
    # Report errors so the dev can investigate the issue.
    /usr/bin/printf $"$bdr\nintegrity check error in backup last ran :  $(/bin/date)\n$bdr\n$tmpfile\n" >> $errormsg
    integrity_chk >> $errormsg
    exit 2
else
    # Clean up and save archive to the bkpdir.
    /bin/mv $tmpfile $bkpdir/onuma-www-dev.bak
    /bin/rm -rf $check .*
    exit 0
fi
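For comparison, here is a hardened rewrite of the same backup-and-verify cycle. It is an added example, not the script from the box or anything the author posted, and it assumes GNU (or BSD) tar plus a diff that supports --no-dereference; paths and the function name safe_backup are illustrative.

```shell
#!/bin/sh
# Hardened rewrite of the backup-and-verify cycle in /usr/sbin/backuperer above.
# Added example, not the original script. Changes versus the original:
#  - archive and scratch dir live in a fresh 0700 mktemp directory instead of
#    /var/tmp with a guessable /var/tmp/check path;
#  - tar runs synchronously as the caller: no 'sudo -u onuma ... &' followed by
#    'sleep 30', so there is no window in which the archive can be swapped
#    before the privileged half of the script extracts and diffs it;
#  - extraction drops ownership/permission bits, diff does not follow symlinks;
#  - no 'rm -rf $tmpdir/.*' or 'rm -rf $check .*' globbing: only the private
#    work directory is removed;
#  - the error report is kept 0600 instead of appended to a world-readable file.
# The body is a subshell so umask, trap and exit do not leak into the caller.
safe_backup() (
    basedir=$1                  # absolute path of the tree to back up
    bkpdir=$2                   # destination directory for the archive
    errlog=$bkpdir/onuma_backup_error.txt
    umask 077
    work=$(mktemp -d) || exit 1
    tmpfile=$work/archive.tgz
    check=$work/check
    trap 'rm -rf "$work"' EXIT  # always clean up, whatever the exit path

    # Archive relative to / so members unpack under $check$basedir, which is
    # the layout the original integrity_chk() relies on.
    tar -C / -czf "$tmpfile" "${basedir#/}" || exit 1
    mkdir "$check" || exit 1
    tar -C "$check" -xzf "$tmpfile" --no-same-owner --no-same-permissions || exit 1

    # --no-dereference compares symlinks as links instead of reading their targets,
    # so a link planted in the tree cannot pull a protected file into the report.
    if diff -r --no-dereference "$basedir" "$check$basedir" >"$work/diff.txt" 2>&1; then
        mv "$tmpfile" "$bkpdir/onuma-www-dev.bak" || exit 1
        exit 0
    fi
    {
        printf 'integrity check error in backup run at: %s\n' "$(date)"
        cat "$work/diff.txt"
    } >>"$errlog"
    chmod 600 "$errlog"
    exit 2
)
```

Because the umask is set inside the function's subshell, the archive written to $bkpdir comes out 0600, unlike the 0644 onuma-www-dev.bak seen in the listing above.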