backup.sh


Checking the home directory of the basterd user after making the lateral movement:

basterd@Vulnerable:~$ ll
total 16K
4.0K drwxr-x--- 3 basterd basterd 4.0K Aug 22  2019 .
4.0K drwx------ 2 basterd basterd 4.0K Aug 22  2019 .cache
   0 -rw------- 1 basterd basterd    0 Aug 22  2019 .bash_history
4.0K drwxr-xr-x 4 root    root    4.0K Aug 22  2019 ..
4.0K -rwxr-xr-x 1 stoner  basterd  699 Aug 21  2019 backup.sh

There is a bash script: backup.sh

basterd@Vulnerable:~$ cat backup.sh
REMOTE=1.2.3.4
 
SOURCE=/home/stoner
TARGET=/usr/local/backup
 
LOG=/home/stoner/bck.log
 
DATE=`date +%y\.%m\.%d\.`
 
USER=stoner
#superduperp@$$no1knows
 
ssh $USER@$REMOTE mkdir $TARGET/$DATE
 
 
if [ -d "$SOURCE" ]; then
    for i in `ls $SOURCE | grep 'data'`;do
	     echo "Begining copy of" $i  >> $LOG
	     scp  $SOURCE/$i $USER@$REMOTE:$TARGET/$DATE
	     echo $i "completed" >> $LOG
		
		if [ -n `ssh $USER@$REMOTE ls $TARGET/$DATE/$i 2>/dev/null` ];then
		    rm $SOURCE/$i
		    echo $i "removed" >> $LOG
		    echo "####################" >> $LOG
				else
					echo "Copy not complete" >> $LOG
					exit 0
		fi 
    done
     
 
else
 
    echo "Directory is not present" >> $LOG
    exit 0
fi

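The backup.sh file contains a CLEARTEXT credential of the stoner user, left in a comment directly below USER=stoner: superduperp@$$no1knows. The file is owned by stoner but readable by every local user (-rwxr-xr-x), which is why basterd can read it. I will attempt to validate it against the target SSH server again.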
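From the administrator's side, the same weakness (a secret parked in a comment of a script that other local users can read) can be audited for. The following is an added example, not part of the original write-up: the heuristic, the function names scan_script and audit_dir, and the sample file are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the write-up): audit shell scripts that other local
# users can read for comment lines that look like a stashed password.
# Heuristic (an assumption, tune for your environment): a comment consisting of
# ONE token, 8+ characters, mixing letters with non-letters, placed within two
# lines of an account-style assignment such as USER=, LOGIN= or PASS...=.

scan_script() {
    awk '
    /^[ \t]*(USER|LOGIN|PASS)[A-Z_]*=/ { last_assign = NR }
    /^[ \t]*#[^!]/ {                       # comment line, but not a shebang
        tok = $0
        sub(/^[ \t]*#[ \t]*/, "", tok)     # strip the leading "#"
        sub(/[ \t]+$/, "", tok)            # strip trailing blanks
        if (tok !~ /[ \t]/ && length(tok) >= 8 &&
            tok ~ /[A-Za-z]/ && tok ~ /[^A-Za-z]/ &&
            last_assign && NR - last_assign <= 2)
            printf "%s:%d: comment looks like a credential\n", FILENAME, NR
    }' "$1"
}

audit_dir() {
    # -perm -004 selects files readable by "other", the same exposure as the
    # -rwxr-xr-x backup.sh in the listing above.
    find "$1" -type f -name '*.sh' -perm -004 -print |
    while IFS= read -r f; do
        scan_script "$f"
    done
}

demo() {
    d=$(mktemp -d)
    # Constructed sample script; host, account and secret are made-up placeholders.
    printf '%s\n' '#!/bin/bash' 'REMOTE=192.0.2.10' 'USER=backupsvc' \
        '#Ex@mple-Secret1' '####################' \
        'ssh $USER@$REMOTE true' > "$d/job.sh"
    chmod 755 "$d/job.sh"
    audit_dir "$d"
    rm -rf "$d"
}

demo
```

Any hit should lead to rotating the credential, switching the job to key-based SSH authentication, and tightening the file mode so only the owning account can read it.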