Terminal - Linux Path
I find SugarPlum Mary in the room off the left side of the quad, between the NetWars and Speak Unpreparedness Room:
Oh me oh my - I need some help!
I need to review some files in my Linux terminal, but I can’t get a file listing.
I know the command is ls, but it’s really acting up.
Do you think you could help me out? As you work on this, think about these questions:
- Do the words in green have special significance?
- How can I find a file with a specific name?
- What happens if there are multiple executables with the same name in my $PATH?
Going into the terminal, I’ve got a prompt:
[ASCII-art elf banner]
I need to list files in my home
To check on project logos
But what I see with ls there,
Are quotes from desert hobos...
which piece of my command does fail?
I surely cannot find it.
Make straight my path and locate that-
I'll praise your skill and sharp wit!
Get a listing (ls) of your current directory.
elf@81110c98cc25:~$
ls doesn’t list the files as expected:
elf@81110c98cc25:~$ ls
This isn't the ls you're looking for
I can use which to identify the location of a command that will run. If there are multiple binaries with the same name in my PATH, it will show the one that comes first.
On a typical Linux distro, ls will be in /bin. For example, on my Kali VM:
root@kali# which ls
/usr/bin/ls
But in this terminal, it’s different:
elf@81110c98cc25:~$ which ls
/usr/local/bin/ls
I can see that’s just a bash script to echo out the message I got earlier:
elf@81110c98cc25:~$ cat /usr/local/bin/ls
#!/bin/bash
echo -e $'This isn\'t the ls you\'re looking for'
One tool that jumps to mind would be locate, but this ends up not being that helpful here. First, the default search for locate searches for *[input]*, so running locate ls returns tons of stuff, anything with ls in it. I can eliminate that behavior by running locate '\ls', but then I get this:
elf@82aaea9e07af:~$ locate '\ls'
locate: warning: database '/var/cache/locate/locatedb' is more than 8 days old (actual age is 33.1 days)
The DB is out of date. I can try updatedb, but it seems I lack permission:
elf@82aaea9e07af:~$ updatedb
/usr/bin/updatedb: 320: /usr/bin/updatedb: cannot create /var/cache/locate/locatedb.n: Permission denied
/usr/bin/find: '/root': Permission denied
/usr/bin/find: '/var/cache/apt/archives/partial': Permission denied
/usr/bin/find: '/var/cache/ldconfig': Permission denied
/usr/bin/find: '/var/lib/apt/lists/partial': Permission denied
/usr/bin/find: '/etc/ssl/private': Permission denied
Failed to generate /var/cache/locate/locatedb.n
A better alternative is find. I can generate a command to locate all files named ls on this host. The options I’ll use are:
- / - search from the system root
- -name ls - for files named ls
- 2>/dev/null - get rid of any error messages; there would be a lot since I’m not a root user, and therefore there are a lot of directories I can’t access
The result shows two binaries:
elf@81110c98cc25:~$ find / -name ls 2>/dev/null
/usr/local/bin/ls
/bin/ls
I can run /bin/ls to complete the challenge:
elf@81110c98cc25:~$ /bin/ls
' '   rejected-elfu-logos.txt
Loading, please wait......
You did it! Congratulations!
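As an added example (not from the original writeup), a POSIX shell function that walks a PATH in search order and reports any command name present in more than one directory, the same shadowing that which and find exposed above. The demo_shadow function and its temporary two-directory PATH are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original writeup: report every command name that
# exists in more than one directory of a PATH. Directories are walked in search
# order, so the first hit is what the shell runs and the others are shadowed.
path_shadows() {
    _path=${1:-$PATH}          # defaults to the caller's PATH
    printf '%s\n' "$_path" | tr ':' '\n' | while IFS= read -r dir; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            # one "name<TAB>dir" line per executable regular file
            [ -f "$f" ] && [ -x "$f" ] && printf '%s\t%s\n' "${f##*/}" "$dir"
        done
    done | awk -F'\t' '
        { n[$1]++; if (n[$1] == 1) first[$1] = $2; else rest[$1] = rest[$1] " " $2 }
        END { for (k in n) if (n[k] > 1)
                  printf "%s: runs %s/%s, shadows%s\n", k, first[k], k, rest[k] }
    ' | sort
}

# Constructed demonstration: a throwaway PATH with a stub ls in front of a real one,
# mirroring the /usr/local/bin/ls vs /bin/ls situation in the terminal.
demo_shadow() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/local/bin" "$tmp/bin"
    printf '#!/bin/sh\necho "not the real ls"\n' > "$tmp/local/bin/ls"
    printf '#!/bin/sh\nexec /bin/ls "$@"\n'      > "$tmp/bin/ls"
    printf '#!/bin/sh\n'                         > "$tmp/bin/cat"   # single copy: not reported
    chmod +x "$tmp/local/bin/ls" "$tmp/bin/ls" "$tmp/bin/cat"
    path_shadows "$tmp/local/bin:$tmp/bin"
    rm -rf "$tmp"
}
```

Running path_shadows with no argument audits the current shell's PATH; a report line for a core utility such as ls is worth a cat of the winning file, as done above.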
On solving, Bushy gives me a hint to look at DeepBlueCLI from Eric Conrad:
Oh there they are! Now I can delete them. Thanks!
Have you tried the Sysmon and EQL challenge?
If you aren’t familiar with Sysmon, Carlos Perez has some great info about it.
Haven’t heard of the Event Query Language?
Check out Ross Wolf’s talk at CircleCityCon.
python3 -m pip install eql
I already had it installed. Now I can open the shell, and load the log file:
root@kali# eql -f sysmon-data.json
===================
     EQL SHELL
===================
Using file sysmon-data.json with 2626 events
type help to view more commands
eql>
I see it loaded 2626 events.
To find out what tool was used, I started by looking at the processes that were in the logs. I’ll tell EQL that I want queries to output the process name and path:
eql> table process_name, process_path
Now I’ll get a list of unique combinations of process name and path:
eql> search process where true | unique process_name,process_path
============================================================================
process_name      process_path
============================================================================
wevtutil.exe      C:\Windows\System32\wevtutil.exe
cmd.exe           C:\Windows\System32\cmd.exe
powershell.exe    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
cmd.exe           C:\Windows\SysWOW64\cmd.exe
net.exe           C:\Windows\SysWOW64\net.exe
ntdsutil.exe      C:\Windows\System32\ntdsutil.exe
============================================================================
7 results found
The answer immediately jumped out: ntdsutil.exe is a command line tool that provides management facilities for Active Directory, according to Microsoft documentation. The binary shows up on the MITRE ATT&CK page for Credential Dumping. Entering ntdsutil solves the challenge.