Zombie.md

Author: @JohnHammond#6971

Oh, shoot, I could have sworn there was a flag here. Maybe it's still alive out there?

---

Logging in, we see an interesting .user-entrypoint.sh file:

user@zombie:~$ ls -al
total 24
drwxr-sr-x    1 user     user          4096 Jun 15 22:23 .
drwxr-xr-x    1 root     root          4096 Jun 14 17:52 ..
-rwxr-xr-x    1 user     user          3846 Jun 14 17:52 .bashrc
-rw-r--r--    1 user     user            17 Jun 14 17:52 .profile
-rwxr-xr-x    1 root     root           131 Jun 14 17:52 .user-entrypoint.sh

the contents:

user@zombie:~$ cat ~/.user-entrypoint.sh 
#!/bin/bash

nohup tail -f /home/user/flag.txt >/dev/null 2>&1 & # 
disown

rm -f /home/user/flag.txt 2>&1 >/dev/null

bash -i

This looks like something that might be run upon entry. Just to check we can see our default terminal in /etc/passwd:

user@zombie:~$ cat /etc/passwd | grep user
user:x:1000:1000:Linux User,,,:/home/user:/home/user/.user-entrypoint.sh

Looks like this did indeed run and we can see very clearly the rm function getting rid of the flag. oops. Also notable is the tail -f . The -f flag is a live following, or reading the final lines of the file. We can also see a trailing &, meaning this has been set to background. As for nohup:

$ nohup
BusyBox v1.27.2 (2018-06-06 09:08:44 UTC) multi-call binary.

Usage: nohup PROG ARGS

Run PROG immune to hangups, with output to a non-tty

We can see this prevents accidental closings. This process is likely still running.

user@zombie:~$ ps
PID   USER     TIME   COMMAND
    1 root       0:00 /usr/sbin/sshd -D -e
    7 root       0:00 sshd: user [priv]
    9 user       0:00 sshd: user@pts/0
   10 user       0:00 {.user-entrypoin} /bin/bash /home/user/.user-entrypoint.sh -c bash
   11 user       0:00 tail -f /home/user/flag.txt
   13 user       0:00 bash -i
   18 user       0:00 bash
   25 user       0:00 ps

We do indeed see this process still running with a PID 11. My thinking is perhaps we can see the contents by exploring the PID in /proc/

user@zombie:~$ cd /proc/11/
user@zombie:/proc/11$ ls
arch_status      clear_refs       cpuset           fd               limits           mem              net              oom_score        projid_map       setgroups        stat             task             uid_map
attr             cmdline          cwd              fdinfo           loginuid         mountinfo        ns               oom_score_adj    root             smaps            statm            timens_offsets   wchan
auxv             comm             environ          gid_map          map_files        mounts           numa_maps        pagemap          schedstat        smaps_rollup     status           timers
cgroup           coredump_filter  exe              io               maps             mountstats       oom_adj          personality      sessionid        stack            syscall          timerslack_ns

fd refers to file descriptors, which might contain info from stdin, stdout, etc.

user@zombie:/proc/11$ cd fd
user@zombie:/proc/11/fd$ ls
0  1  2  3
user@zombie:/proc/11/fd$ ls -al
total 0
dr-x------    2 user     user             0 Jun 15 22:42 .
dr-xr-xr-x    9 user     user             0 Jun 15 22:41 ..
lr-x------    1 user     user            64 Jun 15 22:43 0 -> /dev/null
l-wx------    1 user     user            64 Jun 15 22:43 1 -> /dev/null
l-wx------    1 user     user            64 Jun 15 22:43 2 -> /dev/null
lr-x------    1 user     user            64 Jun 15 22:43 3 -> /home/user/flag.txt (deleted)

While we do see that it notes flag.txt is deleted. However, perhaps we can still see something, since the program is still in running memory?

user@zombie:/proc/11/fd$ cat 3
flag{6387e800943b0b468c2622ff858bf744}

And the flag is here. Clearly a simple rm might not be enough to exterminate the file out of existence. However, this situation is probably a little unusual since the tail -f was still running long after the rm command.

flag{6387e800943b0b468c2622ff858bf744}