Stall Mucking Report
Location: East Wing
Problem
Thank you Madam or Sir for the help that you bring! I was wondering how I might rescue my day. Finished mucking out stalls of those pulling the sleigh, My report is now due or my KRINGLE's in a sling! There's a samba share here on this terminal screen. What I normally do is to upload the file, With our network credentials (we've shared for a while). When I try to remember, my memory's clean! Be it last night's nog bender or just lack of rest, For the life of me I can't send in my report. Could there be buried hints or some way to contort, Gaining access - oh please now do give it your best! -Wunorse Openslae Complete this challenge by uploading the elf's report.txt file to the samba share at //localhost/report-upload/
Hints
Wunorse Openslae introduces this terminal:
What was that password?
Golly, passwords may be the end of all of us. Good guys can't remember them, and bad guess can guess them!
I've got to upload my chore report to my manager's inbox, but I can't remember my password.
Still, with all the automated tasks we use, I'll bet there's a way to find it in memory...
Wunorse also provides a link to a webpage on Plaintext Credentials in Commands: https://blog.rackspace.com/passwords-on-the-command-line-visible-to-ps
Solution
When user credentials are passed to a program as options on the command line, that data can be discovered by using the process list command 'ps'. By default, ps only shows a condensed version of the command that was run, but by adding -w to the list of options, it will expand the output to contain the entire command.
elf@a9fa7c1c0588:~$ ps -efww USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 1 0.2 0.0 17952 2952 pts/0 Ss 02:53 0:00 /bin/bash /sbin/init root 10 0.0 0.0 49532 3180 pts/0 S 02:53 0:00 sudo -u manager /home/manager/samba-wrapper.sh --verbosity=none --no-check-certificate --extraneous-command-argument --do-not-run-as-tyler --accept-sage-advice -a 42 -d~ --ignore-sw-holiday-special --suppress --suppress //localhost/report-upload/ directreindeerflatterystable -U report-upload root 11 0.0 0.0 49532 3244 pts/0 S 02:53 0:00 sudo -E -u manager /usr/bin/python /home/manager/report-check.py root 15 0.0 0.0 45320 3068 pts/0 S 02:53 0:00 sudo -u elf /bin/bash manager 16 0.0 0.0 33848 8080 pts/0 S 02:53 0:00 /usr/bin/python /home/manager/report-check.py manager 17 0.0 0.0 9500 2428 pts/0 S 02:53 0:00 /bin/bash /home/manager/samba-wrapper.sh --verbosity=none --no-check-certificate --extraneous-command-argument --do-not-run-as-tyler --accept-sage-advice -a 42 -d~ --ignore-sw-holiday-special --suppress --suppress //localhost/report-upload/ directreindeerflatterystable -U report-upload elf 18 0.0 0.0 18208 3272 pts/0 S 02:53 0:00 /bin/bash manager 21 0.0 0.0 4196 680 pts/0 S 02:53 0:00 sleep 60 root 23 0.0 0.0 316664 15408 ? Ss 02:53 0:00 /usr/sbin/smbd root 24 0.0 0.0 308372 5772 ? S 02:53 0:00 /usr/sbin/smbd root 25 0.0 0.0 308364 4532 ? S 02:53 0:00 /usr/sbin/smbd root 27 0.0 0.0 316664 5820 ? S 02:53 0:00 /usr/sbin/smbd elf 30 0.0 0.0 36636 2856 pts/0 R+ 02:53 0:00 ps auxww
We can see here that the username is report-upload and the password is directreindeerflatterystable, a nod to the popular "correct horse battery staple" xkcd comic.
elf@c4110f38517c:~$ ls -l total 4 -rw-r--r-- 1 elf elf 513 Dec 27 02:53 report.txt elf@c4110f38517c:~$ smbclient //localhost/report-upload directreindeerflatterystable -U report-upload WARNING: The "syslog" option is deprecated Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian] smb: \> put report.txt putting file report.txt as \report.txt (250.5 kb/s) (average 250.5 kb/s) smb: \> Terminated elf@c4110f38517c:~$ You have found the credentials I just had forgot, And in doing so you've saved me trouble untold. Going forward we'll leave behind policies old, Building separate accounts for each elf in the lot. -Wunorse Openslae