root         685       2  0 23:37 ?        00:00:00 [kworker/0:4-events]        admin        687     563  0 23:37 pts/0    00:00:00 bash -l                     admin        691     687  0 23:37 pts/0    00:00:00 /usr/bin/python3 /usr/bin/asadmin        694     691  0 23:37 pts/0    00:00:00 /usr/bin/python3 /usr/bin/asadmin        695     691  0 23:37 pts/1    00:00:00 sh -c /bin/bash             admin        696     695  0 23:37 pts/1    00:00:00 /bin/bash                   root         704       2  0 23:37 ?        00:00:00 [kworker/u4:4-events_unboundadmin        957     696  0 23:43 pts/1    00:00:00 ps -ef                      admin@i-0c6e74f29b5339b88:~$ ps -ef | grep web                                  root         580       1  0 23:37 ?        00:00:00 /usr/bin/python3 /home/adminadmin        960     696  0 23:43 pts/1    00:00:00 grep web                    admin@i-0c6e74f29b5339b88:~$ cat /proc/580/mem                                  cat: /proc/580/mem: Permission denied                                           admin@i-0c6e74f29b5339b88:~$ ^Ct /proc/580/mem                                  admin@i-0c6e74f29b5339b88:~$ cd /                                               

[pid   871] <... futex resumed>)        = ?                                     [pid   869] <... futex resumed>)        = ?                                     [pid   871] +++ exited with 2 +++                                               [pid   870] <... futex resumed>)        = ?                                     [pid   869] +++ exited with 2 +++                                               [pid   868] <... nanosleep resumed> <unfinished ...>) = ?                       [pid   870] +++ exited with 2 +++                                               [pid   868] +++ exited with 2 +++                                               +++ exited with 2 +++                                                           admin@i-0b023b3f4c45754c6:~$ ^C                                                 admin@i-0b023b3f4c45754c6:~$ ls                                                 agent  data  datafile  kihei                                                    admin@i-0b023b3f4c45754c6:~$ ll                                                 bash: ll: command not found                                                     admin@i-0b023b3f4c45754c6:~$                                                    

) = 37                                                                          write(2, "  -verbose\n    \tVerbose mode (pr"..., 48  -verbose                          Verbose mode (print extra info)                                         ) = 48                                                                          exit_group(0)                           = ?                                     +++ exited with 0 +++                                                           admin@i-031497702ee010c76:~$ ./kihei -h                                         Usage: ./kihei [options]                                                          -h    Display help                                                              -help                                                                                 Display help                                                              -v    Verbose mode (print extra info)                                           -verbose                                                                              Verbose mode (print extra info)                                         admin@i-031497702ee010c76:~$ chmod 000 /home/admin/data/newdatafile             

write(2, "main.main", 9main.main)                = 9                            write(2, "(", 1()                        = 1                                    write(2, ")\n", 2)                                                              )                      = 2                                                      write(2, "\t", 1        )                       = 1                             write(2, "./main.go", 9./main.go)                = 9                            write(2, ":", 1:)                        = 1                                    write(2, "64", 264)                       = 2                                   write(2, " +", 2 +)                       = 2                                   write(2, "0x47d", 50x47d)                    = 5                                write(2, "\n", 1                                                                )                       = 1                                                     exit_group(2)                           = ?                                     +++ exited with 2 +++                                                           admin@i-04be67f0dc8685ea8:~$                                                    

admin@i-0c469078d13136d60:~$ sudo curl localhost:5000                                                                                                           We trust you have received the usual lecture from the local System              Administrator. It usually boils down to these three things:                                                                                                         #1) Respect the privacy of others.                                              #2) Think before you type.                                                      #3) With great power comes great responsibility.                                                                                                            [sudo] password for admin:                                                      sudo: a password is required                                                    admin@i-0c469078d13136d60:~$ nc localhost5000                                   nc: missing port number                                                         admin@i-0c469078d13136d60:~$ nc localhost 5000                                  G                                                                               

    #2) Think before you type.                                                      #3) With great power comes great responsibility.                                                                                                            [sudo] password for admin:                                                      sudo: a password is required                                                    admin@i-0b509c48b21df0a47:~$ sudo su -                                                                                                                          We trust you have received the usual lecture from the local System              Administrator. It usually boils down to these three things:                                                                                                         #1) Respect the privacy of others.                                              #2) Think before you type.                                                      #3) With great power comes great responsibility.                                                                                                            [sudo] password for admin:                                                      

        [ -q|--quiet ]                                                                  [ -v|--verbose ]                                                                [ -y|--yes ]                                                                    [ -t|--test ]                                                                   [    --commandprofile String ]                                                  [    --config String ]                                                          [    --driverloaded y|n ]                                                       [    --nolocking ]                                                              [    --lockopt String ]                                                         [    --longhelp ]                                                               [    --profile String ]                                                         [    --version ]                                                                                                                                          Use --longhelp to show all options and advanced commands.                     admin@i-075cf9d9f372e0f42:~$                                                    

    2  2023-09-20T15:58:02 exit                                                     3  2023-12-18T23:23:28 ls                                                       4  2023-12-18T23:23:32 vim webserver.py                                         5  2023-12-18T23:23:35 ls -l                                                    6  2023-12-18T23:23:37 sudo -l                                                  7  2023-12-18T23:23:44 sudo view webserver.py                                   8  2023-12-18T23:24:00 ls                                                       9  2023-12-18T23:24:02 ls agent                                                10  2023-12-18T23:24:08 view agent/check.sh                                     11  2023-12-18T23:24:22 netstat -nl4                                            12  2023-12-18T23:24:29 curl 127.0.0.1:5000                                     13  2023-12-18T23:24:40 curl -v 127.0.0.1:5000                                  14  2023-12-18T23:25:09 history                                              admin@i-091ee8f6864cabf76:~$ view .bash_history                                 admin@i-091ee8f6864cabf76:~$                                                    

admin@i-0db08a32edef2fcc2:~$                                                    

lsof      835                    admin  mem       REG              259,1   61712-linux-gnu/libpcre2-8.so.0.10.1                                                 lsof      835                    admin  mem       REG              259,1  190153-linux-gnu/libc-2.31.so                                                         lsof      835                    admin  mem       REG              259,1   16612-linux-gnu/libselinux.so.1                                                      lsof      835                    admin  mem       REG              259,1   17792-linux-gnu/ld-2.31.so                                                           lsof      835                    admin    4r     FIFO               0,11      0tlsof      835                    admin    7w     FIFO               0,11      0tadmin@i-00d15eebefe1eaf63:~$ lsof -nP -iTCP -sTCP:LISTEN                        COMMAND  PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME                        gotty    563 admin    6u  IPv6   1900      0t0  TCP *:8080 (LISTEN)             sadagent 564 admin    7u  IPv6   1875      0t0  TCP *:6767 (LISTEN)             admin@i-00d15eebefe1eaf63:~$ lsof -nP -i                                        

Saving to: ‘index.html’                                                                                                                                         index.html                                           100%[======================                                                                                2023-12-18 12:29:59 (230 KB/s) - ‘index.html’ saved [12/12]                                                                                                     admin@i-0e0c49ce0b601c9b4:~$ cat index.html                                     Unauthorizedadmin@i-0e0c49ce0b601c9b4:~$ ss -tlnp                               State                 Recv-Q                Send-Q                              LISTEN                0                     128                                 LISTEN                0                     128                                 LISTEN                0                     4096                                LISTEN                0                     4096                                LISTEN                0                     128                                 admin@i-0e0c49ce0b601c9b4:~$ wget                                               

tmpfs            5.0M     0  5.0M   0% /run/lock                                /dev/nvme0n1p15  124M  5.9M  118M   5% /boot/efi                                admin@i-034e45a58421c4056:~$ cat /etc/fstab                                     # /etc/fstab: static file system information                                    UUID=811e12d8-f542-4650-9330-8d96633bd90c / ext4 rw,discard,errors=remount-ro,x-UUID=8690-F844 /boot/efi vfat defaults 0 0                                      admin@i-034e45a58421c4056:~$ sudo lsblk -l                                      NAME       MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT                                  nvme1n1    259:0    0    1G  0 disk                                             nvme0n1    259:1    0    8G  0 disk                                             nvme2n1    259:2    0    1G  0 disk                                             nvme0n1p1  259:3    0  7.9G  0 part /                                           nvme0n1p14 259:4    0    3M  0 part                                             nvme0n1p15 259:5    0  124M  0 part /boot/efi                                   admin@i-034e45a58421c4056:~$                                                    

   DISC-ZERO  discard zeroes data                                                      WSAME  write same max bytes                                                       WWN  unique storage identifier                                                 RAND  adds randomness                                                         PKNAME  internal parent kernel device name                                        HCTL  Host:Channel:Target:Lun for SCSI                                          TRAN  device transport type                                               SUBSYSTEMS  de-duplicated chain of subsystems                                          REV  device revision                                                         VENDOR  device vendor                                                            ZONED  zone model                                                                 DAX  dax-capable device                                                                                                                                For more details see lsblk(8).                                                  admin@i-0ffaf8917b90c1ed2:~$ man lsblk                                          

admin        686  0.0  0.9   6740  4540 pts/0    S<s+ 22:25   0:00 bash -l      admin        690  0.8  4.1  98188 19416 pts/0    D<l+ 22:25   0:00 /usr/bin/pyth-t paris/i-07602503257110b80 -q -i 2 /var/log/cast/i-076025032571               admin        693  0.0  3.0  24456 14444 pts/0    R<+  22:25   0:00 /usr/bin/pyth-t paris/i-07602503257110b80 -q -i 2 /var/log/cast/i-076025032571               admin        694  0.0  0.1   2480   512 pts/1    S<s  22:25   0:00 sh -c /bin/baadmin        695  0.0  0.9   6820  4460 pts/1    S<   22:25   0:00 /bin/bash    admin        730  0.0  0.6   8648  3160 pts/1    R<+  22:26   0:00 ps aux       admin@i-07602503257110b80:~$ ps aux | grep nginx                                admin        732  0.0  0.1   5264   640 pts/1    S<+  22:26   0:00 grep nginx   admin@i-07602503257110b80:~$ ps aux | grep apache                               admin        734  0.0  0.1   5264   640 pts/1    S<+  22:26   0:00 grep apache  admin@i-07602503257110b80:~$ ls                                                 agent  webserver.py                                                             admin@i-07602503257110b80:~$ cat webserver.py