TryHackMe: Cyborg

Room: https://tryhackme.com/room/cyborgt8

Box Enumeration

First, let’s use nmap to run a scan of the ports.

nmap -sV 10.10.35.116

Nmap scan report for 10.10.35.116
Host is up (0.099s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Immediately after running our scan over the top 1000 ports, we can see SSH is open on port 22 and we have an Apache webserver open on port 80.

Upon first visiting the website we get a standard Apache page. Next, I’ll use gobuster with a common directory list to see what we can find.

The gobuster enumeration results

The two most interesting directories are admin and etc. Now I had to check /etc first because, if this is what I think it is, it could have a passwd or shadow file for us to take.

The directory was not the standard /etc; however, it did have a /squid directory, which contained its own passwd file.

So I’ll grab this file from the server and then use John the Ripper to crack it:

I use wget to retrieve the file and then pass that to John the Ripper with the rockyou wordlist.

And now we have the password to our first account! I am going to first try them as SSH credentials to see if they work, but unfortunately we are out of luck on this avenue:

No go on ssh credentials

Fortunately, we still have the /admin page we have not checked out yet, so maybe we can use them there! It’s a pretty standard-looking page with no login button. There is no branding either for a CMS such as WordPress. Inspecting the source code reveals two working links in the nav: an admin.html and an archive.tar.

Source code of the site, only two active links

I downloaded the archive.tar. Navigating to admin.html shows a “shoutbox” that alludes further to the squid proxy we discovered earlier and also mentions a backup called “music_archive”, which I assume is that archive.tar file.

The shoutbox

Extracting the Backup

Upon investigating the archive.tar, it appears to be a backup of the user’s home folder. In the home folder we see this .tar was made with Borg Backup, so we can install that and try to extract it.

First we need to untar the package. I have the file in my downloads dir, so I can run tar -xvf archive.tar and it will preserve the exact folder structure from the .tar file. Now we need to follow the syntax of borg extract as seen on their website:

Snippet from the official docs

So now we need to fill out the entire path which is our ~/Downloads + the file structure of the unzipped file of /home/field/dev/final_archive, and we know from the shoutbox the archive name is music_archive. Let’s put that together:

borg extract

It also prompts us for the password, which happens to be the same password we cracked from the squid proxy earlier. (Hint! Don’t reuse passwords online for this reason!)

Now after running the command, we have a new /home/alex folder inside of our unzipped archive.tar directory. In the user’s documents directory we find a note.txt with credentials!

Access Granted!

Machine Access

With Alex’s credentials, we should be able to now get the user flag we already know exists. Let’s ls his home directory, and voila, a user.txt file! Our next step is to see what kind of exploits we can use in order to grant us root access.

My first check is to run sudo -l. This will give us a list of all the commands we can run with root privileges. And we get a single file that we can run:

Our one file for root entry

This is an odd file to have root privileges on. Let’s cd to the directory. Running ls -la first, we can see that the file only has read and execute privileges, but is owned by us. Because we own the file, we can run chmod +w backup.sh to restore write access.

Now I will replace the contents of the file to just open a new shell by running echo "/bin/bash" > backup.sh. From before, we know we can execute this file with root privileges and once we do so:

Look at me, I am the captain now

Voila, we are root!

We can go to /root and we can grab our last root.txt flag!
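Seen from the defender's side, the root cause above is a sudo rule pointing at a script that an unprivileged user owns. The following is an added example, not code from the room or from this writeup: it parses `sudo -l` output and flags any target, or parent directory, that a non-root user could modify. The sample output, the `/opt/example/backup.sh` path and the function names are constructed placeholders.

```python
import os
import re
import stat

# Constructed `sudo -l` output; the script path is a placeholder, not the room's.
SAMPLE_SUDO_L = """\
User alex may run the following commands on host:
    (ALL : ALL) NOPASSWD: /opt/example/backup.sh
"""

def sudo_targets(sudo_l_output):
    """Return the absolute command paths granted in `sudo -l` output."""
    targets = []
    for line in sudo_l_output.splitlines():
        m = re.match(r"\s*\([^)]*\)\s*(?:[A-Z_]+:\s*)*(.+)", line)
        if not m:
            continue
        for cmd in m.group(1).split(","):
            words = cmd.split()
            if words and words[0].startswith("/"):
                targets.append(words[0])
    return targets

def is_tamperable(uid, mode):
    """Unsafe for a root-run file: a non-root owner (who can always chmod +w
    it back, as on this page) or write permission for group or other."""
    return uid != 0 or bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit(path, stat_fn=os.stat):
    """Check the target and every parent directory; return (path, reason) findings."""
    findings = []
    current = os.path.realpath(path)  # resolve symlinks, then walk up to /
    while True:
        try:
            st = stat_fn(current)
            if is_tamperable(st.st_uid, st.st_mode):
                reason = "uid=%d mode=%o" % (st.st_uid, stat.S_IMODE(st.st_mode))
                findings.append((current, reason))
        except FileNotFoundError:
            findings.append((current, "missing"))
        parent = os.path.dirname(current)
        if parent == current:
            return findings
        current = parent

if __name__ == "__main__":
    # Swap SAMPLE_SUDO_L for real `sudo -l` output on the host being audited.
    for target in sudo_targets(SAMPLE_SUDO_L):
        print(target, audit(target))
```

Any finding means the sudo rule is effectively unrestricted root for whoever controls that path. The fix is a root-owned script, not writable by group or other, stored under root-owned directories.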
