First, let’s use nmap to run a scan of the ports.
nmap -sV 10.10.35.116 Nmap scan report for 10.10.35.116 Host is up (0.099s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernal
Immediately after running our scan over the top 1000 ports, we can see SSH is open on port 22 and we have an Apache webserver open on port 80.
Upon first visiting the website we get a standard apache page. Next, I’ll use gobuster with a common directory list to see what we can find
The two most interesting directories are admin and etc. Now I had to check /etc first because if this is what I think it is, it could have a passwd or shadw file for us to take.
The directory was not the standard /etc, however it did have a /squid directory which did contain it’s own passwd file
So I’ll grab this file from the server and then use john the ripper to crack it:
And now we have the password to our first account! I am going to first try them as SSH credentials to see if they work, but unfortunately we are out of luck on this avenue:
Fortunately, we still have the /admin page we have not checked out yet, so maybe we can use them there! It’s a pretty standard looking page with no login button. There is no branding either for a CMS such as wordpress. Inspecting the source code renders two working links in the nav, an admin.html and an archive.tar.
I downloaded the archive.tar and when you navigate to admin.html, they have a “shoutbox” that alludes more to the squid proxy we discovered earlier and also a backup for “music_archive”, which is that archive.tar file I assume.
Extracting the Backup
Upon investigating the archive.tar, it appears this seems to be a backup of the user’s home folder. In the home folder we see this .tar was made from borg backup. So we can install that and try to extract it.
First we need to untar the package. I have the file in my downloads dir, so I can run
tar -xvf archive.tar and it will preserve the exact folder structure from the .tar file. Now we need to follow the syntax of borg extract as seen on their website:
So now we need to fill out the entire path which is our ~/Downloads + the file structure of the unzipped file of /home/field/dev/final_archive, and we know from the shoutbox the archive name is music_archive. Let’s put that together:
It also prompts us for the password, it happens to be the same password we cracked from the squid proxy earlier. (Hint! Don’t reuse passwords online for this reason!)
Now after running the command, we have a new /home/alex folder inside of our unzipped archive.tar directory. In the users’ documents directory we find a note.txt with credentials!
With Alex’s credentials, we should be able to now get the user flag we already know exists. Let’s
ls his home directory, and voila, a user.txt file! Our next step is to see what kind of exploits we can use in order to grant us root access.
My first check is to run
sudo -l. This will give us a list of all the commands we can run with root privileges. And we get a single file that we can run:
This is an odd file to have root privileges on. Let’s
cd to the directory. First by running
ls -la we can see that the file only has read and execute privileges, but is owned by us. We can run
chmod +w backup.sh to restore write capabilities.
Now I will replace the contents of the file to just open a new shell by running
echo "/bin/bash" > backup.sh. From before, we know we can execute this file with root privileges and once we do so:
Voila, we are root!
We can go to /root and we can grab our last root.txt flag!