Cyborg
https://tryhackme.com/room/cyborgt8
Nmap
Default root page for the web server points to the Apache2 page.
We can then use feroxbuster
to enumerate further directories and files.
From the results above the /etc/squid/passwd is potentially interesting. Using curl we can read the contents of the file from the terminal.
Reveals the user and hash combination: music_archive:$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.
This was then cracked using John against the rockyou.txt wordlist.
For now, we can keep a note of the cracked password. Looking again at the feroxbuster results we can browse to http://<IP>/admin
which shows the web page below.
Under the Archive drop down menu there is an opporunity to download a archive.tar
compressed archive. This archive is extractable without providing a password.
The archive extracts down into the path: home/field/dev/final_archive/
Looking through the files README.txt
gives indication that the archive was created with Borg Backup.
The command below will install Borg Backup.
Shown below are the commands and linked documentation for listing and extract Borg archives. As shown in the second command the archive can be extract with Borg, where we will be prompted to provide password authentication to decrypt and extract the archive.
After entering the cracked password from earlier, the command below can be used to find interesting files within the newly extract archive which appears to represent the user profile for the user alex.
The note.txt
file in Alex's documents reveals a password for his SSH
login.
After successfully logging in with SSH we are able to check what sudo
permissions Alex has on the target system.
Checking sudo -l
.
Alex has the ability to run sudo
as any user without providing a password on the bash script /etc/mp3backups/backup.sh
.
There is an opportunity to run commands at the end of the script.
Running a command after the script using the -c
parameter allows commands to be executed in the context of root.
reading the contents of /home/alex/.bash_history
also shows where the user alex has used the same methods previously to perform elevated functions with the script.
This allows for the root flag to be read.
For a root shell its possible to use this function to echo in a new root user into /etc/passwd.
Last updated