Cyborg

January 04, 2024

Task 1 - Deploy the machine

  • Deploy the machine

    • No answer needed

Task 2 - Compromise the system

  • Scan the machine, how many ports are open?

    • 2

  • What service is running on port 22?

    • ssh

  • What service is running on port 80?

    • http

  • What is the user.txt flag?

    • THM

  • What is the root.txt flag?

    • THM

nmap -sC -sV -oN nmap 10.10.47.92 -Pn -vv

# Nmap 7.93 scan initiated Thu Jan  4 15:16:12 2024 as: nmap -sC -sV -oN nmap -Pn -vv 10.10.43.109
Increasing send delay for 10.10.43.109 from 0 to 5 due to 58 out of 192 dropped probes since last increase.
Nmap scan report for 10.10.43.109
Host is up, received user-set (0.31s latency).
Scanned at 2024-01-04 15:16:12 PST for 44s
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 dbb270f307ac32003f81b8d03a89f365 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtLmojJ45opVBHg89gyhjnTTwgEf8lVKKbUfVwmfqYP9gU3fWZD05rB/4p/qSoPbsGWvDUlSTUYMDcxNqaADH/nk58URDIiFMEM6dTiMa0grcKC5u4NRxOCtZGHTrZfiYLQKQkBsbmjbb5qpcuhYo/tzhVXsrr592Uph4iiUx8zhgfYhqgtehMG+UhzQRjnOBQ6GZmI4NyLQtHq7jSeu7ykqS9KEdkgwbBlGnDrC7ke1I9352lBb7jlsL/amXt2uiRrBgsmz2AuF+ylGha97t6JkueMYHih4Pgn4X0WnwrcUOrY7q9bxB1jQx6laHrExPbz+7/Na9huvDkLFkr5Soh
|   256 68e6852f69655be7c6312c8e4167d7ba (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB5OB3VYSlOPJbOwXHV/je/alwaaJ8qljr3iLnKKGkwC4+PtH7IhMCAC3vim719GDimVEEGdQPbxUF6eH2QZb20=
|   256 562c7992ca23c3914935fadd697ccaab (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKlr5id6IfMeWb2ZC+LelPmOMm9S8ugHG2TtZ5HpFuZQ
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jan  4 15:16:56 2024 -- 1 IP address (1 host up) scanned in 43.88 seconds

After that, we can browse the admin section, where the archive section offers a file that we can download.

After downloading, extract the tar file into your directory.

After that, we can navigate to the /etc subdirectory in the browser.

Here we can see an MD5 hash that we can crack.

We will use John the Ripper to crack the hash.

After John cracks the MD5 hash, we have the passphrase, which is squidward.

In the admin shoutbox, we can see some keywords such as "music_archive".

Then we can extract the backup using the borg command, with "squidward" as the key.

After that, we can see a new user in the home directory.

After that, we can run sudo -l to see whether there are any commands that we can run using sudo.

Then use this command to view root.txt

Or we can do it another way

Go to the folder that contains the file sudo allows

Then add write permission to that file

Just add "/bin/bash" at the end, and it will raise your privileges to root.
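
The last steps work because a file that sudo runs as root can be modified by the user invoking it. A defender's check for that condition follows, as an added example that is not part of the original write-up. The function names and the placeholder path are assumptions; the real path comes from the sudo -l output.

```shell
#!/bin/sh
# Added example: audit a file that sudoers lets a user run as root.
# It must be owned by the trusted uid (root) and not be group/world writable,
# otherwise the invoking user can chmod or edit it and gain root.

# check_one PATH TRUSTED_UID
# Prints a finding and returns 1 if PATH is missing, owned by another uid,
# or group/world writable. Symlinks are followed (-L).
check_one() {
    info=$(ls -ldnL -- "$1" 2>/dev/null) || { echo "MISSING $1"; return 1; }
    # ls -ln fields: mode, link count, numeric uid, ...
    read -r mode _links uid _rest <<EOF
$info
EOF
    rc=0
    if [ "$uid" != "$2" ]; then
        echo "OWNER $1 is owned by uid $uid, not $2 (the owner can chmod and edit it)"
        rc=1
    fi
    case $mode in
        ?????w*|????????w*)   # 6th char = group write, 9th char = other write
            echo "MODE $1 is group- or world-writable ($mode)"
            rc=1 ;;
    esac
    return $rc
}

# audit_sudo_target PATH [TRUSTED_UID]
# Checks the file and its containing directory (a writable directory lets the
# file be replaced). TRUSTED_UID defaults to 0 (root). Returns 0 only if both pass.
audit_sudo_target() {
    target=$1
    trusted=${2:-0}
    status=0
    check_one "$target" "$trusted" || status=1
    check_one "$(dirname -- "$target")" "$trusted" || status=1
    return $status
}

# Stand-alone use (placeholder path; take the real one from `sudo -l`):
#   sh audit.sh /path/from/sudo-l/script.sh
if [ "$#" -gt 0 ]; then
    audit_sudo_target "$@"
fi
```

Any OWNER or MODE finding means the sudoers entry grants root to whoever can write that file. Fix the ownership and mode (root-owned, no group or world write) or remove the entry.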
