mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-21 19:43:03 +00:00
Add files via upload
This commit is contained in:
parent
e2bf811a5f
commit
ace39fe854
1 changed files with 114 additions and 0 deletions
114
TryHackMe/Cyborg.md
Normal file
114
TryHackMe/Cyborg.md
Normal file
|
@ -0,0 +1,114 @@
|
|||
# TryHackMe-Cyborg
|
||||
|
||||
## NMAP
|
||||
|
||||
```
|
||||
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-28 16:55 PKT
|
||||
Nmap scan report for 10.10.203.159
|
||||
Host is up (0.42s latency).
|
||||
Not shown: 998 closed ports
|
||||
PORT STATE SERVICE VERSION
|
||||
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
|
||||
| ssh-hostkey:
|
||||
| 2048 db:b2:70:f3:07:ac:32:00:3f:81:b8:d0:3a:89:f3:65 (RSA)
|
||||
| 256 68:e6:85:2f:69:65:5b:e7:c6:31:2c:8e:41:67:d7:ba (ECDSA)
|
||||
|_ 256 56:2c:79:92:ca:23:c3:91:49:35:fa:dd:69:7c:ca:ab (ED25519)
|
||||
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|
||||
|_http-server-header: Apache/2.4.18 (Ubuntu)
|
||||
|_http-title: Apache2 Ubuntu Default Page: It works
|
||||
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
|
||||
|
||||
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
|
||||
Nmap done: 1 IP address (1 host up) scanned in 30.22 seconds
|
||||
```
|
||||
|
||||
|
||||
## Task 1
|
||||
|
||||
Scan the machine, how many ports are open?
|
||||
|
||||
`2`
|
||||
|
||||
## Task 2
|
||||
|
||||
What service is running on port 22?
|
||||
|
||||
`SSH`
|
||||
|
||||
## Task 3
|
||||
|
||||
What service is running on port 80?
|
||||
|
||||
`HTTP`
|
||||
|
||||
## PORT 80 (HTTP)
|
||||
|
||||
<img src="https://imgur.com/aHhYNcp.png"/>
|
||||
|
||||
Running feroxbuster
|
||||
|
||||
<img src="https://imgur.com/QOd5Uxu.png"/>
|
||||
|
||||
<img src="https://imgur.com/8MCYWOO.png"/>
|
||||
|
||||
```
|
||||
music_archive:$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.
|
||||
```
|
||||
|
||||
Navigating to `/admin`
|
||||
|
||||
<img src="https://imgur.com/NL2tIx4.png"/>
|
||||
|
||||
We can download this tar archive on click the `archive` tab also visiting `admin` tab we can see some conversation which tells about squid proxy which we have already discoverd
|
||||
|
||||
<img src="https://imgur.com/Ses5eA6.png"/>
|
||||
|
||||
Extracting the tar contents
|
||||
|
||||
<img src="https://imgur.com/hxOOiJS.png"/>
|
||||
|
||||
<img src="https://imgur.com/3I5ZfsC.png"/>
|
||||
|
||||
This is all conmpressed and encrypted using `Borg`. Now in order to recover these encrypted files we need to have borg on our machine so let's download the binary from github
|
||||
|
||||
<img src="https://imgur.com/CHmjqPK.png"/>
|
||||
|
||||
<img src="https://imgur.com/hoOCDdk.png"/>
|
||||
|
||||
It's asking for a passphrase ,so the hash we saw earlier let's try to crack it with `john`
|
||||
|
||||
<img src="https://imgur.com/j8q1vs1.png"/>
|
||||
|
||||
<img src="https://imgur.com/kOa5yBl.png"/>
|
||||
|
||||
We got the `music_archive` which was in the conversation so now let's mount it on a folder using the passphrase
|
||||
|
||||
<img src="https://imgur.com/jI5jshY.png"/>
|
||||
|
||||
<img src="https://imgur.com/MpO1xPL.png"/>
|
||||
|
||||
<img src="https://imgur.com/NnkwMgi.png"/>
|
||||
|
||||
It wasn't really a secret!
|
||||
|
||||
<img src="https://imgur.com/1F9XXtu.png"/>
|
||||
|
||||
And this might be the creds for SSH
|
||||
|
||||
<img src="https://imgur.com/40R6J7a.png"/>
|
||||
|
||||
Here in this script `getops` is intersting which will lead us to privilege escalation
|
||||
|
||||
<img src="https://imgur.com/sIptnh3.png"/>
|
||||
|
||||
In the while loop `c:` is the argument for getops also there is a swtich case for `c` which is the command so if we specify a bash command specify -c in the script it will get excecuted as root.
|
||||
|
||||
<img src="https://imgur.com/EhNShAz.png"/>
|
||||
|
||||
<img src="https://imgur.com/eZNcueo.png"/>
|
||||
|
||||
We can get root if we specify `bash` after -c but we will run into a problem that we cannot see the output of the commands we are typing so to get a proper root shell we can SUID /bin/bash and can spawn a root shell with it
|
||||
|
||||
<img src="https://imgur.com/M7xG4li.png"/>
|
||||
|
||||
<img src="https://imgur.com/JQ88bfc.png"/>
|
Loading…
Reference in a new issue