Mirrors/CTF-Writeups
2
0
Fork 0
mirror of https://github.com/AbdullahRizwan101/CTF-Writeups synced 2025-02-16 12:08:24 +00:00
Code Issues Projects Releases Packages Wiki Activity
CTF-Writeups/TryHackMe/Cyborg.md
AbdullahRizwan101 ace39fe854
Add files via upload
2021-01-28 18:31:16 +05:00

3.2 KiB
Raw Blame History

TryHackMe-Cyborg

NMAP

Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-28 16:55 PKT
Nmap scan report for 10.10.203.159
Host is up (0.42s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 db:b2:70:f3:07:ac:32:00:3f:81:b8:d0:3a:89:f3:65 (RSA)
|   256 68:e6:85:2f:69:65:5b:e7:c6:31:2c:8e:41:67:d7:ba (ECDSA)
|_  256 56:2c:79:92:ca:23:c3:91:49:35:fa:dd:69:7c:ca:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.22 seconds

Task 1

Scan the machine, how many ports are open?

2

Task 2

What service is running on port 22?

SSH

Task 3

What service is running on port 80?

HTTP

PORT 80 (HTTP)

Running feroxbuster

music_archive:$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.

Navigating to /admin

We can download this tar archive on click the archive tab also visiting admin tab we can see some conversation which tells about squid proxy which we have already discoverd

Extracting the tar contents

This is all conmpressed and encrypted using Borg. Now in order to recover these encrypted files we need to have borg on our machine so let's download the binary from github

It's asking for a passphrase ,so the hash we saw earlier let's try to crack it with john

We got the music_archive which was in the conversation so now let's mount it on a folder using the passphrase

It wasn't really a secret!

And this might be the creds for SSH

Here in this script getops is intersting which will lead us to privilege escalation

In the while loop c: is the argument for getops also there is a swtich case for c which is the command so if we specify a bash command specify -c in the script it will get excecuted as root.

We can get root if we specify bash after -c but we will run into a problem that we cannot see the output of the commands we are typing so to get a proper root shell we can SUID /bin/bash and can spawn a root shell with it