Cyborg Room TryHackMe
export IP=10.10.166.13Doing some basic nmap enumeration
$ nmap -sC -sV -v $IP -oN nmap/initial.nmapPorts:
22 ssh
80 http
Looks like there isn't much to explore port-wise. Time to move onto gobuster!
$ gobuster dir -t 64 -u $IP -w ~/wordlists/website_dir/directory-list-2.3-medium.txt -x .txt,.php,.html,.jpg,.png -o gobuster/dir_med.txtDirectories
/admin/
/etc/
Checking out /etc we discover something named squid and a username and hash for it.
Using hashcat to crack the hash
$ hashcat -t 64 -m 1600 '$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.' ~/wordlists/passwords/rockyou.txtReveals the password to be squidward. This, however, does not enable us to login to ssh but the squid proxy
Going to the admin page also reveals more information. There is a note from Alex who basically indicates that he has no idea what he is doing with squid.
There is also a archive tab that when downloading it, reveals it to be a bord backup that we can unextract.
$ borg list final_archiveWhich requires a passphrase, the one we had gotten earlier! This reveals that the backup is named music_archive and we can now extract it
$ borg extract final_archive/::music_archiveWe now have a new folder named home with a user, alex's home directory. Within his home directory he has two files...
These notes reveal his bad memory at remembering passwords, and his password S3cretP@s3.
Logging onto the machine, we can immediately grab the user flag.
And checking his sudo permissions...
Should be a walk in the cake until you realise you can't edit that file :/
But since we are the owner of the file, we can simply chmod it to 7XX!
Add in a
/bin/bash -ipto the file and run as via sudo and viola!
We are complete!
