Web Enumeration and Privilege Escalation Through Backups | TryHackMe Cyborg

Captions
What's going on guys, so we're back to some offensive security work, and in today's video we're going to talk about the Cyborg machine from THM. So I have outlined here the steps that it will take to reach the root. So the first step, as you can see, which happens to be the same all the time, is the scanning and the reconnaissance. So we find here through an nmap scan that we have two open ports, or I remember there were three. So the first one was 80, where we have HTTP, and the next one is 22, where there is an SSH. After we learn that we have an HTTP server we decide to go over the page, so once opening the page we will see it's only Apache, right? So we decided to step to the web enumeration phase.

So the web enumeration starts always with directory search, so we fire gobuster, okay, and you can use any wordlist, but there are some wordlists that will not work for the scenario, so I recommend you guys to stick with a wordlist called directory medium; you can find this under dirbuster, directory-list medium, all right. So upon executing that we find that we have two directories, we reveal two directories: the first one is admin and the other one is etc. So imagine that we have stumbled upon an etc page inside the web server. So normally etc is a directory in the Linux file system, so weird enough we find this in a web server. So basically /etc reveals a hash, so here you will find a hash, okay, and in /admin you will be able to download what we call an archive, so a borg archive.

So what is a borg archive? So basically guys, borg is a type of backup software, so you can use borg, you can find it on the web, to perform backups. The features of borg as a backup software are two: the first one is deduplication; deduplication means that it only backs up the changes, so if you are doing daily backups it can only back up the files that have changed, right, a perfect tool for daily backup; and the next one is encryption, you can encrypt your backups. So that's about borg. Now once we learn how borg works we'll be able to reveal the content of the archive using the hash we have found from here, okay, and once we do that, inside the archive we will be led into another password. The password here will be used, as you can see, or marks the stage credential disclosure, so here the password is the credential disclosure phase. Once we review credentials we head to SSH, we log in, so through SSH we start the privilege escalation phase.

Now in the privilege escalation phase there is a cron job running, or yeah, a script called backup.sh running as a cron job. So by looking at the script we find that it accepts an argument -c to execute a command here, okay, and backup.sh is running as root. So what do we do here? We can control the parameter cmd, and here we use this command, so we assign the SUID bit to /bin/bash, okay, and after that we will be able to execute, or get root access, by executing bash -p. So that is in a nutshell; let's now step to the practical scenario. So as I said earlier, we have two open ports, 22 and 80.

Now we can open the browser. Now we know that the page will open the default Apache, so we're going to step right away to the stage where we do web enumeration. So basically we're going to use gobuster for directory brute force: sudo gobuster dir -u http 10 226 28, and then we define the wordlist, /usr/share/wordlists, dirbuster, directory-list medium; do we have medium? It's 2.3-medium, so we use this one. And we have the browser open; now we can navigate to the page. Yep, I'm gonna disable Burp. So this is the page, as you can see, the default Apache 2.0 default page. Let me go back; as you can see we have admin and etc, we have revealed two directories. We're gonna stop here, navigate, open a new tab to etc and here to admin.

All right, so what do we have here? We have this page: music achievements, "to remind me I'm cool", and "set up childhood", so we have what seems to be a music production page. And on /etc we see a directory called squid. Now Squid is an HTTP proxy, that's it. We click on that; as you can see we have the conf, the configuration of the Squid, and we have a password file. Now our curiosity will lead us to open the password file first, so we're going to click on that and we see we have a username, which seems to be a username, and a hash. Keep this as is. Let's go back; here we have this Squid configuration and it is located, as you can see, under etc, so nothing to do with this Squid configuration for now. And I'll go back and click on the password file, keep this as is, and check the page back. So we have albums, admins, archive; if you click on admins you will see the admin shout box where people get to talk with each other about music, and here you will notice that there's a note here, an interesting one. It says: "Okay sorry guys, I think I messed something up. I was playing around with this squid proxy I mentioned earlier. I decided to give up like I always do, sorry about that. I heard these proxy things are supposed to make your website secure but I barely know how to use it so I'm probably making it more insecure in the process. Might pass it over to the IT guys, but in the meantime all the config files are laying about and since I don't know how it works I am not sure how to read."

So basically the note is hinting, or giving you hints, about the Squid proxy and that you should look for its configuration file. Now Google it and you will find that the Squid proxy configuration is located under etc; that's how you guess that there's a directory called etc. But you don't need to; even if you didn't get the hint from here, it's enough that you have run gobuster and you have revealed the etc, actually, to be able to discover the credentials here.

So now the next step is to crack the hash, okay. The first thing in cracking any hash is identifying the type of the hash; this can be done by several methods, offline and online. We're going to first start with the offline method: hash-identifier, paste; so it's MD5(APR), okay. Now we use hashcat; now the mode for MD5(APR) is actually 1600. Now you can find all of the modes of all the kinds of hashes using the hashcat table online; I have stated that several times in my previous videos, just Google and type "hashcat modes" and you will be able to find the modes and the corresponding hash types. So for now we're going to go ahead and start hashcat: sudo, you can just type it like that, hashcat, okay, -a 0, and then we define the mode. Okay, one thing we forgot actually is to add the hash to a file, so we're gonna copy the hash and nano hash, okay. Now back to hashcat: -a 0, -m, and the file that contains the hash, and then the wordlist under /usr/share/wordlists here. Now we'll start the hash cracking process and hopefully it will end fast.

After we crack the hash, or in the meantime, let's go here and explore or download the archive. So under the archive here we have listen and we have download; if you click on download you will be prompted to download the archive, so you're going to save the file under tryhackme, save, okay. Now while this is running let's go over the archive; so as you can see here we have the archive. Now if you type file archive it's telling you that this is really an archive, okay. Let's go back here; so the hash has been cracked and this is the password. Now if we get back to squid, as you can see now the username is music_archive and the password is squidward. And the next thing is to find a way to just enter this archive. What we can do here, we can just type tar -xvf and then the name of the archive, okay. So we have got discovered home, field, dev, final archive; let's see where the extracted files are. I'm gonna be better putting this under one directory. It's here, huh; so cd home, cd field, cd dev, cd final. So these are the files. From the notes here we know that we are inside a borg repository, or borg backup repository, so the next step now is to extract the archive.

So in order to do that we're going to need to head to the documentation page, and the author of this challenge has written the link here for a reason, because you need actually to read the documentation in order to extract the archive. So I have done that on our behalf, and in order to extract the archive we're gonna first have to find out where we are, so pwd, and this is the current directory. So we're gonna now issue borg extract, this is the path to the archive, and we put two colons with the username; so the username is the one that we found here, it's music_archive. So it's borg, not warp. I think we're gonna have to install this one; let's see if we can install that using apt install, sudo, let's try this, borgbackup, uh-huh, now we can install this one. So if you don't have it just type apt install borgbackup and you will be able to use the tool, although I'm not a very big fan of challenges where you have to install tools on your own machine, because sometimes it creates some issues on your machine and you may not be ready to solve these issues while you're solving the challenge. So some challenges are, you know, friendly, some are kind of unfriendly, like this one.

So now we can use borg, let's see. Okay, now enter the passphrase; all right, so here we get the passphrase. All right, ls; so cd again to home/alex. So now we get the dump of alex's home directory. Let's check our Desktop, and with secret: cat secret, "shout out all the people who have gotten to this stage", okay, thank you. Let's go back, see the Documents; eventually we're gonna find this something, right. So alex secret: "Wow, I'm awful at remembering passwords so I have taken my friend's advice and noting them down", okay. Now ssh alex, okay, so now we switch to the machine; type the IP here, okay, 10 10 2 8, and of course we're gonna need to copy the password, yes.

All right, the last step now is to conduct the privilege escalation: sudo -l, let's see what we can do as sudo. So we can run this script as all users without the need to provide any password, which means we can run this as root, right: sudo etc backup.sh. But let's now check this script out, okay. So it starts from here. So find -name, it looks for mp3 files; sudo tee etc backup files, okay; input y, read lines. So these are all what seems to be backup for mp3 files, so it's getting backup for mp3 files. And here I can see line y: getopts c flag, case; so this one is taking an argument from the command line and assigning it to the variable command. And lastly, these all have to do with the backup inventory files, as you can see, and this is the destination, or the directory where it will host the backups, okay. These are to state that the backup has been successfully performed, and lastly we see cmd equal command: the argument that we have talked about here, it is being assigned to the cmd variable and then it is being echoed out. So enough; it's very easy to get the message from here that this script, yeah, it does some sort of backup, but at the same time it takes command line arguments using the switch -c.

So what we're going to do now, we're going to try to use our privilege from here: issue the script as sudo and give it some sort of command to execute. So sudo; we're going to test out the whoami command, see, everything is running now. We saw that the argument is -c and here we type whoami or id. So we get some errors about files not specified for backup, but lastly, as you can see, the command, this is the output of the command; so as you can see it is telling us that the id is root. So the reason for that is we're running the script as sudo in an elevated mode, that's why it's giving us root, but it doesn't mean we are root; it means the script is running as root. So what do we do now? I'm gonna issue one command: assign the SUID bit to /bin/bash; this will set the SUID bit on /bin/bash, okay, and as there is a root, next we will be able to run /bin/bash, or bash, as the root user. So bash -p, id, let's see, euid is root. So this concludes the challenge; now we go to root, cat root.txt, and this is the root flag.

Okay, now let's go ahead and check out: how many ports are open? Two. What service is running on port 22? SSH. What's running on port 80? What is the user flag? I need to get the user flag. What's the root flag? Okay, this is easy. All right, let's now grab the user flag: cd home, cd alex, cat user.txt, and this is it guys, thank you for watching.
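The final step above sets the SUID bit on /bin/bash and then calls bash -p. As an added example that is not part of the video, here is a small POSIX shell audit a defender can run to catch exactly that change: it snapshots the setuid executables under a directory, reports any that appear later, and flags setuid shell interpreters outright. The function names, the baseline file path and the demo paths are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the video): detect a newly setuid binary such as the
# /bin/bash the walkthrough makes setuid, by diffing the current SUID inventory
# against a known-good baseline. Assumes POSIX sh with find, sort, comm and grep.

# list_suid DIR: print every regular file under DIR with the setuid bit, sorted
# (comm below needs sorted input). -xdev stays on one filesystem so mounts
# such as /proc are not walked.
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# save_baseline DIR FILE: record the current SUID inventory as the baseline.
save_baseline() {
    list_suid "$1" > "$2"
}

# suid_drift DIR FILE: print setuid files present now that are absent from the
# baseline FILE. Empty output means no new setuid binaries have appeared.
suid_drift() {
    list_suid "$1" | comm -13 "$2" -
}

# suid_shells DIR: print setuid files whose name is a shell interpreter. A
# setuid sh/bash/dash/zsh/ksh is almost never legitimate and is exactly what
# `bash -p` abuses. `|| true` keeps "no match" from reading as an error.
suid_shells() {
    list_suid "$1" | grep -E '/(ba|da|z|k)?sh$' || true
}

# Usage (constructed demo paths): baseline /usr/bin once, then check for drift.
# save_baseline /usr/bin /var/tmp/suid.baseline
# suid_drift    /usr/bin /var/tmp/suid.baseline
# suid_shells   /usr/bin
```

Run the baseline on a freshly provisioned host and schedule the drift check; a non-empty result, or any line from suid_shells, is worth an alert.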
Info
Channel: Motasem Hamdan
Views: 3,120
Keywords: cyborg, THM, ctf
Id: pv75bO2yVY8
Length: 21min 15sec (1275 seconds)
Published: Tue Apr 26 2022