It has been 488 days since the last update, the content of the article may be outdated.

【THM】Cyborg-Practice

本文相关的TryHackMe实验房间链接:https://tryhackme.com/room/cyborgt8

Difficulty: Easy

Code
1
nmap -p- -sC -sV -T4 10.10.167.166

image-20231127183442388

检查一下发现80端口只是默认的Apache2,这意味着该站点尚未完全配置

为了更深入的挖掘

我们采用gobuster

Code
1
gobuster dir --url http://10.10.167.166/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

image-20231127211243203

发现了一个/admin/etc

image-20231127184309999

访问/etc

Code
1
2
3
/etc/squid/passwd

music_archive:$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.
Code
1
2
3
4
5
6
7
8
/etc/squid/squid.conf

auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 2 hours
acl auth_users proxy_auth REQUIRED
http_access allow auth_users

我们看到这是一个哈希值,所以我们继续破解它。

https://hashcat.net/wiki/doku.php?id=example_hashes

image-20231127185318408

还有另一种方法

Code
1
hash-identifier

image-20231127185530993

image-20231127190130598

squidward

下载了一个 archive.tar 文件。我们将保存此内容以备后用

我们解压一下

image-20231127212321889

我们看到以下文件:

Code
1
config  data  hints.5  index.5  integrity.5  nonce  README

查看readme

Code
1
2
This is a Borg Backup repository.
See https://borgbackup.readthedocs.io/

可以看到,在“用法”部分中,有一个关于使用以下命令 borg extract /path/to/repo::my-files 提取

borgbackup是某种压缩/解压缩工具。您可以使用以下命令安装该工具:

Code
1
apt install borgbackup
Code
1
borg extract /root/下载/home/field/dev/final_archive::music_archive

image-20231127215128499

发现多了一个目录

image-20231127215241649

image-20231127215304179

alex:S3cretP@s3

接下来尝试一下ssh

image-20231127215407994

提权

接下来就是提权了

image-20231127215439002

我们来看一下这个backup.sh

bash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
#!/bin/bash

sudo find / -name "*.mp3" | sudo tee /etc/mp3backups/backed_up_files.txt


input="/etc/mp3backups/backed_up_files.txt"
#while IFS= read -r line
#do
  #a="/etc/mp3backups/backed_up_files.txt"
#  b=$(basename $input)
  #echo
#  echo "$line"
#done < "$input"

while getopts c: flag
do
        case "${flag}" in 
                c) command=${OPTARG};;
        esac
done



backup_files="/home/alex/Music/song1.mp3 /home/alex/Music/song2.mp3 /home/alex/Music/song3.mp3 /home/alex/Music/song4.mp3 /home/alex/Music/song5.mp3 /home/alex/Music/song6.mp3 /home/alex/Music/song7.mp3 /home/alex/Music/song8.mp3 /home/alex/Music/song9.mp3 /home/alex/Music/song10.mp3 /home/alex/Music/song11.mp3 /home/alex/Music/song12.mp3"

# Where to backup to.
dest="/etc/mp3backups/"

# Create archive filename.
hostname=$(hostname -s)
archive_file="$hostname-scheduled.tgz"

# Print start status message.
echo "Backing up $backup_files to $dest/$archive_file"

echo

# Backup the files using tar.
tar czf $dest/$archive_file $backup_files

# Print end status message.
echo
echo "Backup finished"

cmd=$($command)
echo $cmd

image-20231127220110709

这个可以用-c这个参数来执行

image-20231127220249160

确实可以用root权限来

image-20231127220433927