- Directory brute forcing exposes a file directory containing a password hash, and an admin page with an archived backup available for download.
- The password hash can be cracked and used to decrypt the archived backup.
- The backup contains user credentials that can be used to obtain a low-privileged SSH connection to the target.
- A misconfiguration in the sudoers file allows our low-privileged user to run a bash script as root without a password.
- That script is effectively writable by the low-privileged user and can be replaced with a malicious script to get an interactive high-privileged shell.
SSH and HTTP are open on ports 22 and 80, respectively.
dirsearch.py was run with its default dicc.txt wordlist and found the /etc/ and /admin/ paths.
The /etc/ directory contains a couple of files; the most important is passwd, which holds a username and a password hash.
The /admin/ page has a download link for archive.tar.
Extracting the archive and examining it shows all the backed-up files, but they are all encrypted.
The README identifies this as a Borg backup.
To decrypt it, we can crack the password hash found at /etc/squid/passwd.
It is an Apache MD5 hash, so I used Hashcat mode 1600 and rockyou.txt.
The cracked password is the Borg repository passphrase, which lets us mount and decrypt the backup.
```bash
# install borg
sudo apt install borgbackup
# mount the borg backup; borg prompts for the repository passphrase (the cracked password)
sudo borg mount <backup path> <mount path>
```
This is a backup of the /home/alex directory on a machine named “music_archive”.
/Desktop/secret.txt contains a
/Documents/note.txt contains Alex’s credentials.
Using the credentials found in note.txt inside the Borg backup, we can SSH into the target as Alex.
user.txt is in Alex’s home directory.
A sudoers misconfiguration allows Alex to run the /etc/mp3backups/backup.sh script as root without a password.
/etc/mp3backups/backup.sh is not writable, but it is owned by Alex, so we can change its permissions ourselves.
Replace the contents of backup.sh with bash commands that copy bash to /tmp and set the SUID bit on the copy; run via sudo, the copy is created as root.
Then run /tmp/bash with the -p flag to preserve the SUID privileges and get a shell as root.
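As an added defender-side check for the sudoers weakness above (example code, not part of the original write-up): a POSIX shell audit that parses a sudoers-style file, finds every NOPASSWD rule, and flags a target command that is not owned by root, is group- or world-writable, or does not exist. It assumes GNU stat; the users, rules and script in the demo are constructed.

```shell
# audit_nopasswd_targets SUDOERS_FILE
# Prints one line per NOPASSWD rule: "<user> <command> OK" or
# "<user> <command> FLAG <reason,...>". Uses GNU stat (-c).
audit_nopasswd_targets() {
  sudoers="$1"
  # Drop comment lines, keep only rules that carry a NOPASSWD tag.
  grep -v '^[[:space:]]*#' "$sudoers" | grep 'NOPASSWD' | while read -r rule; do
    user=$(printf '%s\n' "$rule" | awk '{print $1}')
    # The command is the first token after "NOPASSWD:"; its arguments are ignored.
    cmd=$(printf '%s\n' "$rule" | sed 's/.*NOPASSWD:[[:space:]]*//' | awk '{print $1}')
    if [ "$cmd" = "ALL" ]; then
      echo "$user $cmd FLAG any-command-as-root"
      continue
    fi
    if [ ! -e "$cmd" ]; then
      # A dangling path is as bad as a writable one if the user can create it.
      echo "$user $cmd FLAG missing-target"
      continue
    fi
    owner=$(stat -c '%U' "$cmd")
    mode=$(stat -c '%a' "$cmd")
    reason=""
    # A non-root owner can chmod the file and then edit it (the write-up's case).
    [ "$owner" = "root" ] || reason="owner-is-$owner"
    # Last two octal digits are group/other; 2, 3, 6 or 7 there means writable.
    case "$mode" in
      *[2367]|*[2367][0-7]) reason="${reason:+$reason,}group-or-world-writable" ;;
    esac
    if [ -n "$reason" ]; then
      echo "$user $cmd FLAG $reason"
    else
      echo "$user $cmd OK"
    fi
  done
}

# Demo on a constructed sudoers file and a deliberately world-writable script.
demo_audit() {
  dir=$(mktemp -d)
  printf '#!/bin/sh\necho backup\n' > "$dir/backup.sh"
  chmod 777 "$dir/backup.sh"
  printf '# constructed sample\nalex ALL=(root) NOPASSWD: %s/backup.sh\nbob ALL=(ALL) NOPASSWD: ALL\n' "$dir" > "$dir/sudoers"
  audit_nopasswd_targets "$dir/sudoers"
  rm -rf "$dir"
}

demo_audit
```

Running it against the real /etc/sudoers and /etc/sudoers.d/* on a host would have flagged the backup.sh rule on this box because its owner was alex, not root.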