Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-28 16:55 PKT
Nmap scan report for 10.10.203.159
Host is up (0.42s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| 2048 db:b2:70:f3:07:ac:32:00:3f:81:b8:d0:3a:89:f3:65 (RSA)
| 256 68:e6:85:2f:69:65:5b:e7:c6:31:2c:8e:41:67:d7:ba (ECDSA)
|_ 256 56:2c:79:92:ca:23:c3:91:49:35:fa:dd:69:7c:ca:ab (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.22 seconds
Scan the machine, how many ports are open?
What service is running on port 22?
What service is running on port 80?
PORT 80 (HTTP)
We can download this tar archive by clicking the archive tab. Visiting the admin tab, we can also see a conversation that mentions a squid proxy, which we have already discovered.
Extracting the tar contents
This is all compressed and encrypted using Borg. To recover these encrypted files we need to have borg on our machine, so let's download the binary from GitHub.
It’s asking for a passphrase, so let’s try to crack the hash we saw earlier with
We got the music_archive, which was mentioned in the conversation, so now let's mount it on a folder using the passphrase
It wasn’t really a secret!
And this might be the creds for SSH
In this script, getopts is interesting and will lead us to privilege escalation.
In the while loop, c: is the argument for getopts. There is also a switch case for c, which is the command, so if we specify a bash command after -c when running the script, it will get executed as root.
We can get root if we specify bash after -c, but we will run into a problem: we cannot see the output of the commands we are typing. To get a proper root shell, we can set the SUID bit on /bin/bash and spawn a root shell with it.
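The root cause here is that the value passed to -c is executed with the script's privileges. As an added example (not the script from the machine), this is how such a root-run script can keep a -c option while treating its value as a name looked up in a fixed allowlist; the function name, action names and BACKUP_DIR path are hypothetical.

```bash
#!/bin/bash
# Added example: hardened option handling for a script that is run via sudo.
# Pattern described in the write-up, reconstructed here only for contrast:
#   while getopts c: flag; do case "$flag" in c) command=$OPTARG;; esac; done
#   $command     # whatever follows -c runs with the script's privileges

# Fixed inside the script, never taken from the caller (hypothetical path).
BACKUP_DIR="/var/backups/music"

run_action() {
    OPTIND=1            # reset so the function can be called more than once
    action=""
    # Leading ':' = silent mode; unknown flags and missing values reach '*'.
    while getopts ":c:" flag; do
        case "$flag" in
            c) action=$OPTARG ;;
            *) echo "usage: -c <status|list>" >&2; return 2 ;;
        esac
    done
    shift $((OPTIND - 1))
    # Refuse stray positional arguments instead of silently ignoring them.
    if [ "$#" -ne 0 ]; then
        echo "unexpected arguments: $*" >&2
        return 2
    fi
    # The value of -c selects a fixed command; it is never executed itself.
    case "$action" in
        status) echo "backup: ok" ;;
        list)   ls -1 -- "$BACKUP_DIR" ;;
        "")     echo "no action requested" ;;
        *)      echo "rejected action: $action" >&2; return 1 ;;
    esac
}

# In the real script the last line would be:  run_action "$@"
```

With this shape, a sudoers entry for the script grants only the listed actions, and any other value after -c is rejected.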