Cyborg
This engagement involved discovering exposed credentials through web enumeration and leveraging a misconfigured backup script with sudo privileges to achieve root access.
Reconnaissance
Port scanning revealed the following services:
- SSH (OpenSSH 7.2p2)
- HTTP (Apache 2.4.18)
The web server initially appeared default, prompting directory enumeration for hidden content.
Initial Findings
Hidden directories exposed a hashed credential. Once cracked, it gave access to backup data containing plaintext credentials.
- music_archive : squidward
- alex : S3cretP@s3
Key Finding: Insecure Backup Data
Credentials were stored insecurely within backup archives, allowing attackers to gain valid system access.
Exploitation
After gaining SSH access as alex, sudo permissions revealed a backup script that could be executed as root.
The script accepted user-controlled input, enabling arbitrary command execution:
sudo /etc/mp3backups/backup.sh -c "/bin/bash"
This resulted in a root shell. Alternatively, modifying the script directly also allowed privilege escalation.
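A defender can check for both conditions described above (a sudo-permitted script that runs an option value as a command, and a script the invoking user can modify) before an attacker does. The following is an added example, not code from the target machine or the original write-up; the function names, finding tags, regex and the sample script are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not the target's backup.sh): audit a script that sudoers
# lets a user run as root. The regex and finding tags are assumptions.

audit_sudo_script() {
    script=$1; findings=0
    [ -f "$script" ] || { echo "MISSING $script"; return 2; }

    # 1. Whoever can edit the script, or swap it via its directory,
    #    decides what root runs.
    for p in "$script" "$(dirname "$script")"; do
        if [ -n "$(find "$p" -prune ! -user 0)" ]; then
            echo "NOT_ROOT_OWNED $p"; findings=$((findings + 1))
        fi
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "GROUP_OR_WORLD_WRITABLE $p"; findings=$((findings + 1))
        fi
    done

    # 2. Heuristic: a variable executed as a command (eval, $($var), sh -c "$var").
    pattern='(^|[^[:alnum:]_])eval[[:space:]]|\$\(\$[{[:alpha:]_]|(ba)?sh[[:space:]]+-c[[:space:]]+"?\$'
    if hits=$(grep -nE "$pattern" "$script"); then
        printf '%s\n' "$hits" | sed 's/^/EXEC_OF_VARIABLE line /'
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]   # exit status 0 only when nothing was flagged
}

# Constructed sample of the flaw class described above: the -c value is run as-is.
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/bash
while getopts c: flag; do
  case "$flag" in c) command=$OPTARG ;; esac
done
cmd=$($command)
echo "$cmd"
EOF
}

# Stand-alone use: sh audit.sh /path/to/script
if [ $# -gt 0 ]; then audit_sudo_script "$1"; fi
```

Run it against every path listed by `sudo -l` for non-admin users; any finding means the sudoers entry grants more than the single task it was written for.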
Impact
This vulnerability chain resulted in full system compromise. An attacker could leverage exposed credentials and misconfigured sudo permissions to execute arbitrary commands as root.
In a real-world environment, this would allow complete control over the system, including data access, persistence, and potential lateral movement across infrastructure.
- Backup systems often expose sensitive information
- Plaintext credentials should never be stored in backups
- Sudo scripts must not accept user-controlled input
- Misconfigured privileges can lead to full compromise
- Understanding scripts is key to finding escalation paths