A box involving encrypted archives, source code analysis and more. You can access the room through this link: https://tryhackme.com/room/cyborgt8
Hi everyone, this is Mrinal Prakash aka EMPHAY on TryHackMe, and today I am going to take you all through the walkthrough of the room on TryHackMe called “Cyborg”, which is a pretty basic, beginner-friendly room that falls into the category of easy rooms. So let's go ahead and dive in.
TASK 1: Deploy the machine
I will go ahead and deploy my machine
TASK 2: Compromise the System
Having deployed my machine, let me hop over to my terminal and perform an nmap scan on our target IP.
From the nmap scan results I got to know that we have a webserver running on port 80, and when I hopped over to that I found an Apache default webpage, so I decided to use gobuster to target the hidden directories.
After the enumeration ended, I saw 2 interesting results: /admin and /etc.
So this was the admin page and I also decided to check out etc directory.
There was a squid folder inside the etc directory, and further in I found passwd. The passwd file had an Apache-hashed credential.
I copied the credential to my local machine and tried cracking it with John the ripper. You can do that by using the following command.
john <stored hash> --wordlist=<Location of the wordlist file>
Having cracked the password I tried to login using ssh but I couldn’t because that was the wrong credential we were using.
But I remember I saw some usernames in the admin directory, I prepared a list for all those
and then decided to use hydra to brute force the ssh credentials but that went in vain.
One of the links in the webpage provided us a way to download an archive called archive.tar
I clicked on that and downloaded an archive.tar file
I extracted the contents of the file.
And got some extra files and directories to enumerate. The final_archive had some files in it.
I tried reading hints.5
and integrity.5 files
but it didn’t make much sense at all. I was like,
But there was also a config file that was present in there. I decided to cat that out.
I still did not understand anything, my mind to me:
but there was a README file which could have helped. I decided to take a look at it.
It said that “This is a Borg Backup repository” and also there was a link attached to it. I hopped over to that website.
I searched for the tool on GitHub and found that it existed and even had releases
Now I can extract the contents of the borg backups, but before that I have to list the archives. That required a passphrase, so I tried the password which I had got from john; it worked and showed music_archive.
Next, I extracted the archive.
A new folder was created in the home directory called alex. I used the find command to look for juicy stuff like private SSH keys or passwords
and I found a note.txt. I decided to cat that out.
and there I got the ssh credentials. I logged in using ssh.
I logged in and now my first priority was to find the user flag.
and I found that. Next I tried to check for the sudoers.
From there, I found that I can run a binary called backup.sh as the root user. If you research a bit, you will find that when you pass the script a -c argument (since c has been specified in the bash script), getopts takes the argument from the user and passes it to the bash script, where it is then executed, which is a way to get root on the box. What if we execute bash???
We are root on the box !!!
But whenever we run any command we don’t get any output; stdout wasn’t working.
The easiest way I found was to add a SUID bit on bash, then exit this shell and use the bash binary to get root on the box.
Finally we are root on the box. I moved into the root folder to get the root flag.
and thus I got the root flag.
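The sudo-permitted script step above comes down to one pattern, shown here as an added example that is not part of the original post and is not the room's backup.sh (its contents are not shown on this page): a script that executes whatever follows -c, beside a hardened form that treats -c as a selector for fixed actions. The function names, the action names and the marker string are assumptions made for illustration.

```sh
#!/bin/sh
# Constructed example: NOT the room's backup.sh; names and actions are assumed.

# Vulnerable pattern: the value given to -c is executed verbatim. If sudoers
# lets a user run this as root, the user decides what root executes.
vulnerable_backup() {
    OPTIND=1
    command=""
    while getopts c: flag; do
        case "$flag" in
            c) command="$OPTARG" ;;
        esac
    done
    sh -c "$command"    # caller-controlled string reaches a shell
}

# Hardened pattern: -c only selects one of a fixed set of actions and is
# never passed to a shell; unknown values and unknown options are refused.
hardened_backup() {
    OPTIND=1
    action=""
    while getopts c: flag; do
        case "$flag" in
            c) action="$OPTARG" ;;
            *) return 2 ;;
        esac
    done
    case "$action" in
        list)   echo "action:list" ;;
        verify) echo "action:verify" ;;
        *)      echo "rejected: unsupported -c value" >&2; return 1 ;;
    esac
}

# Demo with a harmless constructed marker instead of a real command.
vulnerable_backup -c 'echo injected'                       # runs the string
hardened_backup -c list                                    # allowed action
hardened_backup -c 'echo injected' || echo "refused, exit status $?"
```

When reviewing sudoers entries, any script reachable through sudo that forwards an option value to a shell, eval or command substitution deserves the same scrutiny as a direct root shell grant.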
1. Scan the machine, how many ports are open?
2. What service is running on port 22?
3. What service is running on port 80?
4. What is the user.txt flag?
5. What is the root.txt flag?
This completes our room and that was it from me. Hope you enjoyed reading my work. Till then goodbye from my side and Happy Hacking.