Hello guys, back again with another walkthrough. This time I'll be tackling TryHackMe's Cyborg room. The room was released about 2 hours ago and I actually loved it, since the way you get both user and root on the box was new to me. You start off by finding a website; after directory brute forcing you get a hashed credential and an encrypted borg backup archive. Using the credential you cracked, extract the archive and get another user's credentials. Use those credentials to log in via SSH and user is done!! Then you find that the user can run a misconfigured bash script as the root user. Exploit the misconfiguration to get root on the box. It's a really nice and fun box, thanks to the creator of the box, fieldraccoon. Without much more to say, let's jump in.
As always we'll start with an nmap scan of the box. Looking at the result obtained we see that the box has two open ports: SSH and HTTP.
SSH generally has fewer vulnerabilities and requires valid credentials to access it. We have just started enumerating the box and we don't even have a valid username, so for the time being we'll keep SSH in our back pocket and start by enumerating HTTP.
Opening the website using Mozilla we get the standard Apache default webpage.
Before doing any manual enumeration I first decided to run gobuster in the background. Gobuster is a tool used to brute-force URIs (directories and files) as well as DNS subdomains.
While gobuster was running in the background I decided to check the source code and see if anything stood out, but I didn't find anything interesting.
Next I decided to check if robots.txt existed, because if it exists we might get some extra paths to enumerate.
But looking at the screenshot below, I wasn't so lucky.
I decided to go back and check on gobuster to see if it had found any interesting directories, and found that it had turned up two directories, /admin and /etc, which are not standard.
I started by enumerating the /etc directory. Looking at the screenshot below, it has another directory called squid, and inside it there are some credentials and a squid configuration file.
The passwd file had an Apache-style (htpasswd) hashed credential.
I copied the credential to my local box and tried cracking it with John the Ripper. John the Ripper is a tool designed to help systems administrators find weak (easy to guess or crack through brute force) passwords, and even automatically mail users warning them about it, if desired.
I saved the hash in a text file called hash.txt and started cracking using the rockyou wordlist.
And after a few seconds we get a password. Sweet!
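The hash fell in seconds for two reasons that matter to a defender: the file was reachable through the web root, and the scheme is apr1, Apache's MD5-based hash, which is cheap to compute. As an added example that is not from the original walkthrough, the POSIX sh functions below read an htpasswd-style passwd file and flag every entry whose scheme is not bcrypt. The sample entries, their hash values and the function names are constructed placeholders, not the room's real hash.

```shell
#!/bin/sh
# Added example (not from the walkthrough): classify the hash scheme used by
# each entry of an Apache/squid-style passwd (htpasswd) file and flag the
# schemes that crack quickly. Only bcrypt is deliberately slow; everything
# else htpasswd can emit (apr1, {SHA}, md5crypt, DES crypt, plain) is weak.

# Print "<user> <scheme> <verdict>" for one "user:hash" line.
htpasswd_line_kind() {
    line=$1
    user=${line%%:*}          # text before the first colon
    hash=${line#*:}           # everything after it
    case $hash in
        '$2y$'*|'$2a$'*|'$2b$'*) scheme=bcrypt;         verdict=ok ;;
        '$apr1$'*)               scheme=apr1-md5;       verdict=weak ;;
        '{SHA}'*)                scheme=sha1;           verdict=weak ;;
        '$1$'*)                  scheme=md5crypt;       verdict=weak ;;
        *)                       scheme=crypt-or-plain; verdict=weak ;;
    esac
    printf '%s %s %s\n' "$user" "$scheme" "$verdict"
}

# Read a passwd file on stdin, print one verdict per entry, and return
# non-zero if any entry uses a weak scheme (so it can gate a deploy check).
htpasswd_audit() {
    weak=0
    while IFS= read -r entry; do
        case $entry in ''|'#'*) continue ;; esac     # skip blanks and comments
        result=$(htpasswd_line_kind "$entry")
        printf '%s\n' "$result"
        case $result in *' weak') weak=$((weak + 1)) ;; esac
    done
    [ "$weak" -eq 0 ]
}

# Constructed sample file: the hash values are placeholders, not real digests.
SAMPLE_PASSWD='music_archive:$apr1$saltsalt$placeholderhashvalue
alice:$2y$10$placeholderbcryptvalueplaceholderbcryptvalue
bob:{SHA}placeholderbase64='

printf '%s\n' "$SAMPLE_PASSWD" | htpasswd_audit || echo "weak hash schemes present"
```

The classification is by prefix only: a strong password stored under apr1 is still reported as weak, because the algorithm, not the password, is what makes the entry fast to crack with a wordlist. On this box the bigger fix is that the file should never have been served by the web server at all; the scheme check is the second line of defence for when it is.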
The passwd file in /etc had the username music_archive, and now we have a password. So I tried logging into the box using those credentials, but wasn't lucky.
I continued enumerating the box. Going back to the gobuster results, we had an admin directory on the website, so next I started to enumerate it. Opening the directory in Mozilla we get a webpage that looks like an admin panel.
Most of the links were dead since they only pointed at the pound sign (#). But Admin led me to something like a chat wall where users were seen chatting.
Also, looking at the screenshot above, we get a bunch of usernames that we didn't have before. So I saved all those usernames in a text file and again tried a hydra SSH brute force using the password we had found from cracking the Apache hash.
But we still didn't have any valid credentials. However, the Admin Shoutbox page said something about an archive.
And one of the links on the webpage let us download an archive called archive.tar.
I downloaded the archive to my box and tried to extract its contents using the command
tar -xvf archive.tar
And we get some extra files and directories to enumerate. The final_archive directory had some files in it.
I tried reading the hints.5 and integrity.5 files, but they didn't make much sense at that moment.
There's also a config file. Looking at it, I still didn't get a clear picture of what I was supposed to do.
But there was a README file. That was my best bet for figuring out what this folder was, so I decided to take a look at it.
Looking at the screenshot above, we now understand that it's a borg backup archive. Now I had something to go on. I went online and searched for how to extract a borg backup archive and found the manpage of a tool called borg.
I searched for the tool on GitHub and found that it existed and even had releases.
I downloaded the Linux 64-bit binary to my box.
Now we can extract the contents of the borg backup. But first we have to list the archives using the command
./borg list home/field/dev/final_archive/
This lists the archives present in a borg backup. But looking at the screenshot below, it required a passphrase.
But during our initial recon we had cracked a hash and had a password. I tried using that password here and it worked!!!
I could now list the archives found in the backup.
The borg backup had one archive called music_archive.
Next I tried extracting the archive using the command
./borg extract home/field/dev/final_archive/::music_archive
Then I provided the valid passphrase.
And it succeeded: I was able to extract a folder called alex.
Navigating into the directory, it looked like a standard Linux home directory.
I tried to look for juicy files like private SSH keys or passwords using the find command and found two files that stood out: secret.txt and note.txt.
I started by looking at the secret.txt file and found it had nothing interesting.
But the note.txt file had another set of credentials.
Sweet!! Next I tried those credentials for SSH and, looking at the screenshot below, it worked.
We now have a shell on the box. Looking at Alex's home directory we have the user flag, and we can read it. Now we can submit the user flag and earn the points.
Running sudo -l we find that we can run a file called backup.sh as the root user.
I downloaded the file to my local box and decided to analyze the source code; it was a bash script.
First, the script doesn't use full paths, meaning that if it were a SUID binary it could have been vulnerable to a PATH manipulation attack. But since it runs via sudo, we can't exploit that, because sudo resets PATH to its secure_path.
Then I thought maybe I could exploit how tar compresses the files in the Music directory, but that turned out to be a dead end, since the files to be compressed have already been predetermined, as you can see in the backup_files variable.
But the bash script uses getopts, which is a built-in function for parsing arguments and options to a bash script. I didn't know that function, but a little Google-fu did the job.
I'll leave a link to the article at the end of the writeup.
Meaning that by passing the bash script the -c argument (since c has been specified in the script's getopts string), getopts takes the argument from the user and hands it to the script, which then executes it. Sweet! Now we have a way to get root on the box. What if we execute bash???
We are root on the box!!!
But whenever we run any command we don't get any output; stdout wasn't working. The easiest way I found was to set the SUID bit on bash, then exit this shell and use the bash binary to get root on the box.
Finally we are root on the box. Navigating to root's home directory we get the root flag.
We can now submit the root flag and get the points. That's it for this walkthrough; till next time, it's goodbye from me. If you liked the walkthrough you can clap for me down below, and don't forget to follow me so that you don't miss any upcoming articles.
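The root cause on this box is a script that receives an option value through getopts and then hands that value to an interpreter, combined with a sudoers rule that lets an unprivileged user run the script as root. As an added example that is not the room's backup.sh, the POSIX sh below shows the safe shape of a getopts parser (the value is stored, checked against a fixed allowlist and never evaluated, and paths are absolute so PATH does not matter), together with a small awk-based audit that flags scripts passing an option argument to eval or to sh -c / bash -c. The allowlist, the sample script and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not the room's backup.sh). Two pieces:
#   parse_backup_opts  - a getopts parser that only stores and validates
#                        option values, never executes them
#   audit_optarg_exec  - a heuristic that finds scripts handing an option
#                        argument (directly, or via one variable) to an
#                        interpreter, for review before granting them via sudo

ALLOWED_DESTS='/var/backups /srv/backups'   # constructed allowlist of destinations
TAR=/bin/tar                                 # absolute path: PATH is irrelevant

# Parse "$@"; print the chosen destination on stdout, or return 2 on any
# option we do not know, any missing value, or a destination not allowlisted.
parse_backup_opts() {
    dest=/var/backups
    OPTIND=1                         # reset so the function can be called repeatedly
    while getopts ':d:' opt "$@"; do # leading ':' = silent mode, we report errors
        case $opt in
            d) dest=$OPTARG ;;        # stored, never evaluated
            *) return 2 ;;            # unknown option ('?') or missing value (':')
        esac
    done
    shift $((OPTIND - 1))
    [ $# -eq 0 ] || return 2         # stray positional arguments are refused
    for allowed in $ALLOWED_DESTS; do
        if [ "$dest" = "$allowed" ]; then
            printf '%s\n' "$dest"
            return 0
        fi
    done
    return 2
}

# Read a shell script on stdin; print each line that feeds eval / sh -c /
# bash -c with $OPTARG or with a variable assigned from $OPTARG earlier in
# the file. Returns 1 when anything was flagged, 0 when the script looks clean.
audit_optarg_exec() {
    awk '
        # remember names assigned from OPTARG: name=$OPTARG or name=${OPTARG}
        match($0, /[A-Za-z_][A-Za-z0-9_]*=\$[{]?OPTARG[}]?/) {
            name = substr($0, RSTART, RLENGTH); sub(/=.*/, "", name)
            tainted[name] = 1
        }
        /eval|sh -c|bash -c/ {
            hit = index($0, "OPTARG")
            for (v in tainted)
                if (index($0, "$" v) || index($0, "${" v)) hit = 1
            if (hit) { print NR ": " $0; found = 1 }
        }
        END { exit found ? 1 : 0 }'
}

# Constructed sample with the dangerous shape described in the walkthrough:
# the -c value is stored in a variable and later executed.
SAMPLE_SCRIPT='#!/bin/bash
while getopts c: flag; do
    case "$flag" in
        c) cmd=$OPTARG ;;
    esac
done
bash -c "$cmd"'

# Demonstration run.
parse_backup_opts -d /srv/backups || echo "rejected"
printf '%s\n' "$SAMPLE_SCRIPT" | audit_optarg_exec \
    || echo "script hands an option argument to an interpreter: review before granting via sudo"
```

Run the audit over every command listed by sudo -l (and anything those scripts source) before trusting the rule; the heuristic follows one level of variable assignment from OPTARG, so a value that travels through a second variable, a here-document or a sourced file still needs a manual read. With the hardened parser in place the same sudoers line would remain, but -c would be rejected and -d could only select one of the listed directories.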