Cyborg TryHackMe Walkthrough

As always we’ll start with a nmap scan of the box. Looking at the result obtain we see that the box has two open ports SSH and HTTP.

SSH generally has fewer vulnerability and requires valid credentials to access it. We have just started enumerating the box and we don’t even have a valid username so for the time being we’ll keep SSH in our back pockets and start by enumerating HTTP.

Opening the website using Mozilla we get a standard Apache default webpage

Before doing any manual enumeration i first decided to run gobuster in the background. Gobuster is a tool used to brute-force URIs including directories and files as well as DNS subdomains

While gobuster was running in the background i decided to check the source code and see if anything stands out but i never got anything interesting

Next i decided to check if robots.txt existed because if it exists we might get some extra paths to enumerate

But looking at the screenshot below i wasn’t so lucky

I decided to go back and check on gobuster and see if it had found any interesting directories and found that it had found two directories /admin and /etc which are not standard

I started by enumerating /etc directory. Looking at the screenshot below it has another directory called squid and inside it it has some credentials and a squid configuration file

The passwd file had Apache hashed credential

I copied the credential to my local box and tried cracking it with John the ripper. John the Ripper is a tool designed to help systems administrators to
find weak (easy to guess or crack through brute force) passwords, and
even automatically mail users warning them about it, if it is desired.

I save the hash in a test file called hash.txt and started cracking using the rockyou wordlist

And after a few seconds we get a password. Sweet!

The passwd file in /etc had a username music_archive and now we have a password. So i tried logging into the box using those credentials. But wasn’t lucky

I continued enumerating the box. Going back to gobuster result we had an admin directory in the website. Next i started to enumerate it. Opening the directory from Mozilla we get a webpage that looks like an admin panel

Most of the links were dead since they had the pound sign (#). But admin led me to something like a chat wall where users were seen to be chatting

And also looking at the screenshot above we get a bunch of usernames that we didn’t have before. So i saved all those username in text file and again tried a hydra SSH brute force using the password we had found from cracking the Apache hash

But still we didn’t have any valid credentials till now but theAdmin Shoutbox page talked something about an archive

And one of the links in the webpage provided us a way to download an archive called archive.tar

I downloaded the archive to my box and tried to extract it’s contents using the command

tar -xvf archive.tar

And we get some extra file and directories to enumerate. The final_archive had some files in it

I tried reading hints.5 and integrity.5 files but it didn’t make much sense at that moment

But there’s a config file. Looking at it i didn’t still get a clear glimpse of what i was supposed to do.

But there was README file. That was my best bet of figuring out what this folder was . I decided to take a look at it

Looking at the screenshot above we now understand that its a borg backup archive. Now i had something to go on. I decided to go online and searched on how to extract borg backup archive and found a manpage of a tool called borg

I searched for the tool on GitHub and found that it existed and even had releases

I downloaded the linux64 bit binary to my box

Now we can extract the contents of the borg backups. But first we have to list the archives using the command

./borg list home/field/dev/final_archive/

I could list the archives present in a borg backup archive. But looking at the screenshot below it required a passphrase

But during our initial recon we had cracked a hash and we had a password. I tried using that password here and it worked!!!

I could list the archive found in the backup

The borg backup had one archive called music_archive

Next i tried extracting the archive using the command

./borg extract home/field/dev/final_archive/::music_archive

Then provided the valid passphrase

And it succeeded i was able to extract a folder called alex

Navigating to the directory it looked like a standard Linux home directory file

I tried to look for juicy file like private SSH keys or password using the find command and found two files that stood out

secret.txt and note.txt

I started by looking at secret.txt file and found it had nothing interesting

But note.txt file had another set of credentials

Sweet!!. Next i tried those credentials for SSH and looking at the screenshot below it worked

We now have a shell on the box. Looking at Alex’s home directory we have the user flag and we can read. Now we can submit the user flag and earn the points

Running sudo -l we find that we could run a binary called backup.sh as the root user

I downloaded the binary to my local box and decided to analyze the source code it was a bash script

First the binary doesn’t use full paths meaning if it was a SUID binary it could have been vulnerable to a PATH manipulation attack but since it uses sudo, we can’t exploit it since sudo uses secure paths

Then i though i could maybe i could exploit how tar compresses to file in Music’s directory but that turned out to be a dead end since the file which are to be compressed have already been predetermine as you can see in the backup_files variable

But the bash script uses getopts which is built-in function to parse arguments and options to a bash script. I didn’t know that function but a little google fu did the job

I’ll leave a link to the article at the end of the writeup

Meaning by passing the bash script -c (since c has been specified in the bash script) argument getopts will takes the argument from the user then parses it to the bash script which is then executed. Sweet Now we have a way to get root on the box. What if we execute bash???

We are root on the box !!!

But whenever we run any command we don’t get any output stdout wasn’t working . The easiest was i found was to add a SUID bit on bash then exiting this shell and using bash binary to get root on the box

Finally we are root on the box. Navigating to root’s home directory we get the root flag

We can now submit the root flag and get the points. That’s it for this walkthrough till next time it’s goodbye from me. If you like the walkthorugh you can clap for me down below and don’t forget to follow me so that you don't miss any upcoming articles

Getopts usage

backing-up-with-borg

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store