Cyborg TryHackMe Writeup | By Xploit Ayush
A box involving encrypted archives, source code analysis and more.
Objective: The Objective of this machine is to own the user and root flag by exploiting the vulnerabilities and escalating our privileges from user to root.
You can access the lab here:
TASK 2.1: Scan the machine, how many ports are open?
nmap -sV -sC -A -T4 10.10.22.165
Answer: 2 (ports 22 and 80)
Task 2.2: What service is running on port 22?
Answer: ssh
Task 2.3: What service is running on port 80?
Answer: http
Task 2.4: What is the user.txt flag?
Opening the website by entering the URL in the browser.
On checking, we don't find anything interesting, and looking at the page source nothing fruitful was found either.
So what next? Let's brute-force directories using Gobuster.
The interesting paths are /etc and /admin. Let's check them out.
Hidden directories found:
/admin -> admin panel
/etc -> access to squid proxy files
Browsing to the /etc directory we can find the following hash:
We can crack this hash using John the Ripper. You can install John from its GitHub page. After installing John, run the following command to crack the hash:
john file.txt --wordlist=/usr/share/wordlists/rockyou.txt
Nice, we found a password! Going back to the admin section, we can download an archive file by clicking one of the links in the header. Download the archive.tar file by running:
Now, let's check what is inside the file we downloaded, i.e. archive.tar. For that, we extract the files using the tar command.
tar -xvf archive.tar
Here,
-x is used for extraction,
-v is for verbose mode,
-f is used to give the file name.
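Before extracting an archive that came from a server you do not control (as archive.tar did here), it is worth listing its members first and refusing to unpack anything with an absolute path or a `..` component, since those can land files outside the directory you extract into. The following helper is an added example, not part of the original writeup; it uses `tar -t` (list mode) on a constructed sample archive and the function names are my own.

```shell
#!/bin/sh
# Added example: inspect archive members before extracting.
# flag_unsafe_paths reads member names on stdin (one per line) and prints any
# that are absolute or contain a ".." component; it returns 1 if it found one.
flag_unsafe_paths() {
    status=0
    while IFS= read -r member; do
        case "$member" in
            /*|../*|*/../*|*/..|..)
                echo "UNSAFE $member"
                status=1
                ;;
        esac
    done
    return $status
}

# unsafe_tar_members lists a tar archive with -t (no extraction) and pipes the
# member names through flag_unsafe_paths. Returns 0 when every member is safe.
unsafe_tar_members() {
    tar -tf "$1" | flag_unsafe_paths
}

# Usage (constructed sample, mirrors the layout of the writeup's archive):
#   mkdir -p src/home/field/dev/final_archive && echo note > src/home/field/dev/final_archive/README
#   (cd src && tar -cf ../archive.tar home)
#   unsafe_tar_members archive.tar && tar -xvf archive.tar
```

Only extract (`tar -xvf`) when the check returns 0; GNU tar strips leading slashes by default, but the `..` case and other tar implementations are not so forgiving, so an explicit list-then-check step is cheap insurance.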
After checking all the files, I found nothing useful except the README file, so I opened it.
Reading the README file using the cat command, which prints the content of the file to the terminal:
cat home/field/dev/final_archive/README
It displayed the above message. To solve this, we need to download BorgBackup.
Now list the archives in the repository at the given path:
./borg-linux64 list home/field/dev/final_archive
BorgBackup: BorgBackup (abbreviated Borg) is deduplicating backup software. Compression and authenticated encryption are supported as options. Borg's main objective is to offer a reliable and secure way to back up data.
./borg-linux64 list home/field/dev/final_archive/::music_archive
After running the command, enter the password we got from John.
Here we got our music_archive repository.
Looking for the alex user: move to the alex directory and look for the password.
And we found it: a note with Alex's SSH credentials.
Let's log in over SSH with the username and password:
ssh alex@10.10.22.165
BOOM!!! We got the SHELL!
To get the root flag we need to check what permissions or privileges we have. This one is a little bit trickier. First type in the command:
sudo -l
Alex can run sudo on the backup script file. We can't write to the file ourselves, but let's examine the code:
chmod 777 /etc/mp3backups/backup.sh
Remember that we could run sudo /etc/mp3backups/backup.sh without a password.
So when we run /bin/bash -p we get a new shell as root.
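The root cause on this box is a sudo NOPASSWD rule pointing at a script that ends up world-writable, so whoever can edit the script effectively has root. The following audit helper is an added example, not part of the writeup: it parses sudoers-format text (a constructed sample modelled on the `sudo -l` output above, not the box's real file) and reports each NOPASSWD target that is writable by group or others. Function names are my own.

```shell
#!/bin/sh
# Added example: find NOPASSWD sudo targets that non-root users could modify.

# Constructed sample sudoers text, modelled on the writeup's sudo -l output.
SAMPLE_SUDOERS='alex ALL=(ALL) NOPASSWD: /etc/mp3backups/backup.sh
root ALL=(ALL:ALL) ALL'

# Print every command path granted with NOPASSWD in the sudoers text given as $1,
# one per line (comma-separated lists are split, surrounding whitespace trimmed).
nopasswd_targets() {
    printf '%s\n' "$1" \
        | sed -n 's/.*NOPASSWD:[[:space:]]*//p' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Return 0 if the path is writable by group or others, 1 otherwise, 2 if missing.
# Uses the ls -l mode string: column 6 is group write, column 9 is other write.
is_loosely_writable() {
    [ -e "$1" ] || return 2
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# Audit the sudoers text in $1: print WRITABLE / OK / MISSING per target.
# Returns 1 if any target is writable by non-owners, 0 otherwise.
audit_nopasswd() {
    targets=$(nopasswd_targets "$1")
    found=0
    while IFS= read -r target; do
        [ -n "$target" ] || continue
        if [ "$target" = "ALL" ]; then
            echo "WRITABLE ALL (any command, nothing to check)"
            found=1
            continue
        fi
        if is_loosely_writable "$target"; then
            echo "WRITABLE $target"
            found=1
        elif [ $? -eq 2 ]; then
            echo "MISSING $target"
        else
            echo "OK $target"
        fi
    done <<EOF
$targets
EOF
    return $found
}

# Usage on a real host (needs root to read the file):
#   audit_nopasswd "$(cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null)"
```

The fix for a finding is the usual one: the target should be owned by root with mode 755 or tighter, and the script itself must not loosen its own permissions (the `chmod 777` line in the backup script is exactly what this check would catch after the first run).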
Now move to the root directory and open the root.txt file, and here we get our root flag:
cd /root
ls
root.txt
Finally we got our ROOT flag!!!
Now we have all our answers, let's submit them, and we have successfully completed our CTF!!
Keep Trying, Keep Working :)
Thank you for Reading!!
Happy Hacking
Follow me more to get more tips and tricks! 🙏