Cyborg – TryHackMe Walkthrough


In this walkthrough, we’ll dive deep into the TryHackMe Cyborg challenge. We’ll go step by step, executing every command needed to get root access. Let’s jump right into it.

Machine Details:

  • OS: Linux
  • Difficulty: Easy
  • Skills Required: Web Enumeration, SSH, Privilege Escalation

Step 1: Scanning the Target

We will use nmap to scan our target.

nmap -p- -sV <targetIP>

The scan reveals the following ports:

  • Port 22: SSH
  • Port 80: HTTP

When you visit the website hosted on port 80, you’ll see a default Apache page. Time to start web enumeration.

Step 2: Enumerating the Web

For web enumeration, I’ll use Gobuster to discover hidden directories.

gobuster dir -u http://<target-ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.log,.txt -t 50

Results:
/admin
/etc

  • On the admin page, open the “Admin” nav item (http://targetIP/admin/admin.html), where you will find a chat:
Ok sorry guys i think i messed something up, uhh i was playing around with the squid proxy i mentioned earlier.
I decided to give up like i always do ahahaha sorry about that.
I heard these proxy things are supposed to make your website secure but i barely know how to use it so im probably making it more insecure in the process.
Might pass it over to the IT guys but in the meantime all the config files are laying about.
And since i dont know how it works im not sure how to delete them hope they don't contain any confidential information lol.
other than that im pretty sure my backup "music_archive" is safe just to confirm.

Remember this; it will come in handy later.

  • Under the “Archive” tab, there’s a Download link to an archive.rar file.
  • On the /etc page, you will find a hash. Keep a note of it; it will help us later.
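
From the defender's side, the exposure this step relies on (credential files left under a directory the web server serves) can be caught by auditing the document root for htpasswd-style lines. This is an added example, not part of the original walkthrough; the sample tree, file names, users and hash values are constructed, and the scheme table goes beyond this box to cover other common htpasswd-format prefixes.

```python
import os
import re
import tempfile

# htpasswd-style credential line: "user:hash"
CRED_LINE = re.compile(r"^([A-Za-z0-9_.@-]{1,64}):(\S{13,})$")

# Hash prefixes seen in htpasswd-format files, with a storage verdict.
SCHEMES = {"$apr1$": ("Apache APR1 MD5", "weak"), "{SHA}": ("unsalted SHA-1", "weak"),
           "$1$": ("md5crypt", "weak"), "$2y$": ("bcrypt", "ok"),
           "$5$": ("sha256crypt", "ok"), "$6$": ("sha512crypt", "ok")}

def classify(hash_field):
    """Return (scheme, verdict) for a recognised prefix, else None."""
    return next((v for p, v in SCHEMES.items() if hash_field.startswith(p)), None)

def audit_docroot(docroot):
    """Walk a web document root and report credential lines it would serve."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    lines = fh.read().splitlines()
            except OSError:
                continue  # unreadable file: nothing to report
            for lineno, line in enumerate(lines, 1):
                m = CRED_LINE.match(line.strip())
                hit = classify(m.group(2)) if m else None
                if hit:  # only recognised hash schemes are flagged
                    rel = os.path.relpath(path, docroot).replace(os.sep, "/")
                    findings.append((rel, lineno, m.group(1)) + hit)
    return sorted(findings)

def build_sample_docroot():
    """Constructed sample tree; paths, users and hashes are made up."""
    root = tempfile.mkdtemp(prefix="docroot_")
    samples = {
        "admin/index.html": "<h1>Admin</h1>\nurl:http://example.invalid/page\n",
        "etc/proxy/passwd": "demo_user:$apr1$CONSTRCT$0123456789abcdefghijkl\n"
                            "svc_user:$2y$05$" + "A" * 53 + "\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Any finding means the file should be moved out of the served tree; a "weak" verdict additionally means the password should be rotated and stored with a slower scheme.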

Step 3: Unarchiving the Archive

Next, we’ll extract the contents of the archive.rar file.

tar -xvf archive.rar

This reveals a directory structure with several files:

home/field/dev/final_archive:

README config hash.txt hints.5 index.5 integrity.5 nonce
  • The README and config files mention Borg, a backup tool known for its efficiency and security.
  • Borg is a deduplication backup tool that is popular for its efficiency, security, and ease of use. It is designed to be a reliable and secure solution for backing up data, particularly for users who need to manage large amounts of data or perform regular backups.
  • Knowing this, I looked at its documentation and found ways to extract the data from the archive. I used the command below for the first extraction attempt:
    • borg extract `pwd`::files


      Note: Use backticks around pwd, or provide the absolute path. Relative paths don’t work well with Borg.
      As you can see, we could not extract it because it requires a passphrase.


  • I suspected the passphrase “music_archive”. I asked ChatGPT about the hash, and it’s an Apache-based hash. I used hashcat to crack it with this command:

    hashcat -m 1600 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

    Result: _squidward_

    Using this on the borg archive worked, but it failed again with the error “Archive files do not exist”.

  • I looked it up online: the reason is that “files” is not the name of the archived backup; it’s “music_archive”. So I changed the command to the following:

    borg extract /home/atomic_j/Downloads/home/field/dev/final_archive/::music_archive

Unpacking this produced a Download directory under /home/alex, where we found the SSH password to log in to the server as alex.

Step 4: Privilege Escalation

After logging in as alex, I checked sudo privileges:

sudo -l

Result: We can execute backup.sh as root. A quick look at Alex’s .bash_history reveals how to exploit this script to gain root access.

To get the flag, I used this command: