In this walkthrough, we’ll dive deep into the TryHackMe Cyborg challenge. We’ll go step by step, executing every command needed to get root access. Let’s jump right into it.
Machine Details:
- OS: Linux
- Difficulty: Easy
- Skills Required: Web Enumeration, SSH, Privilege Escalation
Step 1: Scanning the Target
We will use nmap to scan our target.
nmap -p- -sV <targetIP>
The scan reveals the following ports:
- Port 22: SSH
- Port 80: HTTP
When you visit the website hosted on port 80, you’ll see a default Apache page. Time to start web enumeration.
Step 2: Enumerating the Web
For web enumeration, I’ll use Gobuster to discover hidden directories.
gobuster dir -u http://<target-ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.log,.txt -t 50
Results:
/admin
/etc
- On the /admin page, open the “Admin” item in the nav bar (http://targetIP/admin/admin.html); there you will find a chat:
Ok sorry guys i think i messed something up, uhh i was playing around with the squid proxy i mentioned earlier.
I decided to give up like i always do ahahaha sorry about that.
I heard these proxy things are supposed to make your website secure but i barely know how to use it so im probably making it more insecure in the process.
Might pass it over to the IT guys but in the meantime all the config files are laying about.
And since i dont know how it works im not sure how to delete them hope they don't contain any confidential information lol.
other than that im pretty sure my backup "music_archive" is safe just to confirm.
Remember this; it will come in handy later. Two things in that chat matter: the squid proxy config files that were left lying around, and a backup called "music_archive".
- Under the “Archive” tab, there’s a Download link to an archive.rar file.
- On the /etc page you will find the proxy config files the chat mentioned. One of them contains a password hash; keep a note of it, it will help us later.
Step 3: Extracting the Archive
Next, we’ll extract the contents of the archive.rar file. Despite the .rar extension, the download is a plain tar archive (running file against it first confirms what you are dealing with), so tar unpacks it:
tar -xvf archive.rar
This reveals a directory structure with several files:
home/field/dev/final_archive:
README config hash.txt hints.5 index.5 integrity.5 nonce
- The README and config files mention Borg, a deduplicating backup tool that is popular for its efficiency, security, and ease of use, and is commonly used to manage large or regular backups. The final_archive directory is a Borg repository.
- Knowing this, I looked at its documentation and found how to extract data from a Borg repository. My first attempt was:
borg extract `pwd`::files
Note: use backticks around pwd (command substitution), or provide the absolute path to the repository. Relative paths don’t work well with Borg.
As you can see, we could not extract it: Borg prompts for the repository passphrase.
My first guess for the passphrase was “music_archive”, the backup name from the chat, but the hash noted from /etc turned out to be the real lead. It is an Apache-style hash (the $apr1$ prefix marks Apache MD5, hashcat mode 1600), so I cracked it with hashcat:
hashcat -m 1600 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
Result: the passphrase is squidward.
Using this on the Borg repository got past the passphrase prompt, but the extract failed again with the error “Archive files do not exist”.
- Looking it up, the reason is that “files” is not the name of an archive inside the repository; the archive is called “music_archive” (listing the repository with borg list shows the archive names before you guess). So I changed the command to the following:
borg extract /home/atomic_j/Downloads/home/field/dev/final_archive/::music_archive
Extracting this produces the backup of Alex’s home directory (home/alex), where we found the SSH password to log in to the server as alex.
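To make the cracking step less of a black box, here is an added example (my own code, not part of the original walkthrough or the TryHackMe room) that reimplements the Apache $apr1$ MD5 hash that hashcat mode 1600 targets, parses an htpasswd/squid-style "user:hash" line, and runs a dictionary attack against it. The sample line, its salt ("abcdefgh") and the tiny wordlist are constructed for the demo; the only thing taken from the page is the recovered passphrase.

```python
# Added example (not from the original walkthrough): a pure-Python
# implementation of Apache's "$apr1$" MD5 crypt (hashcat mode 1600),
# plus a small dictionary attack, to show what hashcat does with the
# hash pulled out of the proxy config files.
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """crypt(3)-style base64: emit `count` chars, 6 bits each, low bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_crypt(password: str, salt: str) -> str:
    """Apache apr1 MD5 crypt: md5crypt with the '$apr1$' magic string."""
    pw = password.encode()
    sl = salt[:8].encode()            # apr1 uses at most 8 salt characters
    magic = b"$apr1$"

    ctx = hashlib.md5(pw + magic + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    # Mix in len(pw) bytes of the alternate sum, 16 at a time.
    pl = len(pw)
    while pl > 0:
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    # For each bit of len(pw): a zero byte if set, else the first password byte.
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 stretching rounds, each re-hashing a varying mix of pw/salt/final.
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sl)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    # Reorder the 16 digest bytes and encode them as 22 characters.
    enc = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        enc += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    enc += _to64(final[11], 2)
    return "$apr1$" + salt[:8] + "$" + enc


def parse_passwd_line(line: str):
    """Split a 'user:$apr1$salt$hash' line into (user, full_hash, salt)."""
    user, _, h = line.strip().partition(":")
    parts = h.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        raise ValueError("not an $apr1$ hash: " + h)
    return user, h, parts[2]


def crack_apr1(hash_str: str, wordlist):
    """Dictionary attack: return the first candidate whose apr1 hash matches, else None."""
    salt = hash_str.split("$")[2]
    for cand in wordlist:
        cand = cand.rstrip("\n")
        if apr1_crypt(cand, salt) == hash_str:
            return cand
    return None


# Constructed sample: an htpasswd-style line for the "music_archive" user,
# hashed with the passphrase the walkthrough recovers and a made-up salt,
# plus a tiny rockyou-like wordlist.
SAMPLE_LINE = "music_archive:" + apr1_crypt("squidward", "abcdefgh")
SAMPLE_WORDLIST = ["123456", "password", "music_archive", "squidward", "letmein"]

if __name__ == "__main__":
    user, h, salt = parse_passwd_line(SAMPLE_LINE)
    print(user, h)
    print("cracked:", crack_apr1(h, SAMPLE_WORDLIST))
```

To check the implementation against a reference before trusting it on a real hash, compare apr1_crypt("squidward", "abcdefgh") with the output of openssl passwd -apr1 -salt abcdefgh squidward (or htpasswd -nbm, which also produces $apr1$ hashes); the salt after the second $ is what the cracker has to reuse for every candidate, which is why the 1000-round stretching makes this hash type slow to brute-force and a wordlist attack the sensible first move.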
Step 4: Privilege Escalation
After logging in as alex, I checked sudo privileges:
sudo -l
Result: we can execute backup.sh as root. A quick look at Alex’s .bash_history reveals how to exploit this script to gain root access.
To get the flag, I used this command: