TryHackMe Cyborg Writeup
Hi, Hackers! Today we will solve the TryHackMe room Cyborg. This room was created by fieldraccoon. So, without wasting time, let's jump into the challenge.
Reconnaissance:
The first thing we do when solving a machine is recon, so let's do some. Scan the machine for open ports. I used rustscan; it's much faster than nmap.
$rustscan -a ip --ulimit 5000 -- -A -oN rustscan.txt
OK, we have two ports open, 22 and 80. The services are SSH and HTTP. Let's visit port 80.
Looks like it's an Apache server. After checking the source code, I found nothing, not a single clue. Let's search for hidden directories with gobuster.
$gobuster dir -u http://ip -w ........../wordlist.txt
Bingo! We have found two hidden directories. Let's see what's in there.
The /admin directory looks like the website of a music lover named Alex. Browsing the site, we find some messages in the /admin/admins directory.
Looks like he is having a problem with the squid proxy and he has a backup named music_archive. Here, we have an archive directory from which we can download an archive file. Interesting!!
OK. Let's visit /etc, shall we?
We have a passwd file and a squid configuration file. In the passwd file we found a credential.
I think the credential will be useful for the file we downloaded.
The credential we found is a hash. Let's find out which kind. I used hash-identifier; you can use hashid too, it's your choice.
Looks like it's an md5(apr) hash. Let's fire up john to crack it.
$john hash.txt --wordlist=......./rockyou.txt
At last, we have cracked the password: it is squidward. Now, let's focus on the file we downloaded from the site. It's an archive file, so we have to extract it.
$tar -xf archive.tar
Nothing useful here except a config file and a readme file.
That config file is hard to understand, but in the readme file we found a link. Let's give it a visit.
It's the documentation site of Borg. BorgBackup (short: Borg) is a deduplicating backup program; optionally, it supports compression and authenticated encryption. To understand Borg better, we have to install it on our local machine. If you use a Debian-based distro like Kali or Parrot OS, installing borg is easy.
$sudo apt-get install borgbackup
Then look at borg's help menu.
$borg -h
Borg has many commands. You can use borg list to list the contents of a repository or an archive, and with borg extract you can extract the contents of an archive. So we have to list the contents of the final_archive repository. Go to final_archive and type
$borg list .
We have an archive named music_archive. Now we have to extract it. That cracked password will come in handy now, I think.
$borg extract path/to/archive::archive
It's the home directory of alex. Let's see if we can find something useful.
We found two text files. Let's see what's in them.
secret.txt:
note.txt:
In this file, we found another credential. This should be an SSH credential.
Well, it is! We're in. Here we can find the user flag.
Privilege Escalation:
Let's find a way to get the root flag. User alex might have sudo privileges. Run the sudo -l command.
$sudo -l
User alex can run one command with sudo. In the /etc directory, there is a backup.sh file. Let's see what's in that file.
It's a bash script that backs up music files. Since it can be run with sudo, it is a bash script, and we can edit it, we can make it run /bin/bash as sudo, which should give us root access. You can find useful Linux privilege escalation techniques on GTFOBins. Write /bin/bash at the end of backup.sh and execute it with sudo.
Bingo! We're now root. Let's find the root flag.
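The root shell above exists only because a script that sudoers lets alex run is something alex can modify. As an added example that is not part of the original writeup, here is a small Python audit an administrator can run against any path granted in sudoers: it walks from the file up to / and reports every entry that a non-root user could write to (file or directory), which is exactly the condition that lets root's command be swapped out. Function names and the default /etc/backup.sh argument are my own assumptions.

```python
import os
import stat
import sys


def writable_by_others(mode, uid, gid, root_gid=0):
    """Return findings for one filesystem entry given its st_mode/st_uid/st_gid.

    An entry is unsafe as a sudo target (or as a parent of one) when a user
    other than root can change it: non-root owner, world-writable, or
    group-writable by a group other than root's.
    """
    findings = []
    if uid != 0:
        findings.append("owned by uid %d, not root" % uid)
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IWGRP and gid != root_gid:
        findings.append("group-writable by gid %d" % gid)
    return findings


def audit_sudo_target(path):
    """Map each unsafe path component (file and every parent dir) to its findings.

    Parent directories matter too: a writable parent lets a user replace the
    script by rename even if the file itself is root-owned and 0755.
    """
    report = {}
    p = os.path.realpath(path)
    while True:
        try:
            st = os.stat(p)
        except OSError as exc:
            report[p] = ["cannot stat: %s" % exc.strerror]
            break
        found = writable_by_others(st.st_mode, st.st_uid, st.st_gid)
        if found:
            report[p] = found
        parent = os.path.dirname(p)
        if parent == p:  # reached '/'
            break
        p = parent
    return report


if __name__ == "__main__":
    # Default target is the script from this box; pass another path as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/backup.sh"
    result = audit_sudo_target(target)
    print("OK: nothing writable by non-root" if not result else result)
```

An empty report means every component from / down to the script is root-owned and not group- or world-writable, which is the state a sudo-permitted script should be in.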
That's all for today. Happy Hacking😊😊