Cyborg — TryHackMe (Walkthrough)

Bibek Thapa Magar
May 24, 2021

Task 1: Deploy the room

Task 2: Compromise the system

Compromise the machine and read the user.txt and root.txt

Scan the machine, how many ports are open?

Now let’s fire up our nmap and scan the target:

nmap IP

ANS: 2

What service is running on port 22?

This one is obvious, and the scan result also shows the answer:

ANS: ssh

What service is running on port 80?

ANS: http

What is the user.txt flag?

For this, I bet we should use ssh, but we don’t have the key yet, so let’s try to get it.

So, let’s fire up “Dirbuster”

From the Dirbuster scan we found a directory “/admin/”.

Going to the link:

After searching for a while, there is the “admins” menu, where we find:

These two look interesting.

There is also an “archive” menu, so go there and download “archive.tar”; maybe it will be useful later.

The Dirbuster scan also showed that there is a directory “/etc/squid/”, so navigate to this endpoint:

Now, going to this endpoint:

This passwd file seems interesting, so let’s dig in there, where we find a hash:

We don’t have any clue what kind of hash it is, so

Here, it is an MD5 hash.

Let’s try to crack it using “john the ripper”. Save the hash in a file “hash.txt” and pass it to john to crack it.

Maybe we found the password, but it is not for ssh. Now let’s dig in even deeper.

Let’s go untar the “archive.tar” we downloaded earlier.

Let’s look at the “README”:

Now let’s go to the link it points to, which leads to:

So, it must have been used to create a backup of something valuable.

Scrolling through it, this seems interesting:

Let’s follow the link:

But to use it we have to install it first, so:

Now we have installed borgbackup but cannot use it yet, as we do not have the filename. So, let’s look at what is in the archive:

We can do that by listing it using borg:

When listing the repo, it asks us for the password, so enter the password we obtained earlier.

Now we know the name of the file, so let’s extract it:

Now there is a new directory named alex, so let’s dig in there:

After digging in for a while, we came across a file:

This must be the password for ssh, so let’s try it:

Woohoo!! We’re in!

So let’s explore the machine:

So, we found the flag!!

ANS: flag{1_hop3_y0u_ke3p_th3_arch1v3s_saf3}

What is the root.txt flag?

For this one, we need root access for sure, so let’s see if we can do some privilege escalation.

So, let’s check what permissions we have:

Here we found a bash file that can be run with sudo privilege without a password, so this can be useful for us. Now, analyze it.

It seems that it takes an input with a “-c” flag and executes it.

So let’s give it a try:

Here we can execute the bash shell, but it is not giving any response, so let’s set the SUID bit and try once more:

Dude!! We got the bash shell!

Voila!! We got the flag!!!

ANS: flag{Than5s_f0r_play1ng_H0p£_y0u_enJ053d}
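
The sudo finding above comes down to a script that executes the value of its “-c” option. As an added example (constructed here, not the script from the room and not the author’s code), this puts that weak pattern next to a hardened one that only compares the option value against a fixed list. The function names and the “status”/“list” actions are assumptions.

```shell
#!/bin/sh
# Constructed example. Function names and action names are hypothetical.

# Weak pattern: the value of -c is executed as a command. If a sudoers
# rule lets a user run such a script without a password, that value runs
# with root's privileges.
run_weak() (
    # Subshell body keeps the variables local to this call.
    OPTIND=1
    command=""
    while getopts "c:" opt; do
        case "$opt" in
            c) command="$OPTARG" ;;
            *) return 2 ;;
        esac
    done
    # Unquoted expansion: the shell splits the value into words and runs it.
    $command
)

# Hardened pattern: -c selects a named action from a fixed allowlist.
# The option value is only compared, never executed.
run_hardened() (
    OPTIND=1
    action=""
    while getopts "c:" opt; do
        case "$opt" in
            c) action="$OPTARG" ;;
            *) return 2 ;;
        esac
    done
    case "$action" in
        status) echo "backup: ok" ;;
        list)   echo "backup: no archives" ;;
        *)      echo "rejected action: $action" >&2
                return 1 ;;
    esac
)
```

When reviewing sudoers entries, any NOPASSWD script that passes an argument to a shell, `eval`, or an unquoted expansion like the one in `run_weak` deserves the same rewrite.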

CONGRATULATIONS!!!

Bibek Thapa Magar

I’m an electronics and Communication Engineer/ Cybersecurity Enthusiast/ Musician / Photographer / Video Editor