TryHackMe | Cyborg Writeup

Carson Shaffer
7 min read · Aug 11, 2022

TryHackMe’s Cyborg room is an easy-level room involving public file access, hash cracking, backups, and privileged command execution to get root on the target machine. This writeup will go through each step needed to complete the room.

Task 1: Deploy the machine

1. Deploy the machine
We can deploy the target machine by clicking the green “Start Machine” button at the top of the task. Next, we need to connect to the TryHackMe network. I’m using a Kali virtual machine so I’ll connect using OpenVPN.

Starting the target machine

Task 2: Compromise the System

1. Scan the machine, how many ports are open?
We’ll scan the machine using nmap. We want the results to list the service versions and be very verbose, so we’ll use the -sV and -vv flags. The following is the command we use:

nmap -sV -vv 10.10.221.75

We see a few open ports on the machine.

Results of the nmap scan

2. What service is running on port 22?
We can answer this question with the results of our nmap scan.

3. What service is running on port 80?
We can answer this question with the results of our nmap scan.

4. What is the user.txt flag?
Let’s go to the web server and see what’s there.

Homepage of the webserver

We’re led to the Apache default page. The source code doesn’t contain anything useful. Let’s do a Gobuster scan with the common.txt wordlist to look for any hidden directories. We’ll use the following command:

gobuster dir -u http://10.10.221.75 -w /usr/share/wordlists/dirb/common.txt

This results in a small list of directories.

Results of the Gobuster scan

The two interesting directories seem to be /admin and /etc. Let’s start with /etc.

Navigating to /etc

There’s a directory called “squid”, let’s see what’s there.

Contents of the squid directory

We found a passwd file and a config file. The config file contains some authentication rules.

Contents of squid configuration file

The passwd file has a username and password hash.

Contents of the passwd file

Let’s copy and paste the hash into a file called hash. Then we can use hashcat to identify the hash using the following command:

hashcat --show hash

Hashcat finding the hash type

We can then start cracking the hash using the following command:

hashcat -m 1600 hash /usr/share/wordlists/rockyou.txt

Within a few seconds we get our password.

Cracking the password

We have a username and password, now we need a place to use it. Let’s go to the /admin directory.

Admin page

We find a blog that’s been set up. There’s a page called admin.html which leads to a conversation between the admins.

Conversation

It looks like the music_archive user we found earlier probably isn’t a user but the name of a backup. There’s a dropdown tab called archive with a download button that downloads a file called archive.tar.

Archive file

When we extract archive.tar we get a directory called “home”. Inside it is a chain of single directories leading to one called “final_archive”, which contains a few files.

Files inside final_archive

The README file says that this is a backup repository and tells us to read the documentation.

README file

Reading through the documentation, we can install Borg and extract the files. We can use the following command to extract it:

borg extract home/field/dev/final_archive::music_archive

We’re then asked for the password that we cracked earlier. When we look back in the home directory a new directory has appeared.

New directory

This new directory contains the home directory for Alex. The Desktop directory has a note congratulating us for getting this far, but the Documents directory has login credentials.

Finding the credentials for Alex

Let’s use these credentials to SSH into the target. Once logged in, we can list the files in this user’s directory and get the user flag.

Getting the user flag

With the user flag down, we can start looking for privilege escalation techniques.

5. What is the root.txt flag?
I find the easiest way to look for escalation vectors is to list our sudo permissions using “sudo -l”. This lists a script we can run as root.

Able to run backup.sh as root

If we look at the script, we own the file but do not have write permission. We can add that using the following command:

chmod +w /etc/mp3backups/backup.sh

Before changing permissions

After changing permissions

At this point, having write permission allows us to do pretty much whatever we want to get root. Before escalating though, let’s look at the script and see what it does.
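The permission problem above (a script runnable via sudo that the invoking user owns, so a read-only mode is no protection) is what a hardening audit should catch. The following Python check is an added example, not part of the original writeup or the room; the uid 1000 and the file modes are constructed values standing in for the target box.

```python
import os
import stat
from typing import List

def sudo_target_findings(path: str, owner_uid: int, mode: int, caller_uid: int) -> List[str]:
    """Flag ways the user granted a sudo rule could alter the file it runs.

    owner_uid/mode are the file's st_uid/st_mode and caller_uid is the uid
    named in the sudoers rule, passed in so the check runs on constructed data.
    """
    findings = []
    if owner_uid == caller_uid:
        # The owner may chmod the file, so r--r--r-- is no protection at all.
        findings.append(f"{path}: owned by the sudo-invoking user, who can chmod +w it")
    elif owner_uid != 0:
        findings.append(f"{path}: owned by uid {owner_uid}, not root")
    if mode & stat.S_IWGRP:
        findings.append(f"{path}: group-writable")
    if mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable")
    return findings

def audit_sudo_target(path: str, caller_uid: int) -> List[str]:
    """Run the check against a real file and also its parent directory."""
    st = os.stat(path)
    findings = sudo_target_findings(path, st.st_uid, st.st_mode, caller_uid)
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    sticky = bool(pst.st_mode & stat.S_ISVTX)
    if pst.st_uid == caller_uid or (pst.st_mode & stat.S_IWOTH and not sticky):
        findings.append(f"{parent}: directory writable, script file can be replaced")
    return findings

# Constructed values mirroring the writeup: backup.sh owned by the login user
# (uid 1000 assumed) with mode r--r--r--, beside a root-owned hardened version.
BOX_FINDINGS = sudo_target_findings("/etc/mp3backups/backup.sh", 1000, 0o100444, 1000)
HARDENED_FINDINGS = sudo_target_findings("/etc/mp3backups/backup.sh", 0, 0o100755, 1000)

if __name__ == "__main__":
    for finding in BOX_FINDINGS or ["no findings"]:
        print(finding)
```

Pointing audit_sudo_target at each command path listed by sudo -l gives the same result on a live host.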

The script is too long for a screenshot, but it basically just takes mp3 files and backs them up. One thing can be exploited for escalation though: it accepts a command when the script executes.

Taking in a command

After accepting the command, it executes it at the end of the script.

Executing the command

We can test this by executing the script and specifying a command. We’ll use the following to try it with the whoami command:

sudo /etc/mp3backups/backup.sh -c whoami

At the end of the output the script tells us that it is being run as root.

Executing our command

We could definitely use this to cat the root flag, but let’s have a little fun. Let’s use this script to replace the /etc/passwd file with one that contains a new person as a root user, so that we can log in as root. We’ll start by copying the /etc/passwd file to one that we can edit using the following command:

cp /etc/passwd file

This adds a file called “file” to our directory that contains the contents of /etc/passwd. We can then copy and paste the root entry to the bottom and replace the root name with ours.

Adding our entry to the file

Next, we need to generate a password hash for our malicious user. We’ll use openssl to generate it with the following command:

openssl passwd -6 -salt 1 1

The -6 flag selects the SHA512crypt hash, -salt 1 specifies a salt of 1, and the final 1 is the password being hashed. We then paste the resulting hash after our malicious user.

Adding a password for our user

Now we need to copy this file back to the current /etc/passwd file. We’ll do this using the backup script command we tested earlier:

sudo /etc/mp3backups/backup.sh -c 'cp file /etc/passwd'

After we run the command we can look in the /etc/passwd file to see that our user has been copied in.

Our malicious user has been added

With our user added, all we need to do is switch to the user and enter our password of 1.

Switching to Carson

We have root! Now all we need to do is go to the root directory and grab the flag.

Getting the root flag
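The /etc/passwd change above is exactly what an integrity check on a host should catch: a second uid 0 account, and a hash sitting in /etc/passwd instead of /etc/shadow. The following Python check is an added example, not part of the original writeup or the room; the sample passwd lines are constructed (the alex and carson names come from the writeup, the uid and hash value are placeholders).

```python
from typing import List

def passwd_findings(passwd_text: str) -> List[str]:
    """Flag root-equivalent or otherwise suspicious entries in passwd(5) text."""
    findings = []
    seen = set()
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {lineno}: malformed entry with {len(fields)} fields")
            continue
        name, pw, uid = fields[:3]
        if name in seen:
            findings.append(f"line {lineno}: duplicate username {name!r}")
        seen.add(name)
        if uid == "0" and name != "root":
            findings.append(f"line {lineno}: {name!r} has uid 0 (root-equivalent account)")
        if pw == "":
            findings.append(f"line {lineno}: {name!r} has an empty password field")
        elif pw not in ("x", "*", "!"):
            # A hash here is checked directly by login, bypassing /etc/shadow.
            findings.append(f"line {lineno}: {name!r} carries a password hash in /etc/passwd")
    return findings

def added_entries(baseline_text: str, current_text: str) -> List[str]:
    """Return passwd lines present now but absent from a trusted baseline copy."""
    known = set(baseline_text.splitlines())
    return [l for l in current_text.splitlines() if l.strip() and l not in known]

# Constructed sample: a clean file, then the same file with the appended user.
BASELINE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alex:x:1000:1000:alex,,,:/home/alex:/bin/bash
"""
TAMPERED = BASELINE + "carson:$6$1$CONSTRUCTEDHASH:0:0:root:/root:/bin/bash\n"

if __name__ == "__main__":
    for finding in passwd_findings(TAMPERED) + added_entries(BASELINE, TAMPERED):
        print(finding)
```

On a real host the baseline would be a copy taken at provisioning time (or the backup's own copy), which is the same idea the room's Borg archive illustrates.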

We’ve completed the room! We’ve gone from an nmap scan to root access using public file access, hash cracking, backups, and privileged command execution. I hope this writeup could be helpful in completing the room! If you are still struggling please leave a comment or message me on Twitter and I will try my best to assist!

Lessons Learned:

  • Always look at file permissions
  • Borg backups can hold valuable information

Things I struggled with:

The backup program was the only thing I really had to figure out. I’ve never seen it before so having to look through the documentation took a few minutes. Other than that the room went smoothly.

Conclusion:

This room is pretty great! The vector for escalation gave a ton of variety. You could use the given way of using the commands or you could give yourself write access and do just about anything. I would recommend this room to someone who has done a few lessons and wants to do some beginner rooms.
