Cyborg
Today, we are going to look at the new room created by fieldraccoon (link: https://tryhackme.com/room/cyborgt8).

So, let’s get started with our challenges :)

Let’s deploy the machine and head straight to the main tasks :-

Let’s start nmap and see how many ports are open :

Now that we know about the ports, let’s start gobuster:

gobuster showed two interesting folders, let’s see what’s inside them:

I checked the source code of admin and there was nothing special in it, so I surfed around in the Admins tab and saw this:

Message from Alex looks interesting.
I checked the source code again but nothing special was there :(
The Archive section has two options: Listen and Download.

Clicking on Listen brings you back to the Admin’s page but clicking on Download will download a file ‘home’.
Okay, enough about the admin page. Now, let’s navigate to the /etc directory and see what’s in there.

That’s interesting :). Let’s move on:

So, we have got two files. Let’s see what’s inside them.


We see that we have a hash to crack in the passwd file. It’s an Apr1 hash.
I have used hashcat for this. You guys can also use john.

Good! We have cracked the hash. We don’t know where to use this password yet, but we’ll see :)
Now that we have surfed through the website, let’s see what’s inside the ‘home’ folder we downloaded earlier.
So let’s navigate to this folder:


After going through several directories you will find some interesting files. I was not able to decrypt .5 format files so I focused on the README file and config file and found something useful.

I was so busy decrypting the hashes that I forgot to read the README file, which was the main hint all along :(
To tell you guys in brief, we need to make use of Borg to help us decrypt the files.
For those who don’t have Borg installed, simply run this in your terminal:
sudo apt install borgbackup
Now, let’s make use of Borg.
If you read the documentation of Borg you will know how to use it but for those of you who are as lazy as me, we need to mount the borg repository in a directory. Practically, it’s something like this:
First, you need to make a directory:

After that we need to use Borg:

This command mounts the contents of the encrypted repository in the folder you created. In my case, it was Mounted.
(Due to some issue I had to recreate the directory with the name Archive)
It will ask for a passphrase. Now we know where to use the cracked hash :)

Now, let’s dive in the Archive folder and see what’s inside:
After some digging, I found a username:password

From my experience (which is not a lot actually lol), it’s an SSH username and password.
So, let’s try to ssh our way in :

Superb! We are in the system. But not as root though :(
Now let’s try to find our first flag.

Fairly easy :). But now we need the root flag. Let’s see what we can do.

As we can see, we have root access to the backup.sh file. It’s a bash script. Let’s edit this script to gain root access.

As you can see, we have ‘no write permission’. So, let’s change that by typing:
chmod 777 /etc/mp3backups/backup.sh
After that let’s try to open the file again with nano editor:

You will notice that now we can edit the bash file. All you need to do is add this command to this file like I did:-
/bin/bash -i

And Voila, we have root access! Now for our final flag:

Truly a fun challenge. If you are unclear about some parts of it, I highly recommend reading up on that particular topic, as you need a fair knowledge of Linux to complete this challenge. Hope you had fun :)
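
The root step above works because a script that runs as root is owned by the unprivileged account: chmod only succeeds for a file's owner (or root), so the read-only mode was no protection. As an added example, not part of the original write-up, the shell functions below audit every command a sudo listing allows and flag any that a non-root user could alter. It assumes the missing screenshot was `sudo -l` output and that GNU stat is available; the function names and the sample listing are constructed, only the script path comes from the page.

```shell
#!/bin/sh
# Added example (not from the original write-up). Assumes Linux with GNU stat.

# perm_risk UID MODE: explain why an object with this owner and octal mode
# could be changed by a non-root user. Returns 0 if it cannot, 1 otherwise.
perm_risk() {
    pr_bad=0
    if [ "$1" -ne 0 ]; then
        echo "owner uid $1 is not root, so the owner can chmod and edit it"
        pr_bad=1
    fi
    if [ $(( 0$2 & 022 )) -ne 0 ]; then   # 022 = group-write | other-write
        echo "mode $2 is group- or world-writable"
        pr_bad=1
    fi
    return $pr_bad
}

# audit_path FILE: apply perm_risk to FILE and to every parent directory,
# because a writable parent lets someone swap the file out.
audit_path() {
    ap_p=$1; ap_bad=0
    while :; do
        ap_meta=$(stat -L -c '%u %a' "$ap_p" 2>/dev/null) ||
            { echo "$ap_p: cannot stat"; return 1; }
        ap_why=$(perm_risk "${ap_meta% *}" "${ap_meta#* }") ||
            { echo "$ap_p: $ap_why"; ap_bad=1; }
        ap_next=$(dirname "$ap_p")
        [ "$ap_next" = "$ap_p" ] && break
        ap_p=$ap_next
    done
    return $ap_bad
}

# sudo_targets: read `sudo -l` output on stdin, print each allowed command path.
sudo_targets() {
    awk '/^ *\(/ { sub(/^ *\([^)]*\) */, ""); gsub(/[A-Z_]+: */, "")
                   n = split($0, c, /, */)
                   for (i = 1; i <= n; i++) { split(c[i], w, " "); if (w[1] ~ /^\//) print w[1] } }'
}

# audit_sudo_listing: `sudo -l | audit_sudo_listing` returns non-zero on any finding.
audit_sudo_listing() {
    asl_bad=0
    for asl_cmd in $(sudo_targets); do audit_path "$asl_cmd" || asl_bad=1; done
    return $asl_bad
}

# Constructed sample of `sudo -l` output; only the script path comes from the write-up.
SAMPLE='User analyst may run the following commands on host:
    (ALL : ALL) NOPASSWD: /etc/mp3backups/backup.sh'
```

The parent-directory walk is conservative: a sticky world-writable directory such as /tmp is flagged as well.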