Cyborg
A box involving encrypted archives, source code analysis and much more.
Room Link: https://tryhackme.com/room/cyborgt8 By @fieldraccoon
Let's get started.
1. Nmap
First, run a simple nmap scan to find which ports are open and which services are running on the target machine.
$ sudo nmap -T4 -sC -sS -A <machine_ip> >> nmap.out
Ports 22 and 80 are open. Visiting the webpage on port 80 shows only the default Apache2 page, which doesn't give away much.
2. Gobuster
Next, brute-force the publicly accessible directories on the web server.
$ sudo gobuster dir -u 10.10.46.127 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -o dir.out
We get /admin and /etc directories. Exploring them: Boom! We have something interesting, a password hash. Save it for later use.
Poking around further turns up a publicly accessible archive.tar file.
3. Password Cracking
We found a hash earlier, so let's crack it. John the Ripper is a great tool for this.
$ john --fork=4 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
4. Research
Now let's take a look at the archive.tar file; extract it with tar.
$ tar -xf archive.tar
Exploring the extracted files revealed a Readme file.
After a little research I found out about borg, what it is and how it is used. Since this is a borg archive, unpack it with borg into a directory named unziped.
$ mkdir unziped && borg mount home/field/dev/final_archive unziped
It asks for a passphrase; the password we cracked earlier works. Digging through the mounted archive for something useful turns up a username and password. Let's SSH into the target machine.
5. Gaining Access
SSH into the target with the username and password found, and there we have it: the user flag.
6. Privilege Escalation
Check whether the alex user is in the sudoers list:
$ sudo -l
It seems there is NOPASSWD sudo access on the backup.sh file. Let's exploit it.
7. Source Code Analysis
Let's read what's happening in backup.sh.
The script has a small chunk of code that takes input via a -c flag and hands it to the shell, so in effect it can run arbitrary bash commands.
With that Cyborg is rooted.
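The pattern the last section describes, as an added shell illustration that is constructed here and is not the room's actual backup.sh: backup_weak hands whatever follows -c straight to a shell, which is the injection that makes a NOPASSWD sudo entry fatal, while backup_safe treats -c as the name of a backup profile checked against a fixed table, so no caller-supplied text ever reaches a shell. The function names, profile names and paths are assumptions.

```shell
#!/bin/sh
# Constructed example (not the room's backup.sh): the weak "-c" handling the
# writeup describes, next to a hardened version of the same script.

# Weak pattern: the -c argument is executed verbatim. Run under a NOPASSWD
# sudo rule, this is an unrestricted root shell for anyone allowed to call it.
backup_weak() {
    cmd=""
    OPTIND=1
    while getopts "c:" opt; do
        case "$opt" in
            c) cmd="$OPTARG" ;;
        esac
    done
    # Caller-controlled text reaches a shell: this is the command injection.
    sh -c "$cmd"
}

# Hardened pattern: -c only selects a profile from a fixed table. The value is
# compared, never executed, and anything outside the allowlist is rejected.
backup_safe() {
    profile=""
    OPTIND=1
    while getopts "c:" opt; do
        case "$opt" in
            c) profile="$OPTARG" ;;
            *) return 2 ;;
        esac
    done
    case "$profile" in
        daily)  src="/var/www"; dest="/backups/daily" ;;
        weekly) src="/home";    dest="/backups/weekly" ;;
        *)      echo "unknown profile: $profile" >&2; return 1 ;;
    esac
    # Constructed dry-run stand-in for the real archiving step: every path
    # comes from the table above, none from the caller.
    echo "would archive $src into $dest"
    return 0
}
```

Auditing a sudoers rule therefore means reading the target script, not just the rule: a NOPASSWD entry on backup_safe grants only the two listed backups, while the same entry on backup_weak grants root.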