Cyborg

Writeup of the Cyborg room on TryHackMe.

  1. I visited the given IP 10.201.19.200 and got a default Apache webpage as follows. I tried enumerating it by viewing its source code but found nothing.

  2. I ran a TCP scan via Nmap on the IP and found ports 22 and 80 open. After that I ran a deeper scan on those two ports and got the following results.

  3. root@ip-10-201-76-18:~/Desktop# nmap -sC -sV 10.201.19.200 -p 22,80
    Starting Nmap 7.80 ( https://nmap.org ) at 2025-09-24 04:07 BST
    Nmap scan report for 10.201.19.200
    Host is up (0.00013s latency).
    
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   2048 db:b2:70:f3:07:ac:32:00:3f:81:b8:d0:3a:89:f3:65 (RSA)
    |   256 68:e6:85:2f:69:65:5b:e7:c6:31:2c:8e:41:67:d7:ba (ECDSA)
    |_  256 56:2c:79:92:ca:23:c3:91:49:35:fa:dd:69:7c:ca:ab (ED25519)
    80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
    |_http-server-header: Apache/2.4.18 (Ubuntu)
    |_http-title: Apache2 Ubuntu Default Page: It works
    MAC Address: 16:FF:F9:19:7D:37 (Unknown)
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 7.90 seconds
  4. I found nothing of use in the Nmap scan which could help me gain an insight into how I could get into the system.

  5. I ran a directory scan via Gobuster and found the following subdirectories.

  6. /admin
    /etc
    /server-status
  7. Upon visiting the /admin subdirectory I got the following webpage.

  8. This seemed like some aspiring musician's portfolio. I looked around the website searching for some endpoint through which the target could be compromised.

  9. I visited the Admins page and found the following text.

  10. This gave me a lot of information about the users that might be present on the system. The last message also conveyed something about Squid Proxy and some config file along with a backup named music_archive.

  11. I visited the Archive dropdown on the navigation in the web page and downloaded an archive.tar file.

  12. I extracted it using tar -xvf archive.tar and got the following contents inside it.

  13. I spent a lot of time going through the contents of these files and folders. I opened the README and found the following text.

  14. I visited the Borg Backup Repository link as given and learnt about extracting backup repositories using borg. https://borgbackup.readthedocs.io/en/stable/usage/extract.html

  15. Here you can extract the contents of an archive and get the files and subdirectories present in it. I had never come across Borg or any similar tool, hence I was stuck here for a long time, due to which I had to refer to a writeup to solve this.

  16. I needed a passcode to extract the archive hence I checked the /etc subdirectory.

  17. This seemed interesting.

  18. There was a passwd file and a squid.conf file here. Remember the mention of Squid Proxy on the Admin page of the music website a few steps ago.

  19. The contents of squid.conf didn't really have much information to use.

  20. Hence I downloaded the passwd file and found the following hashed credential.

    music_archive:$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.
  21. I tried cracking the password using John The Ripper and got the following result.

  22. The password was cracked.

  23. I installed Borg using apt install borgbackup.

  24. I extracted the final_archive repository obtained from archive.tar a few steps back using the following command. Here the repository contained backups, and inside it I wanted to extract a specific archive known as music_archive.

    borg extract /home/field/dev/final_archive::music_archive
  25. Remember music_archive was mentioned in the Admin Shoutbox on the webpage a few steps back.

  26. When the passcode was asked for I used the one I found after cracking the passwd file using John.

  27. After extracting the archive there was a new subdirectory named /alex in the /home directory.

  28. I enumerated the directory and found the following note in the Documents folder.

  29. I found the password for the user alex which could be used to gain initial foothold on the target.

Initial foothold and Root Access

  1. I used the password obtained in the previous step and connected to the target via SSH as shown below.

  2. The user flag was found as follows.

  3. I started enumerating the target looking for potential endpoints to escalate my privileges and gain root access.

  4. I ran sudo -l to check the commands I could run with sudo and I got the following output.

  5. I checked the backup.sh file and changed its permissions.

  6. I overwrote the file's code with /bin/bash -p to run the bash program in privileged mode and get root access.

  7. I ran the backup.sh file using sudo ./backup.sh and gained root privileges.

  8. I checked the root directory and obtained the root flag as follows.
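
The root access above came from a sudo rule whose target script the user could chmod and overwrite. As an added example (not part of the original writeup), the following audit parses `sudo -l` style output and flags targets that the invoking user could alter; the sample output and the path /path/to/backup.sh are constructed placeholders, not values from the room.

```python
"""Flag sudo rule targets that the invoking user could alter (added audit example)."""
import os
import re
import stat

# One rule line of `sudo -l` output, e.g. "(root) NOPASSWD: /opt/backup.sh".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?:(?:\w+:\s*)+)?(?P<cmd>/\S+)")


def parse_sudo_l(output):
    """Return (run-as user, absolute command path) pairs from `sudo -l` text."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group("runas").strip(), m.group("cmd")))
    return rules


def classify_target(mode, owner_uid, parent_mode, user_uid):
    """Reasons the invoking user could change what sudo runs; empty list means safe."""
    reasons = []
    if owner_uid == user_uid and user_uid != 0:
        reasons.append("owned by invoking user (can chmod and overwrite it)")
    if mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if parent_mode & stat.S_IWOTH and not parent_mode & stat.S_ISVTX:
        reasons.append("parent dir world-writable without sticky bit (file can be replaced)")
    return reasons


def audit_rules(rules, user_uid):
    """Stat each sudo target on the local system and return only the risky ones."""
    findings = {}
    for _runas, cmd in rules:
        try:
            st, parent = os.stat(cmd), os.stat(os.path.dirname(cmd) or "/")
        except FileNotFoundError:
            findings[cmd] = ["target missing (check whether the user can create it)"]
            continue
        reasons = classify_target(st.st_mode, st.st_uid, parent.st_mode, user_uid)
        if reasons:
            findings[cmd] = reasons
    return findings


# Constructed sample in the shape of `sudo -l` output; the path is a placeholder.
SAMPLE_SUDO_L = "User alex may run the following commands on ubuntu:\n" \
                "    (root) NOPASSWD: /path/to/backup.sh\n"
```

Run `audit_rules(parse_sudo_l(output), os.getuid())` on a real `sudo -l` capture to list the rules that need fixing; the fix is a root-owned, non-writable script in a root-owned directory.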

Hope this writeup proved helpful to you! More of these coming soon. Happy Hacking!
