[{"data":1,"prerenderedAt":438},["ShallowReactive",2],{"\u002F2025\u002Ftryhackme-cyborg-writeup":3,"surround-\u002F2025\u002Ftryhackme-cyborg-writeup":429},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":9,"date":10,"updated":10,"image":11,"categories":12,"recommend":6,"draft":6,"readingTime":14,"body":19,"_type":422,"_id":423,"_source":424,"_file":425,"_stem":426,"_extension":427,"_original_dir":428},"\u002F2025\u002Ftryhackme-cyborg-writeup","2025",false,"","TryHackMe - Cyborg","In this article, we walk through solving TryHackMe's Cyborg room step by step. We gain initial access to the system using credentials leaked from an encrypted Borg backup and then obtain root privileges through a misconfigured sudo setup.","2025-08-23T05:49:06.000Z","https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-cyborg-writeup\u002Fthumbnail.jpg",[13],"CTF",{"text":15,"minutes":16,"time":17,"words":18},"2 min read",1.725,103500,345,{"type":20,"children":21,"toc":415},"root",[22,28,44,59,66,70,74,78,83,87,92,96,100,104,127,131,167,172,176,189,217,221,226,230,234,255,276,280,301,305,309,315,327,331,337,365,369,374,378,398,402,406,411],{"type":23,"tag":24,"props":25,"children":27},"element","pic",{"src":26},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-cyborg-writeup\u002F1.jpg",[],{"type":23,"tag":29,"props":30,"children":31},"p",{},[32,35],{"type":33,"value":34},"text","Target IP: ",{"type":23,"tag":36,"props":37,"children":41},"a",{"href":38,"rel":39},"https:\u002F\u002Ftryhackme.com\u002Froom\u002Fcyborgt8",[40],"nofollow",[42],{"type":33,"value":43},"10.10.19.186",{"type":23,"tag":29,"props":45,"children":46},{},[47,49],{"type":33,"value":48},"Attacker IP: ",{"type":23,"tag":50,"props":51,"children":56},"span",{"className":52,"id":54,"style":55},[53],"example-info","just-like-this","color: 
#EA5B6F",[57],{"type":33,"value":58},"10.10.48.44",{"type":23,"tag":60,"props":61,"children":63},"h2",{"id":62},"reconnaissance",[64],{"type":33,"value":65},"Reconnaissance",{"type":23,"tag":24,"props":67,"children":69},{"src":68},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-cyborg-writeup\u002F2.jpg",[],{"type":23,"tag":24,"props":71,"children":73},{"src":72},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-cyborg-writeup\u002F3.jpg",[],{"type":23,"tag":24,"props":75,"children":77},{"src":76},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-cyborg-writeup\u002F4.jpg",[],{"type":23,"tag":29,"props":79,"children":80},{},[81],{"type":33,"value":82},"We have a default Apache page. Let's do a directory scan to dig deeper.",{"type":23,"tag":24,"props":84,"children":86},{"src":85},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-cyborg-writeup\u002F5.jpg",[],{"type":23,"tag":29,"props":88,"children":89},{},[90],{"type":33,"value":91},"We encountered two pages. 
Let's examine them manually in depth.",{"type":23,"tag":24,"props":93,"children":95},{"src":94},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-cyborg-writeup\u002F6.jpg",[],{"type":23,"tag":24,"props":97,"children":99},{"src":98},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-cyborg-writeup\u002F8.jpg",[],{"type":23,"tag":24,"props":101,"children":103},{"src":102},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-cyborg-writeup\u002F7.jpg",[],{"type":23,"tag":29,"props":105,"children":106},{},[107,109,117,119,125],{"type":33,"value":108},"When we go to the ",{"type":23,"tag":110,"props":111,"children":114},"code",{"className":112,"id":54,"style":113},[53],"color: #4DFFBE",[115],{"type":33,"value":116},"\u002Fetc\u002Fsquid\u002Fpasswd",{"type":33,"value":118}," file, we find a name and a password hash. We can tell that the hash format is ",{"type":23,"tag":110,"props":120,"children":122},{"className":121,"id":54,"style":113},[53],[123],{"type":33,"value":124},"$apr1$",{"type":33,"value":126}," (Apache's MD5-based scheme) from the first characters of the hash.",{"type":23,"tag":24,"props":128,"children":130},{"src":129},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-cyborg-writeup\u002F9.jpg",[],{"type":23,"tag":29,"props":132,"children":133},{},[134,136,142,144,150,152,157,159,165],{"type":33,"value":135},"We need to crack this hash. I will use the ",{"type":23,"tag":110,"props":137,"children":139},{"className":138},[],[140],{"type":33,"value":141},"hashcat",{"type":33,"value":143}," tool. Now let's add this hash to a ",{"type":23,"tag":110,"props":145,"children":147},{"className":146},[],[148],{"type":33,"value":149},".txt",{"type":33,"value":151}," file and crack it with the following command. 
(Our mode for ",{"type":23,"tag":110,"props":153,"children":155},{"className":154},[],[156],{"type":33,"value":124},{"type":33,"value":158}," is ",{"type":23,"tag":110,"props":160,"children":162},{"className":161},[],[163],{"type":33,"value":164},"1600",{"type":33,"value":166},")",{"type":23,"tag":168,"props":169,"children":171},"copy",{"code":170},"hashcat -m 1600 hash_apr.txt \u002Fusr\u002Fshare\u002Fwordlist\u002Frockyou.txt",[],{"type":23,"tag":24,"props":173,"children":175},{"src":174},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-cyborg-writeup\u002F10.jpg",[],{"type":23,"tag":29,"props":177,"children":178},{},[179,181,187],{"type":33,"value":180},"As a result, we get the pair ",{"type":23,"tag":110,"props":182,"children":184},{"className":183},[],[185],{"type":33,"value":186},"music_archive:squidward",{"type":33,"value":188},". I tried to establish an SSH connection with this information, but unfortunately I was unsuccessful.",{"type":23,"tag":29,"props":190,"children":191},{},[192,194,200,202,208,210,215],{"type":33,"value":193},"After looking into it, we noticed that we could download a ",{"type":23,"tag":110,"props":195,"children":197},{"className":196},[],[198],{"type":33,"value":199},".tar",{"type":33,"value":201}," file from the ",{"type":23,"tag":110,"props":203,"children":205},{"className":204},[],[206],{"type":33,"value":207},"\u002Fadmin",{"type":33,"value":209}," page. Let's download and check it out. It's on the ",{"type":23,"tag":110,"props":211,"children":213},{"className":212},[],[214],{"type":33,"value":207},{"type":33,"value":216}," page, so it might be important. 
It probably has the archive Alex was talking about.",{"type":23,"tag":24,"props":218,"children":220},{"src":219},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-cyborg-writeup\u002F11.jpg",[],{"type":23,"tag":29,"props":222,"children":223},{},[224],{"type":33,"value":225},"Now let's take a closer look.",{"type":23,"tag":24,"props":227,"children":229},{"src":228},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-cyborg-writeup\u002F12.jpg",[],{"type":23,"tag":24,"props":231,"children":233},{"src":232},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-cyborg-writeup\u002F13.jpg",[],{"type":23,"tag":29,"props":235,"children":236},{},[237,239,245,247,253],{"type":33,"value":238},"Upon examination, we find a ",{"type":23,"tag":110,"props":240,"children":242},{"className":241},[],[243],{"type":33,"value":244},"README",{"type":33,"value":246}," file in ",{"type":23,"tag":110,"props":248,"children":250},{"className":249},[],[251],{"type":33,"value":252},"\u002Fhome\u002Ffield\u002Fdev\u002Ffinal_archive",{"type":33,"value":254},". From this, we understand that this directory is a borg backup repository.",{"type":23,"tag":29,"props":256,"children":257},{},[258,260,266,268,274],{"type":33,"value":259},"On the website, we learned about the ",{"type":23,"tag":110,"props":261,"children":263},{"className":262},[],[264],{"type":33,"value":265},"borg",{"type":33,"value":267}," tool and the basics of its usage. We now know what borg is and that we have an encrypted archive with borg. 
We have the possible pair ",{"type":23,"tag":110,"props":269,"children":272},{"className":270,"id":54,"style":271},[53],"color: #efb11d",[273],{"type":33,"value":186},{"type":33,"value":275},", and when we try them, the archive data opens.",{"type":23,"tag":24,"props":277,"children":279},{"src":278},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-cyborg-writeup\u002F14.jpg",[],{"type":23,"tag":29,"props":281,"children":282},{},[283,285,291,293,299],{"type":33,"value":284},"The user backed up all content in the ",{"type":23,"tag":110,"props":286,"children":288},{"className":287},[],[289],{"type":33,"value":290},"\u002Fhome",{"type":33,"value":292}," directory. Upon closer inspection, we see the pair ",{"type":23,"tag":110,"props":294,"children":296},{"className":295,"id":54,"style":113},[53],[297],{"type":33,"value":298},"alex:S3cretP@s3",{"type":33,"value":300},".",{"type":23,"tag":24,"props":302,"children":304},{"src":303},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-cyborg-writeup\u002F15.jpg",[],{"type":23,"tag":24,"props":306,"children":308},{"src":307},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-cyborg-writeup\u002F16.jpg",[],{"type":23,"tag":60,"props":310,"children":312},{"id":311},"initial-access",[313],{"type":33,"value":314},"Initial Access",{"type":23,"tag":29,"props":316,"children":317},{},[318,320,326],{"type":33,"value":319},"We establish our connection using ssh as ",{"type":23,"tag":110,"props":321,"children":323},{"className":322},[],[324],{"type":33,"value":325},"alex",{"type":33,"value":300},{"type":23,"tag":24,"props":328,"children":330},{"src":329},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-cyborg-writeup\u002F17.jpg",[],{"type":23,"tag":60,"props":332,"children":334},{"id":333},"privilege-escalation",[335],{"type":33,"value":336},"Privilege 
Escalation",{"type":23,"tag":29,"props":338,"children":339},{},[340,342,347,349,355,357,363],{"type":33,"value":341},"We performed a simple manual test and found that the user ",{"type":23,"tag":110,"props":343,"children":345},{"className":344},[],[346],{"type":33,"value":325},{"type":33,"value":348}," could run the ",{"type":23,"tag":110,"props":350,"children":352},{"className":351},[],[353],{"type":33,"value":354},"\u002Fetc\u002Fmp3backups\u002Fbackup.sh",{"type":33,"value":356}," script without requiring a password using ",{"type":23,"tag":110,"props":358,"children":360},{"className":359},[],[361],{"type":33,"value":362},"sudo",{"type":33,"value":364}," privileges.",{"type":23,"tag":24,"props":366,"children":368},{"src":367},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-cyborg-writeup\u002F18.jpg",[],{"type":23,"tag":29,"props":370,"children":371},{},[372],{"type":33,"value":373},"Let's examine this script.",{"type":23,"tag":24,"props":375,"children":377},{"src":376},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-cyborg-writeup\u002F19.jpg",[],{"type":23,"tag":29,"props":379,"children":380},{},[381,383,389,391,396],{"type":33,"value":382},"On inspection, we found that this script accepts a parameter with ",{"type":23,"tag":110,"props":384,"children":386},{"className":385},[],[387],{"type":33,"value":388},"-c",{"type":33,"value":390}," and executes it as a command on the system. We then pass the script a command with ",{"type":23,"tag":110,"props":392,"children":394},{"className":393},[],[395],{"type":33,"value":388},{"type":33,"value":397}," and elevate our privileges: sudo runs the script as root, so the command passed to it also runs as root.",{"type":23,"tag":168,"props":399,"children":401},{"code":400},"sudo \u002Fetc\u002Fmp3backups\u002Fbackup.sh -c 
\"\u002Fbin\u002Fbash\"",[],{"type":23,"tag":24,"props":403,"children":405},{"src":404},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-cyborg-writeup\u002F20.jpg",[],{"type":23,"tag":29,"props":407,"children":408},{},[409],{"type":33,"value":410},"And yes, our root shell is open. But if you notice, it is not returning the output of the commands we wrote (this seems to have been set by the administrator). When we open a reverse shell, we can get the output of our commands.",{"type":23,"tag":24,"props":412,"children":414},{"src":413},"https:\u002F\u002Fhackpaper-image-server.netlify.app\u002Fimages\u002Fblogs\u002Ftryhackme-cyborg-writeup\u002F21.jpg",[],{"title":7,"searchDepth":416,"depth":416,"links":417},4,[418,420,421],{"id":62,"depth":419,"text":65},2,{"id":311,"depth":419,"text":314},{"id":333,"depth":419,"text":336},"markdown","content:posts:2025:tryhackme-cyborg-writeup.md","content","posts\u002F2025\u002Ftryhackme-cyborg-writeup.md","posts\u002F2025\u002Ftryhackme-cyborg-writeup","md","\u002Fposts",[430,434],{"_path":431,"title":432,"date":433},"\u002F2025\u002Ftryhackme-overpass-writeup","TryHackMe - Overpass","2025-08-21T12:23:20.000Z",{"_path":435,"title":436,"date":437},"\u002F2025\u002Ftryhackme-startup-writeup","TryHackMe - Startup","2025-08-25T05:33:27.000Z",1776934252086]