TryHackMe Cyborg — Walkthrough
Let’s start with an nmap scan.
We see that port 80 is open. Let’s run dirb to enumerate the directories.
We see that it has an admin page.
Let’s download the archive.
Here is what we found.
It seems like they are using a tool called borg.
Learn about borg: https://ostechnix.com/backup-restore-files-borg-linux/
It needs a password to open, so let’s search for the password. Earlier, the directory scan also turned up an /etc folder, and from there we got a passwd file.
Let’s crack it.
We got the password. Now let’s extract the borg backup.
We got the SSH password. Now let’s SSH to the server.
Using sudo -l, we can see that backup.sh can be run with sudo.
On viewing the source code, we can see that the -c flag lets us run any command as sudo.
Or we can just edit the file (chmod +w file).
sudo /etc/mp3backups/backup.sh -c whoami
With this, we have root privileges on the machine.
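
An added example, not part of the original walkthrough and not the room's backup.sh: a defender-side audit for a script that sudoers lets an unprivileged user run, covering both issues above (a variable executed as a command, and a file the user can make writable). The function names and the sample script are constructed for illustration, and GNU or busybox stat is assumed.

```sh
#!/bin/sh
# Added example: audit a script that sudoers lets an unprivileged user run as root.
# Assumes GNU or busybox stat (-c format). All function names are hypothetical.

# Findings from owner uid ($1) and octal mode ($2, as printed by `stat -c %a`).
mode_findings() {
    out=""
    [ "$1" -ne 0 ] && out="$out owner-not-root"
    [ $(( 0$2 & 020 )) -ne 0 ] && out="$out group-writable"
    [ $(( 0$2 & 002 )) -ne 0 ] && out="$out world-writable"
    echo "${out# }"
}

# Lines where a variable expansion sits in command position, so the script
# executes whatever string that variable holds. Heuristic: review each hit.
exec_var_lines() {
    grep -nE '(^|\$\(|[;|&`])[[:space:]]*\$\{?[A-Za-z_]' "$1" || true
}

# Report on the script and on its directory (a writable directory lets the
# file be replaced even when the file itself is locked down).
audit_sudo_script() {
    dir=$(dirname "$1")
    m=$(mode_findings "$(stat -c %u "$1")" "$(stat -c %a "$1")")
    d=$(mode_findings "$(stat -c %u "$dir")" "$(stat -c %a "$dir")")
    [ -n "$m" ] && echo "file: $m"
    [ -n "$d" ] && echo "dir: $d"
    exec_var_lines "$1" | sed 's/^/runs-variable: line /'
}

# Constructed sample (not the room's backup.sh): runs the argument of -c.
demo() {
    t=$(mktemp)
    printf '%s\n' 'while getopts c: flag; do' \
        '  case "$flag" in c) command=$OPTARG;; esac' 'done' \
        'out=$($command)' 'echo "$out"' > "$t"
    chmod 666 "$t"
    audit_sudo_script "$t"
    rm -f "$t"
}
demo
```

A script that passes this audit is owned by root, not writable by group or others, sits in a directory with the same properties, and never places a caller-supplied variable in command position.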