TryHackMe Cyborg Walkthrough: Squid, Borg Backups & Sudo to Root (Step-by-Step)
Cyborg is an Easy TryHackMe Linux room that chains together a genuinely satisfying attack path: enumerate a web server, loot a leaked Squid proxy password file, crack an APR1 (Apache MD5) hash, use that password to unlock an encrypted Borg backup, recover a user's SSH credentials, and finally escalate to root by abusing a command-injectable script the user can run with sudo.
The room teaches patient enumeration and an important lesson: an unfamiliar file type (a Borg repo) usually just needs the right tool. This guide shows the commands and example output at every stage.
Output below is illustrative — your IP, timing, and the box state will differ. Cracked passwords, credentials, and flags are redacted ([REDACTED] / flag{...}) so you still earn them. Replace <IP> with your target IP.
Tools you'll use: rustscan, nmap, gobuster, hash-identifier, hashcat/john, borgbackup, and ssh.
Task 1 — Recon
Step 1 — Fast port scan with Rustscan
Rustscan races through all ports quickly so you know where to focus:
Step 2 — Detailed scan with nmap
Feed those open ports into nmap for service/version detection:
If nmap shows the ports as filtered with no-response, the box is still booting or your VPN dropped — wait a minute and re-run. We have two open ports: SSH (22) and a web server (80).
Task 2 — Web Enumeration
Open http://<IP>/ in a browser, then brute-force directories with Gobuster:
Two directories matter: /admin/ and /etc/. An /etc/ folder served over HTTP is a big red flag — system config has been exposed.
Visiting /admin/ shows an admins page mentioning a few names (Josh, Adam, Alex) and references a backup archive — note the names and the hint about a backup.
Task 3 — Loot the Squid Config (Leaked Hash)
Browse into /etc/ and you'll find a squid/ folder with directory listing enabled, containing passwd and squid.conf:
squid.conf is a Squid proxy basic-auth config pointing at a password file:
And passwd leaks a username and a password hash:
Reading the results: the username is music_archive, and the $apr1$ prefix marks this as an Apache APR1-MD5 hash. Keep that username in mind — it's also the name of the Borg archive later.
Task 4 — Crack the Hash
Identify the hash, then crack it. $apr1$ is hashcat mode 1600 (John also auto-detects it):
Example hashcat output:
The hash cracks to the passphrase squidward — the password for music_archive, which is also the Borg passphrase you'll need next.
Task 5 — Grab the Borg Backup from /admin
On http://<IP>/admin/, the Archive → Download link gives you an archive.tar. List it before extracting:
Extract it (the tar itself is not encrypted):
So final_archive is a Borg Backup repository — encrypted, deduplicated backup storage. We need the borg tool to read it.
Task 6 — Extract the Borg Repo
Install Borg, then list and extract the repo. The archive name is music_archive (the username from the hash), and the passphrase is the password you just cracked:
This drops a home/ directory containing user Alex's home folder. Check Documents:
There are Alex's SSH credentials. (There's also a Desktop/secret.txt with a "well done" note — a nice red herring.)
Task 7 — SSH In & Get the User Flag
Task 8 — Privilege Escalation to Root
Always start privesc by checking your sudo rights:
Alex can run /etc/mp3backups/backup.sh as root with no password. Read the script:
The important lines parse a -c option and then execute whatever you pass:
Because the script runs as root and executes your -c argument, this is a command injection straight to root.
Method A — read the flag directly
Method B — get a full root shell (SUID bash)
Set the SUID bit on /bin/bash, then launch a privileged shell:
🎉 Box rooted!
Summary: The Attack Path
| Stage | Tool / Technique | Result |
|---|---|---|
| Recon | rustscan -> nmap | SSH (22) + HTTP (80) |
| Web enum | gobuster | Found /admin/ and /etc/ |
| Loot | Squid passwd / squid.conf | music_archive + APR1 hash |
| Crack | hashcat -m 1600 / john | Borg passphrase |
| Backup | borg extract | Alex's SSH credentials |
| Access | ssh | user.txt |
| Privesc | sudo script -c command injection | Root + root.txt |
What You Learned (and How to Defend It)
- Never expose config or password files via the web root. A directory-listed /etc/squid/ leaked everything an attacker needed to start.
- APR1-MD5 is weak against wordlists — rockyou.txt cracks common passwords instantly. Use long, unique passphrases.
- Backups are loot. A downloadable Borg repo plus a reused passphrase exposed a full home directory and live credentials. Encrypt backups with strong keys and keep them off public servers.
- Audit sudo rules carefully. A NOPASSWD script that runs user-supplied input (-c) is effectively a gift of root. Never pass user input to a shell, and scope sudo to fixed, safe commands.
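To make the last point concrete, here is an added example (not the room's /etc/mp3backups/backup.sh) of how a sudo-run backup script should treat its -c option: the value selects a mode from a fixed allowlist and is never handed to a shell. The source and destination paths are assumptions for the example.

```shell
#!/bin/sh
# Hardened shape for a script that runs under a NOPASSWD sudo rule.
# The room's script executes whatever follows -c; here -c only names a mode,
# and the mode name is matched exactly against an allowlist before anything runs.

# Paths are assumptions for this example.
MP3_SRC="/home/alex/Music"
BACKUP_OUT="/var/backups/mp3backup.tgz"

# Return 0 only for an exact allowlisted mode name. Values such as "archive; id",
# "$(id)" or "archive " (trailing space) fall through to the default and are rejected.
validate_backup_mode() {
    case "$1" in
        archive|verify|list) return 0 ;;
        *)                   return 1 ;;
    esac
}

# Dispatch each mode to a fixed command line. No eval, no "$cmd", no sh -c:
# the user-supplied string never becomes part of a command.
run_backup_mode() {
    validate_backup_mode "$1" || { printf 'backup: unknown mode: %s\n' "$1" >&2; return 2; }
    case "$1" in
        archive) tar -czf "$BACKUP_OUT" -- "$MP3_SRC" ;;
        verify)  tar -tzf "$BACKUP_OUT" >/dev/null ;;
        list)    tar -tzf "$BACKUP_OUT" ;;
    esac
}

# Parse options with getopts; -c takes the mode name, anything else is a usage error.
main() {
    OPTIND=1
    mode=""
    while getopts "c:" opt; do
        case "$opt" in
            c) mode="$OPTARG" ;;
            *) printf 'usage: %s -c archive|verify|list\n' "$0" >&2; return 2 ;;
        esac
    done
    [ -n "$mode" ] || { printf 'usage: %s -c archive|verify|list\n' "$0" >&2; return 2; }
    run_backup_mode "$mode"
}

# Run only when invoked with arguments, so the file can also be sourced for testing.
case "$#" in
    0) ;;
    *) main "$@" ;;
esac
```

With this shape, the matching sudoers line can stay NOPASSWD for the script and still not hand out root, because every command line the script can run is fixed in the file itself.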
Handy Reference Commands
For educational use only. TryHackMe is a legal, sandboxed lab. Never use these techniques against systems you don't own or aren't explicitly authorised to test.