TryHackMe Bounty Hacker Writeup
Introduction
Howdy, today I will be doing a walkthrough of BountyHacker on TryHackMe. To complete this room you will need a basic understanding of Linux, Hydra, Nmap and some privilege escalation on misconfigured systems (GTFO Bins).
Links
Cowboy Hacker Lab -https://tryhackme.com/room/cowboyhacker
GTFOBins -https://gtfobins.github.io/
Hydra manpage -https://www.mankier.com/1/hydra
Nmap manpage -https://linux.die.net/man/1/nmap
FTP manpage -https://linux.die.net/man/1/ftp
For this write-up I will be providing the questions, and answers. I ask that you use the answers only if needed, and strive to understand the underlying material. As an additional note, you can do this lab with your own machine, or TryHackMe’s attack box.
Deploy the Machine, and also deploy the attack box VM, or connect to the TryHackMe network with your openvpn credentials. Once everything is deployed, we need to use Nmap to scan the machine, and see what open ports are available.
For this lab I am opting to do nothing fancy, and just running “nmap <machineip>”
Notice the above output. We have 3 ports open. 21,22, and 80 running FTP, SSH, and HTTP respectively. For a fun easter egg navigate to the HTTP server. Looking at the open ports. I feel as if we should look at FTP first. FTP servers can be vulnerable in a number of ways.
Using the terminal, we can attempt to connect to ftp using the command “ftp <machineip>”
Notice in the screenshot I simply hit enter when prompted for an username, it defaulted to root. I was given an error message. “This FTP server is anonymous only”. This tells me I can only use the “anonymous” user account. Lets try connecting again and see what happens. Type “ftp <machineip>” hit enter, and when prompted to enter a username, type “anonymous”.
Notice now we are logged into the FTP server as anonymous. Lets get a list of any files in the by typing “dir”
Two files resides on the FTP server. “locks.txt” and “task.txt”. We can download them with get.
“get locks.txt” “get task.txt”. This will download the files to your local computer, or the attackbox vm you are using. We are done with the FTP server, so type “bye” to exit the server.
Lets view the files. Type “cat locks.txt” it appears as if this is a password list. It may come in handy later. “cat task.txt” leads us to our first question answer, and some more information to continue to attempted attack on this machine.
Question: Who wrote the task list?
Answer: Lin
Question: What service can you bruteforce with the text file found?
Answer: SSH (Secure Shell)
Given that we have a potential ssh username, and a file with passwords. Lets attempt to gain access to SSH. We can do this with Hydra. Hydra is a very powerful network login cracker that supports a variety of services. To attempt to crack the SSH login with hydra we use this command. “hydra -l lin -P locks.txt ssh://machineip”
Question: What is the users password?
Answer: RedDr4gonSynd1cat3
After successfully cracking the password, we can attempt to login with SSH by typing “ssh USERNAME@machineIP” when prompted for the password use what hydra found.
Upon logging in, type ls, and notice user.txt is located in our present working directory. Use cat to view it, then answer the question.
Question: User.txt
Answer: THM{CR1M3_SyNd1C4T3}
For our final question, we need to get creative. We need to find the flag in “root.txt”. Based on the filename it is safe to assume we need access to the root account, but lets verify. Attempting to use sudo to access the root directory doesn’t work. If we do a “sudo -l” we get the following results.
Analyzing the output, you may notice that the user lin will run /bin/tar as root. Lets use this to get a root shell. Looking on GTFOBins we find a few interesting commands for tar. Lets use this one.
Remember to prefix it with sudo. Upon running it you will see a # symbol on the terminal. Congrats, you now have root!
Now we simply change directory to /root/ then cat root.txt.
Question: root.txt
Answer: THM{80UN7Y_h4cK3r}
I hope you enjoyed this walkthrough. Any comments/suggestions for future ones, drop me a line!
