tryhackme: bounty hacker [writeup]
Hey! 👋
Here’s my writeup for Bounty Hacker, an easy room on TryHackMe.

Enjoy!
First of all, we’re running a simple nmap scan:
nmap -p- -A -T4 10.10.16.17

We can see 3 open ports:
21 FTP | 22 SSH | 80 HTTP
We can also see that anonymous FTP login is allowed.
So — let’s try logging in:

We’re in! Check the directory with ls and you’ll see 2 very interesting files.
Let’s go ahead and download them to our machine for further inspection:

Great. Take a look inside them:


locks.txt obviously looks like a password file & task.txt contains a username. Entering the username as the answer to the question confirms that lin is indeed a valid username:

The nmap scan also revealed that SSH is open on port 22. Since we have a username & a password list, let’s try to bruteforce it using THC Hydra:
hydra -l lin -P locks.txt 10.10.16.17 -t 4 ssh

Aaand we found valid credentials! Don’t forget to answer the questions while we’re at it:


Now, let’s try to log in with the found credentials:

It worked! We have user access now! Grab the user flag:

And paste it in:

Nice!
Our next goal is root, but where do we start? The first thing I normally do is check which commands the current user is allowed to run with sudo. Here’s how we do it:
sudo -l

We can see that we can run /bin/tar as root.
Let’s check GTFOBins to see if there are any exploits available for tar:

And yes, there is one available. You can find it here.
Scrolling to the end, we come across this command fitting our situation:

Let’s give it a shot:
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

Success! Running whoami shows that we are now root! The only thing left to do is to grab the root flag:

And to paste it into the question:


We did it! We completed the Bounty Hacker room.
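
From the defender's side, the sudo rule that sudo -l revealed above is the misconfiguration that made root possible. The script below is an added example, not part of the original writeup: it scans sudo -l output for binaries with a known shell escape. The RISKY list is a hand-picked subset of GTFOBins entries, and the sample input (including the host name "host") is constructed.

```shell
#!/bin/sh
# Added example: audit `sudo -l` output for rules that hand out a shell.
# RISKY is an assumed, hand-picked subset of binaries that GTFOBins lists
# with a sudo shell escape; extend it before using it for a real audit.
RISKY="tar vim vi find less more awk man perl python python3 env bash sh"

# audit_sudo_rules: reads `sudo -l` output on stdin and prints one finding
# per risky command as "<runas> <path>". Exit status 1 if anything was found.
audit_sudo_rules() {
    awk -v risky="$RISKY" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    /^[ \t]*\(/ {                         # rule lines start with "(runas)"
        runas = $0
        sub(/^[ \t]*\(/, "", runas); sub(/\).*/, "", runas)
        cmds = $0
        sub(/^[^)]*\)[ \t]*/, "", cmds)
        # Drop tags such as NOPASSWD: or SETENV: in front of the command list
        while (cmds ~ /^[A-Z_]+:[ \t]*/) sub(/^[A-Z_]+:[ \t]*/, "", cmds)
        m = split(cmds, c, /,[ \t]*/)
        for (j = 1; j <= m; j++) {
            split(c[j], w, " ")           # w[1] is the path, the rest are args
            k = split(w[1], p, "/")
            name = p[k]                   # basename of the command
            if (w[1] == "ALL") { print runas, "ALL (unrestricted)"; hits++ }
            else if (name in bad) { print runas, w[1]; hits++ }
        }
    }
    END { exit (hits > 0) }'
}

# Constructed sample modelled on the rule in this room (lin may run /bin/tar).
SAMPLE='User lin may run the following commands on host:
    (root) /bin/tar
    (root) NOPASSWD: /sbin/reboot, /usr/bin/less /var/log/syslog'

printf '%s\n' "$SAMPLE" | audit_sudo_rules || echo "^ review these sudo rules"
```

On a real host, pipe sudo -l -U <user> (run as root) into audit_sudo_rules for each account. Any hit should be removed or replaced with a narrowly scoped wrapper script.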
In conclusion, this was a nice & easy room that didn’t take long.
In this approach, we ignored the website on port 80 and its enumeration, since we instantly found a valid way in. Finding one this quickly is very rare, and you shouldn’t skip enumeration: especially in CTFs, a lead like this might just be a rabbit hole that leaves you stuck wasting time. So always do all of your enumeration!
This was my first writeup and I hope you enjoyed it, feel free to leave feedback.
Cheers!