tryhackme: bounty hacker [writeup]

Hey! 👋

Here’s my writeup for Bounty Hacker, an easy room on TryHackMe.

Enjoy!

First of all, we run a simple nmap scan against all ports:

nmap -p- -A -T4 10.10.16.17

We can see 3 open ports:

21 FTP | 22 SSH | 80 HTTP

We can also see that anonymous FTP login is allowed.

So — let’s try logging in:

We’re in! Check the directory with ls and you’ll see 2 very interesting files.

Let’s go ahead and download them to our machine for further inspection:

Great. Take a look inside them:

locks.txt
task.txt

locks.txt obviously looks like a password list, and task.txt contains a username. Entering that username as the answer to the question confirms that lin is indeed a valid username:

The nmap scan also revealed that SSH is open on port 22. Since we now have a username and a password list, let’s try to brute-force the login using THC Hydra:

hydra -l lin -P locks.txt 10.10.16.17 -t 4 ssh

Aaand we found valid credentials! Don’t forget to answer the questions while we’re at it:

Now, let’s try to log in with the found credentials:

It worked! We now have user access. Grab the user flag:

And paste it in:

Nice!

Our next goal is root, but where do we start? The first thing I normally do is check which commands the current user is allowed to run with sudo. Here’s how:

sudo -l

Enter the password we found earlier when prompted.

We can see that we are allowed to run /bin/tar as root.

Let’s check GTFOBins to see whether there is a known sudo escape for tar:

And yes, there is one available. You can find it here.

Scrolling to the end, we come across this command fitting our situation:

Let’s give it a shot:

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

Success! Running whoami shows that we are now root! The only thing left to do is to grab the root flag:
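The sudo rule abused above is exactly the kind of misconfiguration a defender wants to catch before anyone else does. Here is an added audit script (my own example, not part of the room or of GTFOBins) that parses sudoers-style rules and flags shell-capable binaries such as tar granted as root with no argument restriction; the sample sudoers content and the list of flagged binaries are constructed for illustration.

```python
import re

# Illustrative subset of binaries whose ordinary options can hand the caller a
# shell or command execution (tar's --checkpoint-action is the case from this
# room). Constructed for the example; a real audit would use a fuller list.
SHELL_CAPABLE = {"tar", "vim", "less", "find", "python3"}

# sudoers rule shape: user host=(runas[:group]) [TAG: ...] command[, command ...]
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

def audit_sudoers(text):
    """Return (user, command, nopasswd) for every rule that lets a user run a
    shell-capable binary as root with no argument restriction at all."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        nopasswd = "NOPASSWD:" in m.group("tags")
        for entry in m.group("cmds").split(","):
            parts = entry.split()
            if not parts:
                continue
            binary = parts[0].rsplit("/", 1)[-1]
            # ALL is its own (worse) problem; a non-root runas is out of scope here
            if binary == "ALL" or runas not in ("root", "ALL"):
                continue
            # Fixed arguments narrow the rule (not always safely); the bare
            # binary is what lets tar's checkpoint trick run as root unhindered.
            if binary in SHELL_CAPABLE and len(parts) == 1:
                findings.append((m.group("who"), parts[0], nopasswd))
    return findings

# Constructed sample sudoers content; the lin line mirrors the room's finding.
SAMPLE = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
lin     ALL=(root) /bin/tar
backup  ALL=(root) NOPASSWD: /bin/tar -czf /var/backups/home.tgz /home
ops     ALL=(root) /usr/bin/systemctl restart nginx
"""

if __name__ == "__main__":
    for who, cmd, nopw in audit_sudoers(SAMPLE):
        print(f"{who} may run {cmd} as root{' without a password' if nopw else ''}")
```

The fix for a flagged rule is to drop it or to pin the exact arguments the user needs, and to avoid granting tar, editors or interpreters as root at all.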

And to paste it into the question:

We did it! We completed the Bounty Hacker room.

In conclusion, this was a nice & easy room that didn’t take long.

In this approach, we ignored the website on port 80 and skipped enumerating it, since we instantly found a valid way in. This is very rare and you shouldn’t do it: especially in CTFs, a quick win like this might just be a rabbit hole, and you end up stuck wasting time. So always do all of your enumeration!

This was my first writeup and I hope you enjoyed it; feel free to leave feedback.

Cheers!