TryHackMe | Bounty Hacker
You talked a big game about being the most elite hacker in the solar system. Prove it and claim your right to the…
I will try my best here not to include any of the answers from the tasks section of the TryHackMe room, but remember: the answers you will never see here are the root and user flags.
Anyway, let’s continue.
Firstly let’s start as always with our nmap:
As we can see here we have a web server on port 80, an FTP server on port 21 and a REDACTED server on port 22.
Naturally the first thing I want to do here is check the FTP server first and see if it allows anonymous login and if so, what is on it.
Notice this time our nmap couldn’t read the directory listings and so we must manually examine this (as we always should!).
So let us manually examine the FTP server:
Awesome, so we have 2 files here we want to get to our system so let’s do just that:
Now to check out the files.
First the task.txt:
And now the locks.txt:
Okay so let’s just take a moment to summarise what we have here.
1: A possible username.
2: A list of possible passwords.
With that in mind we now want to check out the web server and see if we can find anything interesting or additional there:
Okay awesome, upon checking the very first page we get 4 other potential usernames.
I checked for additional hidden comments with the “View Page Source” and found none.
So with that in mind let’s just run a gobuster to find any additional directories:
And we found nothing useful so now the next thing to try is hydra!
First I want to put all of the usernames we found so far to a text file so we can use it with the possible password list we found earlier.
NOTE: Put the usernames in the order you found them as this is likely to be relevant to the type of CTF we are doing.
First the file containing our usernames:
And now that’s done the only thing to do is run hydra against the REDACTED server:
And we instantly get a match back:
Now that we have the credentials for the user, we can log in as them and start our usual enumeration process:
With that in mind let’s continue onward.
Firstly the users:
Just the one it seems so that is cool.
Now we are going to try sudo -l:
Okay, so as you can see here, it asked for the user's password. We tried using the password we found earlier with hydra to log in to the machine as the user's password, and it worked!
Next the system-wide crontab:
Also nothing. So now I want to check out this user's directory for anything interesting; however, you will notice we start automatically in the directory /home/user/Desktop.
This is because that is where the user.txt is located:
So let’s get the user flag:
Now, we noticed that tar can be run as the root user, and we know our user can access the sudo command.
With that in mind I’m going to head over to GTFOBins and search for a tar exploit:
And we found one! So now to try this on the machine:
And success! We are now root, the only thing that is left here now is to get the root flag.
I will assume you know where it is; if not, that's fine, it's located here:
And we are done! Congratulations and thank you for reading :)
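From the defender's side, the sudo rule that made the tar step above possible is easy to catch by auditing `sudo -l` output per account. The script below is an added example, not part of the original write-up: the sample output, the user "alice", the host "host01" and the review list beyond tar are all constructed assumptions.

```python
import os
import re

# Assumed review list: programs that can run other programs on request, so a
# sudo rule for them amounts to a root shell. "tar" is the case in this
# write-up; the other names are illustrative additions.
SHELL_CAPABLE = {"tar", "find", "vim", "less", "awk"}

# Constructed sample of `sudo -l` output (hypothetical user "alice", host "host01").
SAMPLE = """\
Matching Defaults entries for alice on host01:
    env_reset, mail_badpass

User alice may run the following commands on host01:
    (root) /bin/tar
    (root) NOPASSWD: /usr/bin/systemctl status nginx
    (ALL : ALL) ALL
"""

# Rule line shape: "    (runas) [TAG: ...] command[, command ...]"
RULE = re.compile(r"^\s+\(([^)]*)\)\s+((?:[A-Z_]+:\s*)*)(.+)$")


def audit(sudo_l_output):
    """Return (runas, command, reason) for every rule that needs review."""
    findings = []
    in_rules = False
    for line in sudo_l_output.splitlines():
        if "may run the following commands" in line:
            in_rules = True  # everything above this header is the Defaults block
            continue
        match = RULE.match(line) if in_rules else None
        if not match:
            continue
        runas, _tags, commands = match.groups()
        for command in (c.strip() for c in commands.split(",")):
            if not command:
                continue
            binary = os.path.basename(command.split()[0])
            if command == "ALL":
                findings.append((runas, command, "unrestricted sudo"))
            elif binary in SHELL_CAPABLE:
                findings.append((runas, command, "can spawn a root shell"))
    return findings


if __name__ == "__main__":
    for runas, command, reason in audit(SAMPLE):
        print(f"REVIEW ({runas}) {command}: {reason}")
```

A flagged rule is best removed or replaced with a root-owned wrapper script that calls the program with fixed arguments.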
Please feel free to follow me on twitter if you like the write up: https://twitter.com/amec0e