TryHackMe - Bounty Hacker

You talked a big game about being the most elite hacker in the solar system. Prove it and claim your right to the status of Elite Bounty Hacker!

6/13/2024 · 3 min read

Living up to the title

Deploy the machine

Started up the target machine.

Find open ports on the machine

Here I ran the standard initial nmap command nmap -T4 -sC -sV -Pn -oN ~/Documents/nmap/initial 10.10.208.201 to find me some open ports on the target machine.

Three open ports showed up - port 21, 22 and 80.

Let's look into it a bit further... browsed to http://10.10.208.201 and was presented with the following web page.

Viewed the source of the page and didn't find anything too interesting.

Ran gobuster using command gobuster dir -u http://10.10.208.201 -w /usr/share/wordlists/dirb/common.txt to see if we can find any other pages on the web server. Found a couple.

Now let's check out the FTP server (as the TryHackMe hint says to do). Logged in with defaults and the server states it is anonymous only.

Perfect, let's try again with username anonymous. We're in.

Let's run a dir to see if we have any files or folders to view.

Two files can be seen. Let's grab them by running a get command.

Who wrote the task list?

If we open up the task.txt file we downloaded from the FTP server, we see it is signed off by "lin".

What service can you bruteforce with the text file found?

Here we check the hint, which says to look at port 22, which we discovered as SSH.

So we can try brute force on SSH with username lin and each of those passwords.

What is the users password?

Hint says that Hydra may assist. Open up the Hydra GUI and add the target in, add port 22 in and choose the protocol as ssh.

On the password tab we will add lin as the username and select locks.txt as the password file.

Now over to the start tab and hit start.

That was quick, password found.
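What this step looks like from the server's side, as an added example that is not part of the original walkthrough: a small detector that reads sshd authentication log lines, flags a source address with a burst of failed passwords, and records whether a successful login from that same source followed. The log lines, hostname and addresses are constructed samples in OpenSSH's syslog format, and find_bruteforce and its thresholds are hypothetical names and values chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not captured from the room's machine).
SAMPLE_LOG = """\
Jun 13 10:01:30 host1 sshd[1190]: Failed password for invalid user admin from 192.168.1.20 port 51514 ssh2
Jun 13 10:02:01 host1 sshd[1201]: Failed password for lin from 10.9.0.54 port 40112 ssh2
Jun 13 10:02:02 host1 sshd[1202]: Failed password for lin from 10.9.0.54 port 40114 ssh2
Jun 13 10:02:03 host1 sshd[1203]: Failed password for lin from 10.9.0.54 port 40116 ssh2
Jun 13 10:02:04 host1 sshd[1204]: Failed password for lin from 10.9.0.54 port 40118 ssh2
Jun 13 10:02:05 host1 sshd[1205]: Failed password for lin from 10.9.0.54 port 40120 ssh2
Jun 13 10:02:06 host1 sshd[1206]: Failed password for lin from 10.9.0.54 port 40122 ssh2
Jun 13 10:02:07 host1 sshd[1207]: Accepted password for lin from 10.9.0.54 port 40124 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60), year=2024):
    """Alert on sources with >= threshold failed passwords inside `window`,
    and note the first account that source then logged in to, if any."""
    recent = defaultdict(deque)  # source IP -> timestamps of recent failures
    alerts = {}                  # source IP -> alert record
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, outcome, user, src = m.groups()
        # Classic syslog timestamps carry no year, so one is assumed here.
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if outcome == "Failed":
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in alerts:
                alerts[src] = {"src": src, "first_alert": ts, "compromised_user": None}
        elif src in alerts and alerts[src]["compromised_user"] is None:
            # A success after a flagged burst: the guessing likely worked.
            alerts[src]["compromised_user"] = user
    return list(alerts.values())

if __name__ == "__main__":
    for alert in find_bruteforce(SAMPLE_LOG):
        print(alert)
```

An alert with compromised_user set is the case that matters most for response, since it means a password from the guessed list was accepted.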

user.txt

So let's SSH into the machine using the credentials we've found.

Straight away, by running the ls command, we see that user.txt is on the desktop. View the contents and find the string THM{CR1M3_SyNd1C4T3}

root.txt

For this one I guess we will need to elevate our privileges to view /root.

If we run sudo -l we can see what access the user lin has.

Now let's go to GTFOBins and look to see if there is anything using tar to escalate privileges.

Sure enough there is: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

Run that and instantly we have the access we need to browse to /root. Here we find root.txt and inside the string THM{80UN7Y_h4cK3r}