Bounty Hacker — TryHackMe

Kingslayr
May 15, 2021

Hi!

This is my very first write-up, thank you for being a part of this moment. Today we’ll be going through the “Bounty Hacker” CTF on TryHackMe.

A hunter and a hacker have a crucial detail in common. They gather relevant information which can reveal an attack vector to their target. I started my hunt with an nmap scan, short for network mapper, which is pretty self-explanatory.

sudo nmap -sC -sT -v -O 10.10.46.74

After running this nmap scan I notice HTTP, a foundational communication protocol used across the internet; SSH, or secure shell, which is used to remotely access computers; and lastly FTP, or file transfer protocol, which is used to upload and download files to a computer from a server and vice versa.

Immediately, I see FTP allowed anonymous login. I keep a note of that while I visit the website being hosted on port 80 by visiting the IP address of our target machine, and I came across...

http://10.10.46.74

Nice! Here we can see our objective is to get root access to the system, which is synonymous with having administrator account privileges. If you own that, you own the machine. Referring to my notes, I recall the FTP anonymous login that is allowed, so I decided that was the best place to begin the hunt.

ftp 10.10.46.74

When prompted for a username I wrote “anonymous” and a successful login was achieved! I proceeded to use “ls -la” to list any files in the present directory as well as the permissions I had to what could be accessed. I see we have two files we can read, locks.txt and task.txt. I use the “get” command to transfer the files from that computer to my own. Let’s open them!

locks.txt

This seems to be a word list we can use to possibly brute force a login somewhere!

task.txt

This appears to be a message written by someone named Lin. I couldn’t make anything out of the actual message, but after some light pondering and organizing the new findings in my notes, I realize we have an SSH port open, a word list, and a username! I created a file named “users.txt” containing the usernames root, admin, and lin, who wrote the task.txt file we saw earlier.

Let’s crank up ncrack, a password cracking tool! All we have to do is specify a user list, password list, IP address and the port the service is running on.

ncrack -U ~/users.txt -P /usr/share/wordlists/locks.txt -vv 10.10.46.74:22

Awesome!! It seems we have a match for lin’s SSH credentials, let’s go! We log in with the ssh command followed by username@address.
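From the defender's side, the password guessing described above shows up in the target's sshd log as a burst of failed passwords from one address followed by an accepted login. The following is an added example (not part of the original write-up) that flags that pattern; the log lines are constructed and the threshold of 5 failures is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not taken from the machine in the write-up);
# 203.0.113.5 and 198.51.100.9 are documentation addresses.
SAMPLE_LOG = """\
May 15 10:01:02 box sshd[1201]: Failed password for root from 203.0.113.5 port 40112 ssh2
May 15 10:01:03 box sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 40114 ssh2
May 15 10:01:04 box sshd[1205]: Failed password for lin from 203.0.113.5 port 40116 ssh2
May 15 10:01:05 box sshd[1207]: Failed password for lin from 203.0.113.5 port 40118 ssh2
May 15 10:01:06 box sshd[1209]: Failed password for root from 203.0.113.5 port 40120 ssh2
May 15 10:01:07 box sshd[1211]: Accepted password for lin from 203.0.113.5 port 40122 ssh2
May 15 10:07:30 box sshd[1300]: Failed password for lin from 198.51.100.9 port 51000 ssh2
May 15 10:07:41 box sshd[1302]: Accepted password for lin from 198.51.100.9 port 51002 ssh2
"""

# Matches OpenSSH password-auth results, including the "invalid user" variant.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_guessing(log_text, threshold=5):
    """Report source IPs with >= threshold failures and any login that followed."""
    failures = defaultdict(int)
    users = defaultdict(set)
    compromised = defaultdict(set)
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip] += 1
            users[ip].add(user)
        elif failures[ip] >= threshold:
            compromised[ip].add(user)  # success only counts after the burst
    return [
        {"ip": ip, "failures": n, "users_tried": sorted(users[ip]),
         "logins_after_failures": sorted(compromised[ip])}
        for ip, n in failures.items() if n >= threshold
    ]

if __name__ == "__main__":
    for finding in find_guessing(SAMPLE_LOG):
        print(finding)
```

A single mistyped password followed by a normal login (the second address in the sample) stays below the threshold and is not reported.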

We have achieved user status on our target! All we need to do from here is escalate our privileges from user to root. After we own the machine we can leave with our bell peppers and beef! The first command I run is “sudo -l”, which lets me know the reach of what I can do with lin’s account.

Here we see as lin I can run commands in the /bin/tar directories as root, perfect! I make a note of this and visit GTFOBins, which is a privilege escalation tool that leverages user misconfiguration. I input the variables specific to my scenario, which is access through the /bin/tar path, and found this.

Amazing! We have successfully elevated our privileges, owned the machine and grabbed our final flag located in the root.txt file. Bounty fulfilled,

See you later space cowboy!
