Tryhackme:Bounty Hacker Writeup

You were boasting on and on about your elite hacker skills in the bar and a few Bounty Hunters decided they’d take you up on claims! Prove your status is more than just a few glasses at the bar. I sense bell peppers & beef in your future!

#Enum/Recon

Command used: nmap -A <machine IP>

From the nmap scan result we came to know that two ports are open and they are, 21/tcp ftp and 22/tcp ssh,80/tcp http. Let’s check out port 80 on the browser.

There 3 ports open on the box:
21/ftp- vsftpd 3.0.3 (Anonymous FTP login allowed)
22/ssh- OpenSSH 7.2p2
80/http- Apache/2.4.18

Let go to the browser and check the web page first. But there is nothing interesting.

While performing nmap scan including vulnerability scan we found that anonymous login is allowed on ftp service. It means that we can login as name anonymous without any password.

Using command: ftp MACHINE_IP

Name: anonymous

We are logged in successfully. Now check for the files and folders available on ftp server using the command ls. There are two files named as locks.txt and task.txt

Using get command save the files to the local system and read the content of files using cat command.

Reading the task.txt file we got the answer of third question.

Reading the locks.txt file. The file contains certain strings that looks like password strings. Looking at the services available to us we can figure out what can be bruteforced with the text file.

Using the hydra tool, username that we found in task.txt file and the password list i.e. locks.txt we can bruteforce the password.

Using the command: hydra -l username -P locks.txt MACHINE_IP -t 4 service

After successful completion of attack we got the password which is the answer to fifth question.

Using the username and password connect to the service. Now we have the user access on the system . Change directory to /home/username/Desktop and here we will find the user.txt flag.

Now we need to escalate our privileges. Using command sudo -l find out if we can use sudo to escalate our privileges. We can use sudo command on /bin/tar.

Go to gtfobins and check if we can exploit /bin/tar directory.

Shell

It can be used to break out from restricted environments by spawning an interactive system shell.

  • tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

Follow the exploit given in gtfobins to escalate the privileges. After running the command given in gtfobins we will directly get root privileges. Take the root.txt file.

please everyone join my telegram channel :https://t.me/hackerwheel

Hackerwheel
Change the world
https://t.me/hackerwheel

happy hacking……….

CTF-PLAYER, security analyst, Pentesting, vapt, digital forensics