Hello everyone.
It’s Maruf, back again with another writeup.
This time I’m gonna be solving the “Bounty Hacker” from “Try Hack Me”.

So, without any more delay, let’s jump into the task.
The target IP for me is 10.10.207.40 and the first thing we need to do is to perform an Nmap scan on our target.
To do that, I’m using the command (normal-format output is selected with -oN; a bare -o is not a valid Nmap output option):
nmap -A <Target_IP> -oN <Result_Output_Path>

As you can see here, we have three ports open on our target machine.
The ports are as follows:
* 21 for FTP Service
* 22 for SSH Service
* 80 for HTTP Service
Let’s see if there is anything interesting in the website running over port 80.

It’s just a simple webpage. Nothing seems suspicious.
Let’s check the source code.

Nope, we don’t have anything interesting here either.
Let’s move on to the FTP Service.
From our nmap scan result, we have got a very interesting piece of information here.
And this interesting thing is,
The FTP service of this machine supports anonymous login.

So, let’s give it a try.

Okay, as you can see here, I’ve logged into the server via anonymous ftp login.
And we found two text files there.
One is “locks.txt” and the other one is “task.txt”.
But unfortunately we couldn’t read those files via FTP, as we don’t have permission to run most of the basic commands on this machine’s FTP service.
So, I had to download the files to my machine.
And then I was able to read those files.

As you can see here,
The ‘task.txt’ is about two tasks given to someone by the person named “lin”.
And the file ‘locks.txt’ contains some text. These seem more like passwords or something like that.
If we count these words from the file “locks.txt” as passwords, then the name ‘lin’ could be a potential username.
And if both of these predictions are true, then most probably we can get into the server via the SSH Service by using the username “lin” and one of the words from “locks.txt” as the password.
Let’s give it a try.
So, I’m gonna brute-force the ssh service of our target machine using the username ‘lin’ and the “locks.txt” file as a password list.
For brute-forcing ssh, I’m using Hydra and here is the command that I’m gonna use:
hydra -l <Username> -P <Password_List> ssh://<Target_IP>
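On the defender’s side, a run like this leaves a very recognisable trace in sshd’s auth.log: a burst of “Failed password” lines from one source IP, often ending in an “Accepted password” from the same source once a word from the list matched. The following is an added example, not code from the original writeup: it parses constructed auth.log lines (hostname, IPs and timestamps are made up) and flags any source IP with five or more failures inside a minute, noting whether a successful login followed the burst.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (made up, not from the target machine): one normal
# login, then the burst of failures a Hydra run leaves behind, ending in a success
# from the same source once a password matched, and one stray failure elsewhere.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 bounty sshd[1201]: Accepted password for lin from 10.0.0.5 port 50000 ssh2
Mar  3 10:02:10 bounty sshd[1301]: Failed password for lin from 10.10.14.7 port 41000 ssh2
Mar  3 10:02:10 bounty sshd[1302]: Failed password for lin from 10.10.14.7 port 41001 ssh2
Mar  3 10:02:11 bounty sshd[1303]: Failed password for lin from 10.10.14.7 port 41002 ssh2
Mar  3 10:02:11 bounty sshd[1304]: Failed password for invalid user admin from 10.10.14.7 port 41003 ssh2
Mar  3 10:02:12 bounty sshd[1305]: Failed password for lin from 10.10.14.7 port 41004 ssh2
Mar  3 10:02:12 bounty sshd[1306]: Failed password for lin from 10.10.14.7 port 41005 ssh2
Mar  3 10:02:13 bounty sshd[1307]: Accepted password for lin from 10.10.14.7 port 41006 ssh2
Mar  3 10:30:00 bounty sshd[1401]: Failed password for lin from 10.0.0.9 port 52000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
def parse_auth_log(text):
    """Yield (timestamp, result, user, ip) for each sshd password event."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog stamps carry no year; strptime defaults it, fine for ordering
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["result"], m["user"], m["ip"]

def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Return {ip: {"failures": n, "success_after": bool}} for every source IP with
    at least `threshold` failed logins inside any `window_seconds` span."""
    fails, successes = defaultdict(list), defaultdict(list)
    for ts, result, _user, ip in parse_auth_log(text):
        (fails if result == "Failed" else successes)[ip].append(ts)
    alerts = {}
    for ip, times in fails.items():
        times.sort()
        for i, start in enumerate(times):  # sliding window over the sorted failures
            burst = [t for t in times[i:] if (t - start).total_seconds() <= window_seconds]
            if len(burst) >= threshold:
                # A success after the burst is the "password found" case worth escalating
                after = any(s >= burst[-1] for s in successes.get(ip, []))
                alerts[ip] = {"failures": len(times), "success_after": after}
                break
    return alerts
```

Feeding real /var/log/auth.log content into detect_bruteforce gives the same per-IP summary; rate limiting or key-only authentication on sshd removes this whole class of finding.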

As you can see here, we have got the password for SSH.
So, our SSH login credentials are:
Username: lin Password: RedDr4gonSynd1cat3
Now let’s log into SSH.

Okay we have successfully logged in using the credentials that we have found. And we also got the user flag in the “Desktop” directory.
The user flag is:
THM{CR1M3_SyNd1C4T3}
Now we need to find the root flag. For that, I’m gonna use this command:
find / -name "root.txt" 2>/dev/null

As you can see here, we couldn’t find the ‘root.txt’ file.
So, I ran ‘sudo -l’ to check the user’s privileges, and that gave us an interesting piece of information: we can run ‘/bin/tar’ with root privileges.
So let’s check GTFOBins to find out how to break out of restricted environments with ‘tar’.
Okay, we found the following command on GTFOBins for breaking out of restrictions with ‘tar’:
tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

So, let’s run this command on our target machine.

Boom!
We are root now.
And you can see, we have got the root flag as well.
The root flag is:
THM{80UN7Y_h4cK3r}
So, here we end our write-up.
Hope you enjoyed it.
And feel free to share with us in the comment section below if you find any difficulty while solving this challenge.
Goodbye for now.
See you soon.