boot2root, hacking, web application security

Solving @TryHackMe – Bounty Hunter

Another day, another challenge.

In today’s post we’re going to solve the Bounty Hunter room in TryHackMe.

Let’s get started.

Going to the room and clicking the deploy/start machine, we see the following:

Your IP address will be different.

Let’s start answering the question.

The first question is to find open ports.

We’re going to enter the command: nmap -sV <deployed IP address> which in my case will be nmap -sV 10.10.126.62

Doing this we see:

We have three ports open. FTP, SSH, and HTTP.

Next question.

We need to see who wrote the task list.

With FTP depending on the configuration, you can access this server with a username of anonymous and any password.

Let’s see if this works.

It worked!

Now let’s do a listing to see what is on the server.

We have a locks.txt and a task.txt file

How do we download the files?

We can use the get command – get <file>

Let’s try it.

The files were downloaded successfully.

We can close the ftp server by entering the exit command.

Doing an cat (concatenate) to open the task.txt file we see:

We found the user – lin.

Let’s answer the next question.

What service can we use to brute force the text file?

Looking at the services opened, we already anonymously logged into the FTP server, so that’s not it.

Let’s see if SSH is the answer. It is!

Next question.

What is the user’s password? The user in this case is lin.

Well to brute force SSH we can use the program – Hydra.

We didn’t open the tasks.txt file.

Let’s open it.

Using the cat command cat locks.txt we see:

Hmm… this file seems like this is a file with passwords.

Going back to Hydra, doing this we can use the command hydra -l lin -P locks.txt <IP address> -t 4 ssh in my case it will be hydra -l lin -P locks.txt 10.10.126.62 -t 4 ssh

Let’s explain the command

Hydra – The program we’re going to use

-l lin – select the user we want to use (lin)

-P tasks.txt – selecting the password file we want

<IP address> – specifying the IP address we want to brute-force

-t 4 – the number of threads we want. In this case we say we want 4 threads. The bigger the threads, the faster hydra will perform

ssh – let’s us know we want to brute-force the ssh server

Doing this we get the following:

We found the password – RedDr4gonSynd1cat3

Now let’s login

Going back to our terminal let’s enter the command ssh lin@10.10.126.62

Let’s break this down

ssh – invoking we want to access the SSH server

lin@10.10.126.62 – the user at the server

We get the following:

We get the question of are we sure we want to connect – enter yes.

Next we need to enter the password. Copy the password from the Hydra output.

Doing that we see the above screenshot.

We are now in the SSH server!

Let’s answer the next question.

We need to find and open the user.txt file.

Doing a long listing to view everything ls -la we see:

We see the user.txt file!

Using the cat command to open the file it will be – cat user.txt

Now to the final question.

We need to find and open the root.txt file.

Going back to the terminal – we’re going to enter the command: find / -perm -u=s -type f 2>/dev/null

Let’s break it down

find – invoke the find command

/ – specifying we’re starting at the root file system

-perm = look for a specific permission

-u = s – specifies we want to find users (owners) with the sticky bit set. The sticky bit allows a user to execute the program as the owner. In this case we want to find sticky bits that can be executed as root.

-type f = we’re looking for files

2>/dev/null – we’re redirecting error messages from the standard output (the screen) to /dev/null.

Doing this we get the following:

The above files allows us to execute the program as root.

Most of these are standard, but the sudo command should not be there.

Why? The sudo allows to execute root commands for the specific command.

With the sudo command there’s also a file sudoers file that tells the users, and files that can run as root.

To figure this out, let’s enter the command sudo -l

We’re going to be prompted for the password which is: RedDr4gonSynd1cat3

Doing this we see:

We see that one file – /bin/tar can run as root.

Going to Google and typing in privilege escalation tar file

We see:

Clicking on the first link we see:

Scrolling down we see:

We see a section on Sudo!

Copying this command into our terminal and entering the whoami command we get:

We have successfully escalated our privileges to root!

Going to the root home directory and doing a long listing we see:

We see the root.txt file

Let’s open it with the cat command.

Doing this we see:

We have successfully solved the challenge!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s