@RealTryHackMe - Bounty Hacker

Another day, another challenge.

In today’s post we’re going to solve the Bounty Hacker room in TryHackMe.

Let’s get started.

Going to the room and clicking the deploy/start machine, we see the following:

Your IP address will be different.

Let’s start answering the question.

The first question is to find open ports.

We’re going to enter the command: nmap -sV <deployed IP address> which in my case will be nmap -sV 10.10.126.62

Doing this we see:

We have three ports open. FTP, SSH, and HTTP.

Next question.

We need to see who wrote the task list.

With FTP depending on the configuration, you can access this server with a username of anonymous and any password.

Let’s see if this works.

It worked!

Now let’s do a listing to see what is on the server.

We have a locks.txt and a task.txt file

How do we download the files?

We can use the get command – get <file>

Let’s try it.

The files were downloaded successfully.

We can close the ftp server by entering the exit command.

Doing an cat (concatenate) to open the task.txt file we see:

We found the user – lin.

Let’s answer the next question.

What service can we use to brute force the text file?

Looking at the services opened, we already anonymously logged into the FTP server, so that’s not it.

Let’s see if SSH is the answer. It is!

Next question.

What is the user’s password? The user in this case is lin.

Well to brute force SSH we can use the program – Hydra.

We didn’t open the tasks.txt file.

Let’s open it.

Using the cat command cat locks.txt we see:

Hmm… this file seems like this is a file with passwords.

Going back to Hydra, doing this we can use the command hydra -l lin -P locks.txt <IP address> -t 4 ssh in my case it will be hydra -l lin -P locks.txt 10.10.126.62 -t 4 ssh

Let’s explain the command

Hydra – The program we’re going to use

-l lin – select the user we want to use (lin)

-P tasks.txt – selecting the password file we want

<IP address> – specifying the IP address we want to brute-force

-t 4 – the number of threads we want. In this case we say we want 4 threads. The bigger the threads, the faster hydra will perform

ssh – let’s us know we want to brute-force the ssh server

Doing this we get the following:

We found the password – RedDr4gonSynd1cat3

Now let’s login

Going back to our terminal let’s enter the command ssh lin@10.10.126.62

Let’s break this down

ssh – invoking we want to access the SSH server

lin@10.10.126.62 – the user at the server

We get the following:

We get the question of are we sure we want to connect – enter yes.

Next we need to enter the password. Copy the password from the Hydra output.

Doing that we see the above screenshot.

We are now in the SSH server!

Let’s answer the next question.

We need to find and open the user.txt file.

Doing a long listing to view everything ls -la we see:

We see the user.txt file!

Using the cat command to open the file it will be – cat user.txt

Now to the final question.

We need to find and open the root.txt file.

Going back to the terminal – we’re going to enter the command: find / -perm -u=s -type f 2>/dev/null

Let’s break it down

find – invoke the find command

/ – specifying we’re starting at the root file system

-perm = look for a specific permission

-u = s – specifies we want to find users (owners) with the sticky bit set. The sticky bit allows a user to execute the program as the owner. In this case we want to find sticky bits that can be executed as root.

-type f = we’re looking for files

2>/dev/null – we’re redirecting error messages from the standard output (the screen) to /dev/null.

Doing this we get the following: