Jasper Alblas
Hi! This is my walkthrough on the Bounty Hacker CTF on TryHackMe. In this fun but short CTF we will be doing network scanning, password cracking and abusing sudo rights. All in all a great CTF to practice some fundamental pentesting skills.
Room URL: https://tryhackme.com/room/cowboyhacker
I am making these walkthroughs to keep myself motivated to learn cyber security, and to ensure that I remember the knowledge gained from THM's rooms. Join me in learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.
You were boasting on and on about your elite hacker skills in the bar and a few Bounty Hunters decided they’d take you up on claims! Prove your status is more than just a few glasses at the bar. I sense bell peppers & beef in your future! Let’s prove that we are a true Bounty Hacker!
Answer: No answer needed.
I found that scanning all ports took way too long on my AttackBox, so I simply selected the top 100 ports:
nmap --top-ports 100 10.10.5.226
I found 3 open ports: 21 (ftp), 22 (ssh) and port 80 (http).
Let’s do a more detailed port scan of those 3 ports. We use the -A flag here, which is called Aggressive Detection Mode. It is basically a combination of several other flags, and enables version detection, OS detection and the running of some default scripts.
nmap -A -p 21,22,80 10.10.5.226
We found a webpage:
But more importantly for this task, anonymous access is available on the FTP service. We can also see that there is a task.txt file on it.
Answer: No answer needed
Great job so far, Bounty Hacker. Let’s try logging in on the ftp service:
ftp <ip address>
We can see that lin has written the note.
Answer: lin
There is another text file on the ftp server: locks.txt. It has the following content:
This looks like some kind of wordlist that we can use to gain access to a server. Since SSH on the server is password protected, I am going to guess we can brute-force it.
Answer: ssh
To brute-force lin’s password we can use hydra. We know the username and in addition have a wordlist to use. Download the locks.txt file to your machine:
get locks.txt
Run the following hydra command:
hydra -l lin -P locks.txt -t 6 ssh://<machine ip>
This quickly cracked the password:
Answer: RedDr4gonSynd1cat3
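The hydra run above leaves a very recognisable trace on the target: a burst of "Failed password" lines in the SSH log from one source, followed by an "Accepted password" from the same source. The following Python is an added example for the defender's side of this step, not code from the original walkthrough or from TryHackMe. The auth.log lines are constructed samples (hostnames, PIDs and the source addresses 10.10.14.7 and 192.168.1.20 are assumed), and the detection threshold of 5 failures is an assumed value.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth.log lines (not a capture from the room). 10.10.14.7
# plays the wordlist attacker; 192.168.1.20 is an assumed legitimate user
# who mistyped the password once.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 bounty sshd[1201]: Failed password for lin from 10.10.14.7 port 51000 ssh2
Mar  3 10:00:01 bounty sshd[1202]: Failed password for lin from 10.10.14.7 port 51002 ssh2
Mar  3 10:00:02 bounty sshd[1203]: Failed password for lin from 10.10.14.7 port 51004 ssh2
Mar  3 10:00:02 bounty sshd[1204]: Failed password for lin from 10.10.14.7 port 51006 ssh2
Mar  3 10:00:03 bounty sshd[1205]: Failed password for lin from 10.10.14.7 port 51008 ssh2
Mar  3 10:00:03 bounty sshd[1206]: Accepted password for lin from 10.10.14.7 port 51010 ssh2
Mar  3 10:05:12 bounty sshd[1300]: Failed password for lin from 192.168.1.20 port 40000 ssh2
Mar  3 10:05:40 bounty sshd[1301]: Accepted password for lin from 192.168.1.20 port 40002 ssh2
"""

# One pattern covers both outcomes. sshd writes "invalid user NAME" when the
# account does not exist, so that prefix is optional.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse_sshd(log_text):
    """Yield (outcome, user, ip) for every sshd password event in the log."""
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            yield m["outcome"], m["user"], m["ip"]


def failed_logins_by_source(log_text, threshold=5):
    """Return {ip: failures} for every source with >= threshold failed passwords."""
    fails = Counter(ip for outcome, _, ip in parse_sshd(log_text) if outcome == "Failed")
    return {ip: n for ip, n in fails.items() if n >= threshold}


def brute_force_successes(log_text, threshold=5):
    """Return [(ip, user, failures_before_success)] for accepted logins that
    came after >= threshold failures from the same source: the signature of a
    wordlist attack that eventually hit the right password."""
    fails = defaultdict(int)
    hits = []
    for outcome, user, ip in parse_sshd(log_text):
        if outcome == "Failed":
            fails[ip] += 1
        elif fails[ip] >= threshold:
            hits.append((ip, user, fails[ip]))
    return hits


if __name__ == "__main__":
    print(failed_logins_by_source(SAMPLE_AUTH_LOG))  # {'10.10.14.7': 5}
    print(brute_force_successes(SAMPLE_AUTH_LOG))    # [('10.10.14.7', 'lin', 5)]
```

The second function is the one worth alerting on: a source that fails repeatedly and then succeeds is far more interesting than one that only fails, because the first means a credential has actually been guessed. Feeding a real /var/log/auth.log into these functions works unchanged, since only the sshd message body is matched.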
user.txt
Now that we know the username and password, we can log on to the SSH service.
ssh lin@10.10.5.226
And type in the password.
This is going very smoothly. We have access and can see the user.txt file:
Answer: THM{CR1M3_SyNd1C4T3}
root.txt
Now, all we need is root access to read the file called root.txt. We need more info to figure out what to do next. It’s time for some enumeration.
Let’s look at different attack vectors.
User’s Home Directory Contents
Nothing out of the ordinary here. Let’s look at the .ssh folder in a bit.
Home Directory Contents
We can look at the home directory to see if we can see directories of other users:
There are no other user directories.
List current processes
We can list the currently running processes with this command:
ps aux
Interesting username. Whoopsie…
But this is completely innocent:
In Ubuntu, whoopsie is a daemon that is responsible for collecting error reports from apport and then sending that report to Canonical if the user agrees to this in the apport confirmation dialog.
SSH Directory Contents
List the contents of the .ssh folder by entering:
ls -l ~/.ssh
Interesting!
cat ~/.ssh/id_rsa
But we already have ssh access! Just wanted to show you anyway 🙂
Bash History
We can look at previously run terminal commands. Run history.
history
Nothing interesting to see here.
Cron Jobs
ls -la /etc/cron.daily/
passwd looks interesting:
cat passwd
But after some googling I found out this is a completely innocent normal process.
Sudo — List User’s Privileges
We can list the allowed (and forbidden) commands for the invoking user, which tells us which commands we can run with sudo rights.
sudo -l
Now, this is interesting! We are allowed to run /bin/tar as root. This is something we can exploit! I found the following info on this page:
https://gtfobins.github.io/gtfobins/tar
Run this command:
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
We got root access. Find the file in the root directory and read it:
Answer: THM{80UN7Y_h4cK3r}
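The root cause of this privilege escalation is the sudo rule, not tar itself: sudoers matches a command with no argument list against any arguments at all, so the user gets to add --checkpoint-action. If the rule pins the exact argument list, sudo rejects every other invocation. The following Python is an added example for auditing that, not code from the original walkthrough or from TryHackMe. The sudoers lines are constructed (the weak first line has the shape that the sudo -l step above reveals, the backup paths are assumed), and the parser covers only the common single-line user rule form, not aliases or Defaults lines.

```python
import os
import re
import shlex

# Constructed sudoers rules, not the room's /etc/sudoers.
SAMPLE_SUDOERS = """\
# weak: no argument list, so any options (e.g. --checkpoint-action) can be appended
lin ALL=(root) NOPASSWD: /bin/tar
# weak: a wildcard in the argument list is as good as no argument list
lin ALL=(root) /bin/tar -cf /var/backups/*.tar /home/lin
# fixed: the argument list is pinned, sudo rejects any other invocation
lin ALL=(root) NOPASSWD: /bin/tar -cf /var/backups/lin-home.tar /home/lin
# unrelated rule, not flagged by this check
lin ALL=(root) /usr/bin/systemctl restart nginx
"""

# Binaries that spawn a shell when the caller controls their arguments (see
# the GTFOBins page linked above). Only tar is listed because it is the one
# this room abuses; extend the set for your own environment.
SHELL_ESCAPE_BINARIES = {"tar"}

# user host=(runas) TAG: command [args]   (runas and tags are optional)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$"
)


def parse_rules(text):
    """Yield one dict per sudoers user rule, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        words = shlex.split(m["cmd"])
        yield {
            "user": m["user"],
            "runas": m["runas"] or "root",  # sudoers runs as root when unspecified
            "nopasswd": "NOPASSWD:" in m["tags"],
            "binary": words[0],
            "args": words[1:],
        }


def audit(text):
    """Return (user, binary, reason) for every rule that hands the user control
    over the arguments of a shell-escape binary."""
    findings = []
    for rule in parse_rules(text):
        if os.path.basename(rule["binary"]) not in SHELL_ESCAPE_BINARIES:
            continue
        if not rule["args"]:
            findings.append((rule["user"], rule["binary"], "no argument restriction"))
        elif any("*" in arg for arg in rule["args"]):
            findings.append((rule["user"], rule["binary"], "wildcard in arguments"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS):
        print("WEAK RULE:", *finding)
```

Pinning the argument list only helps when the pinned invocation is itself harmless as root, so review what the fixed command reads and writes before accepting it. The same check is easy to point at a real file with `audit(open("/etc/sudoers").read())`, and at the fragments in /etc/sudoers.d.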
We are done! I hope it made sense. Bounty Hacker definitely was an easier CTF, but I have to admit that the last step was kinda tricky to figure out. I hope you learned that proper enumeration is very important! Thanks for reading, and give me a clap if you like 🙂