TryHackMe CTF: Bounty Hacker — Walkthrough
Hi! This is my walkthrough on the Bounty Hacker CTF on TryHackMe. I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained from THM's rooms. Join me in learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.
Room URL: https://tryhackme.com/room/cowboyhacker
Task 1 (Living up to the title)
You were boasting on and on about your elite hacker skills in the bar and a few Bounty Hunters decided they’d take you up on claims! Prove your status is more than just a few glasses at the bar. I sense bell peppers & beef in your future! Let’s prove that we are a true Bounty Hacker!
Questions
Deploy the machine.
Answer: No answer needed.
Find open ports on the machine
I found that scanning all ports took way too long on my AttackBox, so I simply selected the top 100 ports:
nmap --top-ports 100 10.10.5.226
I found 3 open ports: 21 (ftp), 22 (ssh) and port 80 (http).
Let’s do a more detailed port scan of those 3 ports:
nmap -A -p 21,22,80 10.10.5.226
We found a webpage:
But more importantly for this task, anonymous access is available on the FTP service. We can also see that there is a task.txt file on it.
Answer: No answer needed
Who wrote the task list?
Great job so far, Bounty Hacker. Let’s try logging in on the ftp service:
ftp <ip address>
We can see that lin has written the note.
Answer: lin
What service can you bruteforce with the text file found?
There is another text file on the ftp server: locks.txt. It has the following content:
This looks like some kind of wordlist that we can use to gain access to a server. Since we have protected SSH access to the server, I am going to guess we can bruteforce it.
Answer: ssh
What is the users password?
To bruteforce lin’s password we can use hydra. We know the username and in addition have a wordlist to use. Download the locks.txt file to your machine:
mget *.txt
Run the following hydra command:
hydra -l lin -P locks.txt -t 6 ssh://<machine ip>
This quickly cracked the password:
Answer: RedDr4gonSynd1cat3
user.txt
Now that we know the password and username, we can log on to the SSH service.
ssh lin@10.10.5.226
And type in the password.
This is going very smoothly. We have access and can see the user.txt file:
Answer: THM{CR1M3_SyNd1C4T3}
root.txt
Now, all we need is root access to read the file called root.txt. We need more info to figure out what to do next. It’s time for some enumeration.
Enumeration
Let’s look at different attack vectors.
User’s Home Directory Contents
Let’s look at the .ssh folder in a bit.
Home Directory Contents
If we look for other users’ home directories, we don’t see any:
There are no other user directories.
List current processes
ps aux
Interesting username. Whoopsie…
But this is completely innocent:
In Ubuntu, whoopsie is a daemon that is responsible for collecting error reports from apport and then sending that report to Canonical if the user agrees to this in the apport confirmation dialog.
SSH Directory Contents
List the ssh content by entering:
ls -l ~/.ssh
Interesting!
cat ~/.ssh/id_rsa
But we already have ssh access! Just wanted to show you anyways 🙂
Bash History
We can look at previously run terminal commands. Run history.
history
Nothing to see here.
Cron Jobs
ls -la /etc/cron.daily/
passwd looks interesting.
But after some googling I found out this is a completely innocent normal process.
Sudo — List User’s Privileges
sudo -l
Now, this is interesting! We can run the /bin/tar command as root through sudo. This is something we can exploit! I found the following info at this page:
https://gtfobins.github.io/gtfobins/tar/
Run this command:
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
We got root access. Find the file in the root directory and read it:
Answer: THM{80UN7Y_h4cK3r}
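Seen from the defender's side, the two steps that mattered in this room (the hydra run against SSH and the sudo tar command) both leave traces in the auth log. The following is an added example, not part of the original walkthrough: a small Python check over constructed sample log lines, where the host name, the source addresses and the failure threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (not captured from the room); the host
# name "target" and the documentation-range source IPs are made up.
SAMPLE_LOG = """\
Mar  3 10:02:11 target sshd[1100]: Failed password for lin from 198.51.100.20 port 51000 ssh2
Mar  3 10:02:19 target sshd[1100]: Accepted password for lin from 198.51.100.20 port 51000 ssh2
Mar  3 10:15:01 target sshd[1201]: Failed password for lin from 203.0.113.7 port 40122 ssh2
Mar  3 10:15:01 target sshd[1202]: Failed password for lin from 203.0.113.7 port 40124 ssh2
Mar  3 10:15:02 target sshd[1203]: Failed password for lin from 203.0.113.7 port 40126 ssh2
Mar  3 10:15:02 target sshd[1204]: Failed password for lin from 203.0.113.7 port 40128 ssh2
Mar  3 10:15:03 target sshd[1205]: Accepted password for lin from 203.0.113.7 port 40130 ssh2
Mar  3 10:16:30 target sudo:      lin : TTY=pts/0 ; PWD=/home/lin ; USER=root ; COMMAND=/bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
Mar  3 11:00:00 target sudo:      lin : TTY=pts/1 ; PWD=/home/lin ; USER=root ; COMMAND=/bin/tar -czf /tmp/etc.tgz /etc
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted password for (\S+) from (\S+) port")
SUDO = re.compile(r"sudo:\s+(\S+) : .*USER=root ; COMMAND=(\S*/tar\b.*)")

def analyze(log_text, threshold=3):
    """Flag (1) a password login preceded by >= threshold failures for the same
    user and source, and (2) sudo tar run as root with an exec checkpoint action."""
    failures = defaultdict(int)  # (user, source) -> failures since last success
    alerts = []
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            failures[m.groups()] += 1
        elif m := ACCEPTED.search(line):
            user, src = m.groups()
            count = failures.pop((user, src), 0)
            if count >= threshold:
                alerts.append(("ssh_bruteforce_success", user, src, count))
        elif m := SUDO.search(line):
            user, command = m.groups()
            if "--checkpoint-action=exec" in command:
                alerts.append(("sudo_tar_exec", user, command))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The single mistyped password from 198.51.100.20 and the ordinary backup run of tar stay below the alert conditions, so only the brute-forced login and the exec checkpoint action are reported.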
We are done! I hope it made sense. Bounty Hacker definitely was an easier CTF, but I have to admit that the last step was kinda tricky to figure out. I hope you learned that proper enumeration is very important! Thanks for reading, and give me a clap if you like 🙂