TryHackMe – Bounty Hacker

Greetings everyone!

I have a pretty quick walkthrough today for you! Once again, we’ll be using the fantastic platform TryHackMe. The box we’ll be tackling is called Bounty Hacker!

With our Kali box fired up, we’ll start off with our trusted Nmap scan!

We can see that we get a few hits back; the main one being FTP! Nmap shows that the box allows for anonymous login, so let’s connect that way and grab any files that we can!

We can see that two files are listed: locks.txt and task.txt. Time to download them and see what goodies are inside!

We’ll first cat out the task.txt file:

Looks like this task file was created by someone named “lin”. This is great because we have a possible username that we may be able to log in with somewhere down the line! Before we get too excited, let’s cat out the locks.txt file that we also downloaded:

This is even more interesting! I could be wrong, but this looks like a list of possible passwords! So now we have a possible username, lin, and a possible list of passwords! But what to do with these? Well, if we look back at our Nmap scan, we can also see that SSH is open! We may as well try brute-forcing the SSH login with the possible credentials we found! Let’s fire up Hydra!

Almost instantly, we get a return! The username “lin” comes back with the password “RedDr4gonSynd1cat3”. Let’s connect with those credentials:

And just like that, we’re in!

We have access as the user lin, so let’s try and escalate our privileges! Before we do any deep digging, let’s try a quick “sudo -l” to see what commands lin can run as root!

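Looks like we can run /bin/tar as root! Heading over to the amazing site GTFOBins, we can see that we can use the following command to try and escalate our privileges. tar’s --checkpoint-action=exec option runs a command of our choosing when a checkpoint is reached, and because sudo runs tar as root, that command runs as root too: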

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

Alright, let’s give it a shot!

Awesome! Let’s grab that root flag now that we have root permissions!

Excellent! We were able to grab the root flag without even breaking a sweat! This was a very quick and easy box, but still very fun!
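From the defender's side, the root cause above is the sudo rule itself: a bare /bin/tar entry lets the user append any tar option. The following is an added example, not part of the original walkthrough, that audits `sudo -l` output for rules of that kind; the sample listing, the hostname `examplehost`, the small binary table and the function name `audit_sudo_listing` are assumptions constructed for illustration.

```python
import re

# Small illustrative subset of binaries whose own options can start another program.
ESCAPE_CAPABLE = {
    "tar": "--checkpoint-action=exec starts other programs",
    "find": "-exec starts other programs",
    "awk": "system() starts other programs",
}
RULE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def audit_sudo_listing(text):
    """Return (severity, runas, command, reason) tuples for risky sudo rules."""
    findings, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE.match(line) if in_rules else None
        if not m:
            continue
        runas = m["runas"].split(":")[0].strip()
        if runas not in ("root", "ALL"):
            continue  # only rules that yield root are in scope here
        for cmd in re.split(r"(?<!\\),\s*", m["cmds"].strip()):
            path, _, args = cmd.partition(" ")
            name = path.rsplit("/", 1)[-1]
            if path == "ALL":
                findings.append(("high", runas, cmd, "unrestricted sudo"))
            elif name in ESCAPE_CAPABLE:
                # A bare path accepts any options from the caller; arguments
                # pinned in sudoers without wildcards must match exactly.
                open_args = args == "" or any(c in args for c in "*?[")
                severity = "high" if open_args else "review"
                findings.append((severity, runas, cmd, ESCAPE_CAPABLE[name]))
    return findings


# Constructed sample: hostname and every rule except /bin/tar are invented.
SAMPLE = """\
Matching Defaults entries for lin on examplehost:
    env_reset, mail_badpass

User lin may run the following commands on examplehost:
    (root) /bin/tar
    (root) NOPASSWD: /bin/tar -czf /var/backups/site.tgz /var/www
    (root) NOPASSWD: /usr/bin/systemctl restart nginx
"""
print(*audit_sudo_listing(SAMPLE), sep="\n")
```

The bare /bin/tar rule is reported as high, while the rule with pinned arguments is only marked for review, which is the usual fix: pin the exact arguments in sudoers or wrap the task in a root-owned script.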

BONUS:

Here’s a quick video I did of the box walkthrough!

Song – Blinding Lights by The Weeknd

Thanks for reading!