Try Hack Me (Bounty Hacker Walkthrough)

Hi All, and welcome to a walkthrough for a new box at Tryhackme.com.

https://tryhackme.com/room/cowboyhacker

Please go easy on me as this is my first ever write-up, even though I have been doing CTF’s for quite some time now.

I would rate this as a beginner box, offering a nice guided learning curve from initial enumeration through to privesc.

Anyway let’s get started with an nmap scan of the box. For an initial scan I start of with a simple Version Scan.

From the initial scan we can see we have the following ports open

Port 21 — FTP with Anonymous login allowed

Port 22 — SSH

Port 80 — Open Http web site

Let’s checkout the FTP server on Port 21, as we can see that it allows anonymous logins.

Here we can see two files, locks.txt and tasks.txt. We can download these to our local machine using the get command from the FTP server.

So we seem to have a potential username: lin

Let’s checkout locks.txt

This looks to be a list of passwords. As we know, there is an SSH service working on Port 22. Let’s try and bruteforce SSH with the username lin and the list of passwords from the locks.txt file.

I tend to use Hydra for this, using the following commands

hydra -l lin -P locks.txt 10.10.182.24 ssh -t 4

We can now try logging in to SSH as username lin using the password we just got from Hydra.

And we are in and we can grab the user.txt flag.

Privesc to Root User

Privesc is relatively straight forward. The first thing I check is to see whether we have any sudo rights using the sudo -l command.

We can see that we have sudo rights to run /bin/tar

Usually at this stage I would run a number of enumeration scripts such as Linpeas or LinEnum, check SUID’s etc; however, a quick look at /bin/tar and we can see that it is being run as (root).

My go to place to check for binaries that can be exploited is https://gtfobins.github.io/

Enter ‘tar’ into the search and select ‘shell’

As we have Sudo rights we can use the above exploit to gain a root shell.

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

This was a nice box, with a reasonable learning curve, ideal for a beginner, whilst also covering a number of key topics.

Thanks to Sevuhl for this box and thanks to Tryhackme for an excellent platform. Also thank you to you for reading this writeup.

--

--

--

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

“Nice Suit”: Why It’s Time to Get Smart About Social Engineering

NIST 800–53 Series: “IMPLEMENTING ACCESS CONTROLs-Part-1 SOPs”

{UPDATE} Farlige Umulige Spor Hack Free Resources Generator

5 Ways to Earn Money Online That You’ve Never Heard Of

Delete Calendar App On Mac

Modification To Google Settings

Analyzing the Local Data of an iOS based application

Evaluating Decentralised Identity Projects

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Yebberdog

Yebberdog

More from Medium

Napping — Try Hack Me

Network Services — Tryhackme

LFI Inclusion — Try Hack Me

TryHackMe: [Day 3] Web Exploitation Christmas Blackout