Try Hack Me (Bounty Hacker Walkthrough)
Hi All, and welcome to a walkthrough for a new box at Tryhackme.com.
Please go easy on me as this is my first ever write-up, even though I have been doing CTF’s for quite some time now.
I would rate this as a beginner box, offering a nice guided learning curve from initial enumeration through to privesc.
Anyway let’s get started with an nmap scan of the box. For an initial scan I start of with a simple Version Scan.
From the initial scan we can see we have the following ports open
Port 21 — FTP with Anonymous login allowed
Port 22 — SSH
Port 80 — Open Http web site
Let’s checkout the FTP server on Port 21, as we can see that it allows anonymous logins.
Here we can see two files, locks.txt and tasks.txt. We can download these to our local machine using the get command from the FTP server.
So we seem to have a potential username: lin
Let’s checkout locks.txt
This looks to be a list of passwords. As we know, there is an SSH service working on Port 22. Let’s try and bruteforce SSH with the username lin and the list of passwords from the locks.txt file.
I tend to use Hydra for this, using the following commands
hydra -l lin -P locks.txt 10.10.182.24 ssh -t 4
We can now try logging in to SSH as username lin using the password we just got from Hydra.
And we are in and we can grab the user.txt flag.
Privesc to Root User
Privesc is relatively straight forward. The first thing I check is to see whether we have any sudo rights using the sudo -l command.
We can see that we have sudo rights to run /bin/tar
Usually at this stage I would run a number of enumeration scripts such as Linpeas or LinEnum, check SUID’s etc; however, a quick look at /bin/tar and we can see that it is being run as (root).
My go to place to check for binaries that can be exploited is https://gtfobins.github.io/
Enter ‘tar’ into the search and select ‘shell’
As we have Sudo rights we can use the above exploit to gain a root shell.
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
This was a nice box, with a reasonable learning curve, ideal for a beginner, whilst also covering a number of key topics.
Thanks to Sevuhl for this box and thanks to Tryhackme for an excellent platform. Also thank you to you for reading this writeup.