TryHackMe: BountyHacker

Photo by Алексей Мойса on Unsplash

BountyHacker by Sevuhl

IP = 10.10.9.170*
Difficulty: Easy
Machine OS: Linux
Learning Platform: tryhackme.com
Finished on: Arch Linux
  • Note: IP address may vary.

Reconnaissance

Scoping and Preparation

Connect to OpenVPN Server using:

  • sudo openvpn {PATH_TO_OVPN_FILE}

I used my tool CTFRecon to automate directory creation, network scanning, web directory brute-forcing and adding entry to /etc/hosts file.

  1. git clone https://www.github.com/hambyhacks/CTFrecon
2. cd CTFRecon
3. chmod +x ctfrecon.sh && cp ctfrecon.sh ../
#to move ctfrecon.sh to your working directory.
1. sudo ./ctfrecon.sh [IP] [DIRECTORY NAME] [PLATFORM] [WORDLIST]
#platform refers to hackthebox(htb) or tryhackme(thm). Wordlist is used for GoBuster directory brute-forcing.

Preliminary Enumeration via nmap

Table 1.1: nmap Results Summary

Nmap scan result summary.

Based on nmap result below, we can see that the FTP port can be accessed anonymously.

Nmap scan result.

Machine OS: Based on OpenSSH version, machine is Ubuntu Xenial.

Enumeration

FTP Enumeration

Let’s look at the FTP service that is running and we can access anonymously. To login anonymously in FTP service:

  • Type anonymous as the username and press enter as a password. It should log in as anonymous user.

Inside the FTP service, we found interesting files named locks.txt and task.txt that could also give us a possible username and passwords for the machine.

Lets try to download both of the .txt files and see the contents. To download the file, we can use the command GET to download the file we wanted.

  • Syntax: get {FILENAME}
Logged in via FTP using anonymous login and downloaded the files locks.txt and task.txt.

We can now exit the FTP prompt and check the contents of the file locks.txt and task.txt.

Checking the contents of locks.txt gives us a possible passwords that may be used for login.

Possible password combinations found in locks.txt

task.txt contains a note created by lin that may be a user in the machine.

task.txt shows that there is a possible user named lin.

Web Enumeration

Navigating to the webpage at port 80, gives us the webpage below.

Webpage at port 80.

We try to manually check for some directories such as robots.txt but it does not exist in the directory.

Also, using GoBuster does not give us helpful results. Webpage may be a dead end for our enumeration.

Since we have possible usernames and passwords from our gathered information, we can try to use it in SSH service running on port 22.

Note: Manual Enumeration is important.

Exploitation

Steps to Reproduce

  1. Using hydra, we tried to bruteforce credentials of lin user with the password list locks.txt.
  • Syntax: hydra -l {USERNAME} -P {PASSWORD_LIST} ssh://{IP}

2. Wait for hydra to finish. Credentials will look like the image below.

hydra successfully brute-forced the login credentials of lin.

3. Log in via SSH with newly found credentials.

Successful login via SSH using credentials found by hydra.

Table 1.2: Credentials

Credentials for lin

Privilege Escalation / Post-Exploitation

Internal Enumeration

Table 1.3: Checklist for Linux Internal Enumeration

Privilege escalation checklist for Linux.

Notes: For more information about the commands look here.

Tip: When nothing else makes sense, try to use LinPEAS (winPEAS for windows machines.).

Vertical Privilege Escalation

Running our checklist, we found that using sudo -l, lin user can use /bin/tar as root user.

Tar binary can be used as privilege escalation vector.

To escalate our privileges, simply type in the terminal:

  • Syntax: sudo /bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
  • This should make us spawn a root shell.
Rooted!

Reference for tar privilege escalation: https://gtfobins.github.io/gtfobins/tar/

We are now root user!

To finish the machine, get the contents of user.txt and root.txt and also the necessary answers for completion.

user.txt and root.txt

STATUS: ROOTED

The next two steps are not necessary for completion of the machine but it completes the 5 Phases of Penetration Testing.

Post Exploitation / Maintaining Access

Copied the /etc/shadow file for user identification and their passwords.

Added another root user for easy access.

Clearing Tracks

Removed all logs and footprints to to prevent risk of exposure of breach to security administrator.

Status: Finished

Feel free to reach out and if there is something wrong about the above post. Feedbacks are also appreciated :D

Donation Box

Not required but appreciated :D

Socials

--

--

--

Self-taught cybersecurity learner :D

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Create Your Own Network Namespace

Conjee NFT Marketplace

Interview with Conrad!  — — — — — — —  Interview mit Conrad!

ShardingSphere 4.x -Sharding-JDBC-Configuration manual-Spring Boot configuration

CommandCenter (c2) 101 — Iterating through the Cyber Range Life-Cycle

XDV Protocol = Ancon Protocol

How to Price Your Product

Evolution Of Operating Systems

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
hamby

hamby

Self-taught cybersecurity learner :D

More from Medium

Linux Privilege Escalation Resources

Beep HTB Writeup

HacktheBox [Toolbox]

TryHackMe: Content Discovery Walkthrough