Post

TryHackMe - Bounty Hacker

Posted Updated
By Nasrallah Baadi 2 min read

Description

Hello l33ts, I hope you are doing well. We are doing Bounty Hacker from TryHackMe

Enumeration

nmap

We start a nmap scan using the following command: sudo nmap -sC -sV -T4 {target_IP}.

  • -sC: run all the default scripts.

  • -sV: Find the version of services running on the target.

  • -T4: Aggressive scan to provide faster results.

Nmap scan report for 10.10.120.252
Host is up (0.11s latency).
Not shown: 970 filtered tcp ports (no-response), 27 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.11.31.131
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 dc:f8:df:a7:a6:00:6d:18:b0:70:2b:a5:aa:a6:14:3e (RSA)
|   256 ec:c0:f2:d9:1e:6f:48:7d:38:9a:e3:bb:08:c4:0c:c9 (ECDSA)
|_  256 a4:1a:15:a5:d4:b1:cf:8f:16:50:3a:7d:d0:d8:13:c2 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

We got 3 open ports

  • 21 ftp vsftpd 3.0.3
  • 22 ssh OpenSSH 7.2p2
  • 80 http Apache httpd 2.4.18

FTP

From the nmap scan we see that Anonymous login is allowed is this ftp server, let’s login and see what we can find.

We found two interesting files, locks.txt and task.txt, we can download them to our machine using the command get {filename}. Let’s see what’s on the files.

The first file, locks.txt, contains a list of words that i assume are passwords, the other file, task.txt, contains a notes from someone called lin, which is a possible username. Now we the information we have, let’s try to brute force ssh and see if we can find something.

Foothold

To brute force ssh, we can use hydra.

We managed to get the correct password for lin, let’s login with ssh now.

Privilege Escalation

Now that we have access to the machine, let’s what we can do.

By running sudo -l, we see that we can run /usr/tar as root, we can use GTFOBins to see how we can leverage that and get root.

We can use that command to get a root shell.

And just like that we became root.

Thank you for taking the time to read my writeup, I hope you have learned something with this, if you have any questions or comments, please feel free to reach out to me. See you in the next hack :) .

TryHackMe
tryhackme linux ftp hydra bruteforce tar sudo
This post is licensed under CC BY 4.0 by the author.