TryHackMe:Bounty Hacker:Writeup:

fig-1.0

Hi,

This post is about Bounty Hacker room on TryHackMe.Com. This room is free for everyone so everyone can join it. its a simple easy and beginners level CTF.

Description: A guide to complete Bounty Hacker CTF on tryhackme.

— — — — — — — — — —Let The Party Begin — — — — — — — — —

Task 1:Living up to the title.

Task 1.1: Deploy the machine

No answer needed

Lets start the machine and grab the IP Address. Shown in fig 2.0:

fig-2.0

Task 1.2: Find open ports on the machine

No answer needed

So lets scan the Ip Address and see what we get by nmap tool by following command(fig-3,4):

$ nmap -sV -sC [Ip Address]

fig- 3.0

fig- 4.0

Here we can see there are three open ports 21,22,80. 21 is used for ftp and we are able to login into by username anonymous we can see it in above fig-3.0 and here is a web running on port 80 so lets take a look of it and after we will login into ftp server.

fig-5.0

Here we see nothing interesting. So lets look at the ftp server by login by username anonymous by the following command(fig 6.0):

$ ftp [Ip Address]

fig- 7.0

Here we successfully login into ftp server. Lets see what files are here and lets download it and see their content by the following command(fig 8.0):

$ ls

$ mget *.txt

fig- 8.0

We found two .txt file locks.txt and task.txt and we download(its download in your current directory) it and lets look of them. it seem locks.txt contains passwords and task.txt some task written by lin by this lets try to brutefore on ssh. We use hydra for it.

Task 1.3:Who wrote the task list?

lin

Task 1.4:What service can you bruteforce with the text file found?

ssh

We use hydra by following command for bruteforece the ssh password(fig 9.0).

$ hydra -l lin -P locks.txt [Ip Address] ssh

fig- 9.0

Wow! we got password so we can login into the machine by ssh.

Task 1.5:What is the users password?

RedDr4gonSynd1cat3

We use following command for that(fig 10.0):

$ ssh lin@[Ip Addres]

fig- 10.0

Now we login to the system we can find the user.txt in Desktop directory and we can read the user.txt(fig 11.0):

fig- 11.0

Task 1.6: User.txt

THM{CR1M3_SyNd1C4T3}

Now its time to get root flag so for that first lets try a command show below for list the programs which sudo allows your user to run.

$ sudo -l

fig- 12.0

Its ask for lin password first. Here we can see we can use tar as root without password so lets find vulnerability for tar on GTFObins (show in fig 13.0).

fig- 13.0

Here we use sudo command for get a root shell. Command shown below(fig 14.0).

$ sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

fig- 14.0

After run this command we get a root shell(fig 15.0).

fig- 15.0

Now we can read root.txt.Which is in /root directory (fig 16.0).

fig- 16.0

Task 1.7: Root.txt

THM{80UN7Y_h4cK3r}

Hooray!!!!!!!! we got root.txt .

— — — — — — — — — — — -Thank you — — — — — — — — — — — -