Hello guys, hope you are doing well. This is a write-up of the Bounty Hacker room on the TryHackMe platform. So let's get started and dive straight in.
Deploy the machine and give it a moment to start. Do not worry if the IP is not shown for two minutes or so, as this turned out to be a new feature of the platform. Once the machine is deployed successfully, go ahead and run the Nmap scans. I always tend to use threader3000, developed by Joe Helle, which combines with Nmap and is a much faster tool.
As the scans are running let’s go to port 80 and start enumerating.
As we can see, there are 3 ports open, and among them port 21 has anonymous login enabled. Log in to the FTP server with this command and give the username as anonymous.
Command — ftp target-ip port-number
Here we can see that there are two files, locks.txt and task.txt. Using the get command, download the two files to the local system.
Open the files with the cat command. In locks.txt we find a list of passwords, and task.txt has some information conveyed indirectly. By observing, we see that the username is listed as lin.
As we have the username and a list of passwords, we now have to enumerate and attack a service with these credentials. If you look, we have an SSH port open, and this is the service we shall attack. Using hydra we brute force with the list of passwords.
Command — hydra -l lin -P locks.txt -t 4 target-ip ssh
As we now have working credentials, we can SSH into the machine using this command; enter the password once it is prompted for.
Command — ssh lin@target-ip
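A defender's view of the brute-force step above, as an added example that is not part of the original write-up: this Python script parses constructed OpenSSH auth.log lines (the hostname, IP addresses and timestamps are made up) and flags a source that fails repeatedly against one account inside a short window, noting whether a login succeeded afterwards, which is the trace a wordlist attack like the hydra run above leaves on the target. The year and the thresholds are assumptions, since syslog timestamps carry no year.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the success/failure lines OpenSSH writes to /var/log/auth.log
# (syslog format, which carries no year in the timestamp).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: a four-thread wordlist run against 'lin' from one host
# that ends in a successful password login, plus one unrelated key login.
SAMPLE_AUTH_LOG = "\n".join(
    [f"Jun 10 12:00:{s:02d} bounty sshd[12{s:02d}]: Failed password for lin "
     f"from 10.0.0.5 port 5{s:04d} ssh2" for s in range(8)]
    + ["Jun 10 12:00:08 bounty sshd[1208]: Accepted password for lin "
       "from 10.0.0.5 port 50008 ssh2",
       "Jun 10 12:05:00 bounty sshd[1300]: Accepted publickey for admin "
       "from 10.0.0.9 port 40000 ssh2"]
)

def parse_events(log_text, year=2024):
    """Yield (time, result, user, ip); the year is an assumption, syslog omits it."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return (ip, user, total_failures, compromised) for every source that
    fails `threshold` or more times against one account within `window`;
    compromised is True when a successful login follows the failures."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, result, user, ip in sorted(parse_events(log_text)):
        (failures if result == "Failed" else successes)[(ip, user)].append(ts)
    findings = []
    for (ip, user), times in failures.items():
        start, densest = 0, 0
        for end in range(len(times)):  # sliding window over sorted failure times
            while times[end] - times[start] > window:
                start += 1
            densest = max(densest, end - start + 1)
        if densest >= threshold:
            compromised = any(s >= times[-1] for s in successes[(ip, user)])
            findings.append((ip, user, len(times), compromised))
    return findings
```

The same logic applies unchanged to a real auth.log; a finding with compromised set to True is the one to act on first, since the guessed password already worked.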
Boom!!! Now we have user access on the system. Change directory to /home/lin/Desktop and here we will find the user.txt flag.
Now it's time to escalate to the root user, so let us check for SUID files first for any specific permissions. We can do this by executing this
Command — find / -perm -4000 -type f 2>/dev/null
We didn't find any interesting files here, so let us run sudo -l to check the privileges of the user.
We can see that the user can run the /bin/tar binary with root privileges. As this is confirmed, let us look at GTFOBins for tar. Under the sudo section we find the command; copy it and run it with /bin/tar, and this will grant us root privileges. We have therefore successfully escalated our privileges to root. Now it's easy to find the root flag.
I'm leaving the rest of the tasks here for you to complete.
Collaboration and networking are something that I always enjoy. Let's connect!
Twitter — https://twitter.com/Begin_hunt
Linkedin — https://www.linkedin.com/in/balapraneeth/
Thank you for reading this blog. All the best. Any suggestions are really appreciated!