Bounty Hunter

Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn):

nmap -Pn 10.10.28.194

Detailed nmap scan:

Command Breakdown:

  • (-sV): Service version

  • (-sC): Default nmap scripts

  • (-p): Specifying ports 21,22,80

  • (-oN nmap): Saving the output to a file called nmap

nmap -sC -sV -p 21,22,80 -oN nmap 10.10.28.194

Enumeration

Port 21

The nmap scan shows that anonymous FTP login is allowed on port 21 (FTP). Let's log in and see what it has.

ftp 10.10.28.194

Once we log in and list the files, we can see two of them: locks.txt and task.txt. Let's transfer both to our machine using the get command.

get <file-name>

Let's read the task.txt file first.

cat task.txt

We found a user called lin, which is the answer to the third question.

Now let's read the file locks.txt.

cat locks.txt

It looks like a password list. Now that we have a username and a password list, we can try brute-forcing SSH using a tool called hydra.

Initial Foothold

Command Breakdown:

  • (-l): Specifying username

  • (-P): Specifying a file of candidate passwords to try.

  • (ssh): Specifying which protocol to attack.

hydra -l lin -P /root/Desktop/TryHackMe/BountyHacker/locks.txt 10.10.28.194 ssh

We found the password RedDr4gonSynd1cat3. Let's log in through SSH. The answer to the fourth question is SSH, and the answer to the fifth question is the password we found using hydra.

We have user privileges, so we can go read the user.txt file, which I already did, but you will have to find that on your own. :)

Privilege Escalation

Let's run the sudo -l command to check which commands we can run as other users.

sudo -l

It looks like we can run /bin/tar as root. Now we can go to GTFOBins and find the command to escalate privileges to root. The command it lists is this:

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

Once we run this, we are root.

Now you can go read the root.txt file and answer the last question.
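Seen from the defender's side, the /bin/tar rule is the kind of sudo entry an audit should catch. The following is an added example, not part of the original writeup: it parses sudo -l output and flags rules that reach root through a binary able to run other commands. The sample output, the host name "target" and the short binary list are constructed for illustration.

```python
import re

# Illustrative subset of binaries that can run arbitrary commands (assumption
# for this example, not a complete list).
SHELL_CAPABLE = {"tar", "find", "vim", "less", "awk", "env"}

# Constructed `sudo -l` output; the host name "target" is a placeholder.
SAMPLE = """\
Matching Defaults entries for lin on target:
    env_reset, mail_badpass

User lin may run the following commands on target:
    (root) /bin/tar
"""

# One rule line: "(runas) [TAG: ...] cmd[, cmd ...]"
RULE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s+(?:[A-Z_]+:\s*)*(?P<cmds>.+)$")


def audit_sudo_listing(text):
    """Return (command, reason) pairs for risky rules in `sudo -l` output."""
    findings = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True  # rule lines only appear after this header
            continue
        match = RULE.match(line) if in_rules else None
        if not match:
            continue
        runas = match.group("runas").split(":")[0].strip()
        if runas not in ("root", "ALL"):
            continue  # only rules that reach root are in scope here
        for cmd in match.group("cmds").split(","):
            parts = cmd.split()
            if not parts:
                continue
            path = parts[0]
            if path == "ALL":
                findings.append((path, "unrestricted sudo"))
            elif path.rsplit("/", 1)[-1] in SHELL_CAPABLE:
                findings.append((path, "can execute commands as " + runas))
    return findings


if __name__ == "__main__":
    for path, reason in audit_sudo_listing(SAMPLE):
        print(f"{path}: {reason}")
```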
