Bounty Hunter
Reconnaissance
Initial nmap scan to find open ports, using the "treat all hosts as online" flag (-Pn):
Detailed nmap scan:
Command Breakdown:
(-sV): Service version detection
(-sC): Default nmap scripts
(-p): Specifying ports 21,22,80
(-oN nmap): Saving the output to a file called nmap
Enumeration
Port 21
We can see in the nmap scan that anonymous FTP login is allowed on port 21. Let's log in and see what it has.
Once we log in and list the files, we can see two of them, locks.txt and task.txt. Let's transfer both to our machine using the get command.
Let's read the task.txt file first.
We found a user called lin, which is the answer to the third question.
Now let's read the file locks.txt.
It looks like a password list. With a username and a password list, we can try brute-forcing SSH using a tool called hydra.
Initial Foothold
Command Breakdown:
(-l): Specifying username
(-P): Specifying a file of candidate passwords to try.
(ssh): Specifying which protocol to attack.
We found the password RedDr4gonSynd1cat3. Let's log in through SSH. The answer to the fourth question is SSH, and the answer to the fifth question is the password we found using hydra.
We have user privileges, so we can go read the user.txt file, which I already did, but you will have to find that on your own. :)
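From the defender's side, the hydra run above leaves a clear trace in the sshd log: a burst of failed passwords for lin from one address, followed by a success. The following is an added example, not part of the original write-up, that flags that pattern; the log lines, host name, IP addresses and the threshold of 5 are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sshd auth log (illustrative, not from the original page).
SAMPLE_LOG = "\n".join(
    [f"Jan 10 10:00:{s:02d} host sshd[1201]: Failed password for lin "
     f"from 203.0.113.7 port {40000 + s} ssh2" for s in range(6)]
    + ["Jan 10 10:00:07 host sshd[1201]: Accepted password for lin "
       "from 203.0.113.7 port 40007 ssh2",
       "Jan 10 11:30:00 host sshd[1302]: Failed password for lin "
       "from 198.51.100.20 port 51000 ssh2",
       "Jan 10 11:30:09 host sshd[1302]: Accepted password for lin "
       "from 198.51.100.20 port 51001 ssh2",
       "Jan 10 12:00:00 host sshd[1400]: Failed password for invalid user "
       "admin from 203.0.113.7 port 40100 ssh2"]
)

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_bruteforce(log_text, threshold=5):
    """Map (ip, user) -> {"failures", "compromised"} for pairs with at least
    `threshold` failed passwords; "compromised" means a login then succeeded."""
    failures = defaultdict(int)
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["ip"], m["user"])
        if m["result"] == "Failed":
            failures[key] += 1
            if failures[key] >= threshold:
                entry = findings.setdefault(key, {"compromised": False})
                entry["failures"] = failures[key]
        elif failures[key] >= threshold:
            findings[key]["compromised"] = True   # guess succeeded: respond
        else:
            failures[key] = 0   # ordinary login after a typo resets the count
    return findings

if __name__ == "__main__":
    for (ip, user), info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, user, info)
```

A finding with "compromised" set means the account's password should be rotated and its sessions reviewed, not just the source address blocked.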
Privilege Escalation
Let's run the sudo -l command to check which commands we can run as other users.
It looks like we can run /bin/tar as root. Now we can go to GTFOBins and find the command to escalate privileges to root. The command they gave is this.
Once we run this, we are root.
Now you can go read the root.txt file and answer the last question.