You talked a big game about being the most elite hacker in the solar system. Prove it and claim your right to the status of Elite Bounty Hacker!

fathallah17/Bounty-Hacker-Write-up-TryHackMe

Bounty Hacker | Write-up (THM)

Enumeration

The first step on almost every box is to run an nmap scan.

sudo nmap -T4 -p- -A (ip)

After reviewing the results of the nmap scan, we can point out some useful findings:

  1. anonymous access to FTP on port 21
  2. HTTP page and Apache 2.4.18 server on port 80
  3. SSH on port 22

HTTP

Opening the site in the browser brings up the page served on port 80.

This page is useful anecdotally, but there's really nothing we can use later, except for some names as potential usernames.

I used Gobuster to check for any login pages, but nothing was helpful.

gobuster dir -w (wordlist) -u (url)

FTP

Nmap scan showed us that anonymous FTP login is allowed, so why not use it.

ftp (ip)

We see two files, locks.txt and task.txt

All we need to do now is read the files, so let's download them to our machine with the get (filename) command and read them.

locks.txt gives us a set of passwords, and task.txt is a list of tasks written by ***

Brute-Force:

Let's put the names from the web page, together with the name we found in task.txt, into a file called users.txt.

Since SSH is the only remaining login service, the next step is to run hydra to brute-force the SSH login, using locks.txt as the password list.

hydra ssh://(ip) -L users.txt -P locks.txt

Now we have credentials and can log in over SSH and read user.txt.

SSH

Let's log in using SSH!

Privilege Escalation and Root flag

We cannot act as root yet, because we are currently logged in only as the user ***.

Let's run sudo -l to see what the user can run as another user or root.

It can be seen that we can run tar as root.

Go to GTFOBins and search for tar.

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

Let's grab this flag!! 🚩
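As a defender's counterpart to the sudo -l finding above, this added example (not part of the original write-up) audits sudo -l output for rules that grant binaries able to launch other programs. The RISKY list, the function names and the sample output are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the write-up): audit `sudo -l` output for rules that
# grant binaries able to run other programs, such as the tar rule above.
# RISKY is an illustrative, non-exhaustive list (assumption); extend it from GTFOBins.
RISKY="tar find vim less awk env perl python3"

# Reads `sudo -l` output on stdin; prints "<run-as>\t<path>\t<passwd|nopasswd>"
# for each risky rule. Only tags at the start of a rule are handled.
audit_sudo_rules() {
  awk -v risky="$RISKY" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    /^[ \t]*\(/ {                           # rule lines start with "(run-as)"
      line = $0; sub(/^[ \t]*/, "", line)
      runas = line; sub(/\).*/, ")", runas)
      rest = line;  sub(/^\([^)]*\)[ \t]*/, "", rest)
      mode = "passwd"
      while (match(rest, /^[A-Z_]+:[ \t]*/)) {   # strip NOPASSWD:, SETENV:, ...
        if (substr(rest, 1, 9) == "NOPASSWD:") mode = "nopasswd"
        rest = substr(rest, RLENGTH + 1)
      }
      m = split(rest, cmds, /,[ \t]*/)      # one line may list several commands
      for (j = 1; j <= m; j++) {
        split(cmds[j], w, " "); path = w[1]
        k = split(path, parts, "/"); base = parts[k]
        if (path == "ALL" || (base in bad)) printf "%s\t%s\t%s\n", runas, path, mode
      }
    }'
}

# Constructed sample of `sudo -l` output (user and host names are made up).
sample_sudo_l() {
  cat <<'EOF'
Matching Defaults entries for deploy on host:
    env_reset, mail_badpass

User deploy may run the following commands on host:
    (root) /bin/tar
    (root) NOPASSWD: /sbin/reboot
    (ALL : ALL) NOPASSWD: /usr/bin/find /var/log -name *.log
EOF
}

sample_sudo_l | audit_sudo_rules
```

On a real host, pipe `sudo -l -U (user)` into audit_sudo_rules and replace each flagged rule with a narrowly scoped wrapper script or remove it.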

That's all about this machine. Enjoy hacking!
