
TryHackMe Write-Up (Bounty Hacker)

In this Capture the Flag event we have a few tasks on one target.

As always, we start with only an IP address: 10.10.6.212

Flags to capture are:

- Who wrote this task list

- What service can we brute force

- What is the user's password

- What are the flags in the files user.txt and root.txt

The first step I took was an Nmap scan to see which ports are open on the target.

> nmap -sS -sC -Pn -oN bounty.txt 10.10.6.212

I can see a few ports are open:

Port 21 (TCP) is running an FTP server, a login service

Port 22 (TCP) is running SSH

Port 80 (TCP) is running HTTP, a web server

Let's do some basic research and open the target's IP in a web browser, since it has an HTTP port open.

> browse to http://10.10.6.212

We see a web page displayed.

  • No clues. I did not find anything in the page source either.

From our Nmap report, we see that port 21 is an FTP login port, so let's try to log on. You can see that the username anonymous is accepted!

> ftp 10.10.6.212

When prompted for a login, we type the name anonymous.

And we are logged in! No password was required. A perfect example of an unsecured port and service!

Within the anonymous user's account, we can see some basic files that they have access to!

locks.txt and task.txt. The FTP get command will download them to our machine.

> get locks.txt

> get task.txt

Once the files are downloaded, let's view them and see what we have obtained.

> cat locks.txt

> cat task.txt

The contents of locks.txt look like passwords to me!

And we see a username within task.txt.

Our first flag is acquired: the name of the user who wrote task.txt! Let's continue.

- So far, we have SSH (port 22) that can be brute forced. SSH is a secure shell that gives access to a system or network if you have the correct credentials.

- We also have a file of passwords.

- And we have a username.

Another flag was what service can be brute forced. SSH, of course :)

So let's try a brute-force tool called Hydra. Hydra is preinstalled on the Linux system we are using, so we simply run the hydra command with the username (-l), the password file (-P) and the target service and IP address. The example is below.

> hydra -l lin -P locks.txt ssh://10.10.6.212

We got in! Hydra tried those passwords against the username until it found the one that works on the target.

Another flag was obtained. We can see all the information needed for lin's login.

So let's SSH in as lin:

> ssh lin@10.10.6.212

> enter the password we acquired from the Hydra attack

And we are in! A simple > whoami command confirms this.
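From the server's side, a Hydra run like this leaves a very recognisable trace: a burst of "Failed password" lines from one source address, here followed by an "Accepted password" from the same address. The detector below is an added example for this write-up (not code from the original post): it parses sshd lines in the OpenSSH syslog format found in /var/log/auth.log, groups password failures by source IP, and raises one alert per IP that reaches a threshold inside a sliding time window, noting whether a password login from that IP succeeded afterwards. The log lines are constructed, and the threshold and window values are assumptions a defender would tune.

```python
"""Spot an SSH password-guessing run like the Hydra one above in sshd logs.

Added example for this write-up; not code from the original post. The log
lines are constructed in OpenSSH's syslog format; FAIL_THRESHOLD and
WINDOW_SECONDS are assumed tuning values.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd log lines: one burst of guesses against lin that
# ends in a successful password login, plus unrelated normal activity.
SAMPLE_AUTH_LOG = """\
Jun 14 10:02:01 bountyhacker sshd[1201]: Failed password for lin from 10.10.200.5 port 51312 ssh2
Jun 14 10:02:01 bountyhacker sshd[1203]: Failed password for lin from 10.10.200.5 port 51314 ssh2
Jun 14 10:02:02 bountyhacker sshd[1205]: Failed password for lin from 10.10.200.5 port 51316 ssh2
Jun 14 10:02:02 bountyhacker sshd[1207]: Failed password for lin from 10.10.200.5 port 51318 ssh2
Jun 14 10:02:03 bountyhacker sshd[1209]: Failed password for lin from 10.10.200.5 port 51320 ssh2
Jun 14 10:02:03 bountyhacker sshd[1211]: Accepted password for lin from 10.10.200.5 port 51322 ssh2
Jun 14 10:15:40 bountyhacker sshd[1300]: Failed password for invalid user admin from 192.0.2.77 port 40001 ssh2
Jun 14 11:00:00 bountyhacker sshd[1400]: Accepted publickey for deploy from 192.0.2.10 port 40100 ssh2
"""

# Matches "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

FAIL_THRESHOLD = 5   # assumption: this many failed password logins from one IP ...
WINDOW_SECONDS = 60  # ... within this many seconds count as a brute-force burst


def parse_auth_log(text):
    """Return login events (dicts) in chronological order; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            # classic syslog timestamps carry no year; fine for deltas within one log
            "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
            "result": m.group("result"),
            "method": m.group("method"),
            "user": m.group("user"),
            "ip": m.group("ip"),
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
    """One alert per source IP that reaches `threshold` failed password logins
    within `window` seconds; records whether a password login from that IP
    succeeded at or after the moment the threshold was crossed."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        failures = [e["ts"] for e in evs
                    if e["result"] == "Failed" and e["method"] == "password"]
        burst_at = None
        start = 0
        for end, ts in enumerate(failures):   # sliding window over sorted failures
            while (ts - failures[start]).total_seconds() > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_at = ts
                break
        if burst_at is None:
            continue
        alerts.append({
            "ip": ip,
            "failures": len(failures),
            "users": sorted({e["user"] for e in evs if e["result"] == "Failed"}),
            "success_after_burst": any(
                e["result"] == "Accepted" and e["method"] == "password" and e["ts"] >= burst_at
                for e in evs),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(alert)
```

On the sample, only 10.10.200.5 crosses the threshold, and its alert carries success_after_burst=True, which is the case worth paging on: the guessing worked and the account should be treated as compromised. Single stray failures like the one from 192.0.2.77 stay below the threshold unless you lower it.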

Let's poke around for a bit

> pwd tells us where we are

> ls tells us what is inside, and ls -a tells us everything that's inside, including hidden files

Cool! We see a file user.txt, let's open it up!

> cat user.txt

And we have a flag!!!

Fun right?

So now we need root access!

The root user is the king of the castle: knows all and makes all the decisions!

So, let's move over to the root account's home directory

> cd /root

cd is change directory

There is a root directory!!!

But we have no access, and it asks for a password!

I used sudo to view the commands that lin is allowed to run:

> sudo -l

and I was able to see that lin may run /bin/tar as root on bountyhacker.

What is amazing about Capture the Flag events is that I learn a new tool every time.

I was able to find a curated list of Unix binaries that can be used to bypass local security restrictions.

This is all publicly available online and was found on GTFOBins.

Within this website, I searched for tar and found a sudo entry for it. I used that publicly available information in my terminal to gain root privileges.

Within /root, I used a simple ls -a (list all) command to find root.txt.

Within this file, I found our last THM flag.
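The rule that `sudo -l` exposed is the kind of thing a defender should find before an attacker does, by auditing sudoers rather than by reading GTFOBins after the fact. The script below is an added example for this write-up (not code from the original post): it parses simplified sudoers user specifications of the form `user HOST=(runas) [TAG:] command, command` and flags any rule that lets a non-root user run something as root either without a password or through a binary with a documented GTFOBins sudo entry. The sudoers text is constructed, with the `lin` line mirroring what the write-up found; the watch-list is an assumption curated from GTFOBins' public sudo category, with tar as the page's own example.

```python
"""Audit sudoers rules for the kind of entry `sudo -l` revealed above.

Added example for this write-up; not code from the original post. Parses
simplified sudoers user specifications and flags rules that grant root to a
non-root user without a password or via a binary with a known shell escape.
"""
import posixpath
import re

# Constructed /etc/sudoers content; the `lin` line mirrors what the write-up found.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed for this example)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
lin     bountyhacker=(root) NOPASSWD: /bin/tar
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /bin/tar
dev     ALL=(root) /usr/bin/vim
svc     ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
ops     ALL=(root) /usr/bin/systemctl restart nginx
"""

# Assumption: a defender-curated subset of binaries with GTFOBins 'sudo' entries
# (tar is the one this room used).
SHELL_ESCAPE_BINARIES = {"tar", "rsync", "vim", "vi", "less", "more", "find", "awk", "env"}

# user HOST=(runas[:group]) [TAG: ...] cmd[, cmd ...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return user-specification rules as dicts.

    Comments and Defaults lines are skipped; alias definitions (User_Alias,
    Cmnd_Alias, ...) have no '=(' and so never match the rule pattern.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append({
            "user": m.group("user"),
            "host": m.group("host"),
            # "(root)" -> root, "(ALL:ALL)" -> ALL, "()" -> root (sudoers default)
            "runas": m.group("runas").split(":")[0].strip() or "root",
            "tags": {t.rstrip(":") for t in m.group("tags").split()},
            "cmds": [c.strip() for c in m.group("cmds").split(",") if c.strip()],
        })
    return rules


def audit_sudoers(rules, watchlist=SHELL_ESCAPE_BINARIES):
    """Return one finding per risky (rule, command) pair granting root."""
    findings = []
    for rule in rules:
        if rule["user"] == "root" or rule["runas"] not in ("root", "ALL"):
            continue
        for cmd in rule["cmds"]:
            binary = "ALL" if cmd == "ALL" else posixpath.basename(cmd.split()[0])
            reasons = []
            if "NOPASSWD" in rule["tags"]:
                reasons.append("runs as root without a password")
            if binary in watchlist:
                reasons.append("binary has a documented sudo shell escape on GTFOBins")
            if not reasons:
                continue
            findings.append({
                "user": rule["user"],
                "host": rule["host"],
                "command": cmd,
                "binary": binary,
                # both conditions together is exactly the situation in this room
                "severity": "high" if len(reasons) == 2 else "medium",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{f['severity']:6} {f['user']}@{f['host']}: {f['command']}  ({'; '.join(f['reasons'])})")
```

The `lin` rule comes out as high severity because it combines both problems: no password and a binary that can hand back a shell. The fix is the usual one for sudo delegation: grant a wrapper script with a fixed argument list rather than the bare binary, and drop NOPASSWD unless an unattended process truly needs it. Note the parser handles the single-line rule form this room shows; real sudoers files may also use aliases and `#include` directives that this example leaves out.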

This Capture the Flag event was significant to me because it showed how an unsecured port combined with weak login information can play a key role in a vulnerable network, and that is not even to mention the unencrypted passwords sitting in a file. Simple security practices can be implemented on many types of servers. The importance of regular vulnerability scanning along with the implementation of security protocols is paramount.