TryHackMe: Bounty Hacker Writeup

Bounty Hacker is an easy CTF challenge for beginners on TryHackMe by Sevuhl. As it is aimed at those with little experience in penetration testing, it was quite simple to get to root. But everyone’s gotta start from somewhere, right? Let’s go!

1. Deploy the target machine as requested.

2. Let’s scan for open ports: nmap -sC -sV -A -T4 -v -p- [target's IP]. What do we find? Ports 21, 22, 80 are open. 21 = FTP, 22 = SSH, 80 = HTTP.

3. Let’s check FTP first: ftp [target's IP]. Username: anonymous, no password. And we are in. Use the ls command to see what’s in the directory. We can see there are two files, locks.txt and task.txt. Use the get command to download them onto your machine.

4. The answer to the first question is found within the file task.txt we downloaded. We now have a potential username.

5. In locks.txt we find a list of passwords that can be used to brute-force the SSH login we found earlier. Let’s do that with Hydra.

6. hydra -l [username] -P locks.txt ssh://[target's IP]. As expected, the correct password is in locks.txt. Input the right password on TryHackMe to get another flag.

7. Let’s connect to the target with SSH. We have both the username and the password: ssh [username]@[target's IP]. When asked, type in the password. We’re in. Use ls to see the contents and we can see user.txt. Since we used SSH, we can type in cat user.txt to view the file and grab the flag!

8. Now things get a little more complicated. For the last flag, we need to escalate our privileges on the machine. So let’s check the user’s rights with sudo -l. We can see that the user can run tar as superuser. We head over to GTFOBins to check out what we can do with it. Turns out, a lot.

9. Let’s take the first thing we’re offered by GTFOBins, prefix the command with sudo and the full path of tar, and hit enter: sudo /bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

10. Something clearly happens in the terminal and we input id to check if we got root. Oh yes… Now we can use find to search for root.txt: find / -name "root.txt". Now that we have the path of root.txt, we can view its contents by typing cat /root/root.txt. Grab the last flag and we’re done!
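Seen from the defender's side, both steps 6 and 9 leave obvious traces in /var/log/auth.log: a burst of failed SSH passwords followed by an accepted one, and a sudo entry whose command is tar with --checkpoint-action. The script below is an added example (not part of the original writeup) that flags both patterns; the username, source IP and log lines are constructed sample data, and the sudo log format is the standard one sudo writes via syslog.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (user, IP and timestamps are made up):
# five failed SSH passwords then a success from the same source, followed by
# a sudo run of the tar checkpoint-action command from step 9 of the writeup.
SAMPLE_AUTH_LOG = """\
Jun  1 10:00:01 box sshd[1201]: Failed password for ctfuser from 10.10.14.5 port 51000 ssh2
Jun  1 10:00:01 box sshd[1202]: Failed password for ctfuser from 10.10.14.5 port 51001 ssh2
Jun  1 10:00:02 box sshd[1203]: Failed password for ctfuser from 10.10.14.5 port 51002 ssh2
Jun  1 10:00:02 box sshd[1204]: Failed password for ctfuser from 10.10.14.5 port 51003 ssh2
Jun  1 10:00:02 box sshd[1205]: Failed password for ctfuser from 10.10.14.5 port 51004 ssh2
Jun  1 10:00:03 box sshd[1206]: Accepted password for ctfuser from 10.10.14.5 port 51005 ssh2
Jun  1 10:02:10 box sudo:  ctfuser : TTY=pts/0 ; PWD=/home/ctfuser ; USER=root ; COMMAND=/bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted password for (\S+) from (\S+) port")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*COMMAND=(.*)$")
CHECKPOINT_RE = re.compile(r"\btar\b.*--checkpoint-action=")


def detect_ssh_bruteforce(lines, threshold=5):
    """Return [(user, src_ip, failures)] for each accepted password login that
    was preceded by at least `threshold` failures for the same user/source."""
    failures = defaultdict(int)
    hits = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m.groups()] += 1
            continue
        m = ACCEPT_RE.search(line)
        if m and failures[m.groups()] >= threshold:
            hits.append((m.group(1), m.group(2), failures[m.groups()]))
    return hits


def detect_sudo_tar_checkpoint(lines):
    """Return [(user, command)] for sudo runs of tar using --checkpoint-action,
    i.e. the GTFOBins shell escape that made tar in sudoers dangerous here."""
    hits = []
    for line in lines:
        m = SUDO_RE.search(line)
        if m and CHECKPOINT_RE.search(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    log = SAMPLE_AUTH_LOG.splitlines()
    print("brute-force logins:", detect_ssh_bruteforce(log))
    print("sudo tar escapes:  ", detect_sudo_tar_checkpoint(log))
```

The fix on the host side is the usual one: drop the tar entry from sudoers (or restrict it to exact, argument-less commands) and rate-limit SSH password authentication, or disable it in favour of keys.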