TryHackMe has a box called “Bounty Hunter” which was a ton of fun, and definitely an experience. Let’s dive right into it.
I started off with a regular old nmap scan of the IP. It showed that there were three ports open, which means three potential points of entry. Before we start testing everything, we’d usually try to grab the versions of the software running on these ports, to make sure there is no blatantly obvious vulnerability. SSH ended up being up to date, so we’ll follow my normal approach for this type of situation, which is to look into FTP right away.
The most common thing that occurs on these beginner-level boxes is that the FTP server is left open to anonymous login. You don’t usually even NEED to use Metasploit to scan for it: you can just attempt to FTP in, and if user: anonymous and password: anonymous doesn’t work, then it’s not anonymous login haha. Let’s go ahead and log in to the FTP server.
Annnnd, success! Just like I thought. Time to poke around a bit.
So there are two files in here, locks.txt and task.txt. Let’s download and open them up.
Cool, so this looks like a password list. It’ll come in handy later, so store it somewhere safe. Now, there’s one bit I missed documenting here, but I’ll do my best to explain it.
On our scan, port 80 was open, which is HTTP. This means they are most likely running a website, which also means there could be extra directories, code to audit, etc. Through exploring that site, I found the name “lin”. This appeared to be a username of some sort. So we had a username, and now we have a list of passwords. There’s one service that has yet to be useful to us: SSH. So, it’s gotta be the login for that. Power up Hydra and let’s get to brute forcing.
Start her up!
Nice! Glad to know that worked out in our favor. Let’s see what we can get to through SSH.
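From the blue-team side, the Hydra run above leaves a very recognisable trail in the target’s sshd log: a burst of failed passwords from one source IP, then a success from that same IP. The following detector is an added example (not part of the original writeup); the log lines are constructed in the standard auth.log format, the host name `bh`, the IPs and the thresholds are all made up for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines (not from the box) in /var/log/auth.log format:
# five rapid failures from one source followed by a success, then a single
# mistyped-then-correct login from another host that should NOT be flagged.
SAMPLE_LOG = """\
Jan 10 12:00:01 bh sshd[2101]: Failed password for lin from 10.10.14.5 port 50001 ssh2
Jan 10 12:00:01 bh sshd[2102]: Failed password for lin from 10.10.14.5 port 50002 ssh2
Jan 10 12:00:02 bh sshd[2103]: Failed password for lin from 10.10.14.5 port 50003 ssh2
Jan 10 12:00:02 bh sshd[2104]: Failed password for invalid user admin from 10.10.14.5 port 50004 ssh2
Jan 10 12:00:03 bh sshd[2105]: Failed password for lin from 10.10.14.5 port 50005 ssh2
Jan 10 12:00:03 bh sshd[2106]: Accepted password for lin from 10.10.14.5 port 50006 ssh2
Jan 10 12:30:00 bh sshd[2200]: Failed password for lin from 192.168.1.20 port 40001 ssh2
Jan 10 12:45:00 bh sshd[2201]: Accepted password for lin from 192.168.1.20 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_events(log_text, year=2024):
    """Return (timestamp, result, user, ip) per sshd password event.
    syslog timestamps carry no year, so the caller supplies one."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Flag a source IP once it reaches `threshold` failed passwords inside
    `window_s` seconds, and flag again if that IP then logs in successfully
    while the burst is still in the window: a password list that worked."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    flagged = set()
    alerts = []
    for ts, result, user, ip in parse_events(log_text):
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # drop failures older than the sliding window
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "burst", "ip": ip, "failures": len(q)})
        elif ip in flagged and q:
            alerts.append({"type": "success_after_burst", "ip": ip, "user": user})
    return alerts
```

On the sample, only 10.10.14.5 is reported, once for the burst and once for the login that followed it; the slow failure from 192.168.1.20 never reaches the threshold.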
So our goals for this challenge were to get user.txt and root.txt. We’ve got user.txt, so now we need to get root on the box, and that means a little bit of privilege escalation.
This shows that the user we are logged in as (lin) can run the following command as root: /bin/tar. This means we need to head over to our favorite site (https://gtfobins.github.io/) to see how we can escape to root using this command.
Looks like it worked, and the box is now fully completed!
Thanks for reading!