TryHackMe CTF Walkthrough - "Bounty Hacker"

Note: This is a reupload of a CTF walkthrough from my original website which no longer exists.

Today I'll be doing a writeup on the easy difficulty CTF machine "Bounty Hacker" from the cybersecurity training website TryHackMe.

As always, we will start with an Nmap scan of the machine. Here we will be running an aggressive service scan with default scripts enabled.


I will sometimes also run a second Nmap scan alongside the one above, using the vuln script category for additional enumeration. However, in this case I decided to simply go ahead with the above command.



As we can see, we have a little bit of information to go off of. FTP and SSH are both open, and FTP allows anonymous logon. From personal experience I am already familiar with the versions of vsftpd and OpenSSH that are running, and I know there are no publicly available exploits to leverage against them. Since this is rated an "easy" CTF, it's highly unlikely that you will be expected to write a custom exploit or perform any sophisticated attack against the target machine.

We can also see that HTTP is open and that the web server is running Apache httpd version 2.4.18, which is another dead end in terms of vulnerable service versions. Let's check out what the web server is serving.


If you didn't already know this was a Cowboy Bebop themed machine, now you do. There isn't much else to find on the webpage, nor were there any secrets hidden in the source code. Let's run gobuster in an attempt to find hidden directories and, in the meantime, check out the FTP server.


If you are unaware, when an FTP server allows anonymous logon, you can simply ftp to the server with the username 'anonymous' (and sometimes 'anonymous' as the password as well). Once logged in, the help command gives you a list of all the commands available. Let's give it a try.


Let's run ls -la, which will list all files on the server, including hidden files.


Here we can see two files, "locks.txt" and "task.txt", in the current directory. Let's download them to our machine so we can read them. You can do this using the "get" command.


Let's look at the contents on our own machine in order to see if they hold any useful information.


From the contents of the two files it looks like we do in fact have something valuable on our hands. The first file appears to be a simple list of tasks written by a specific person, "lin", and the second appears to be a list of credentials. If the first thing that comes to mind isn't SSH brute forcing, it should be. Let's spin up Hydra and see if we can't find the right pair.



And we got it! Hydra is a great tool for brute forcing SSH and FTP. There is also a Metasploit module that does the exact same thing, but I prefer Hydra. Make sure to read Hydra's help output thoroughly so that you're using the correct flags.
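The flood of failed logins that Hydra produces is exactly what a defender should be alerting on. The following Python snippet is an added example, not part of the original walkthrough: it parses a constructed auth.log excerpt in the syslog format OpenSSH writes, flags any source IP and username that accumulate repeated failures within a short window, and notes whether that same pair later logged a successful login. The hostname, IP addresses and the user "lin" in the sample are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed /var/log/auth.log excerpt in the syslog layout OpenSSH writes on
# Ubuntu; host, source IPs and user "lin" are made up to mirror the Hydra run.
SAMPLE_AUTH_LOG = """\
Jun  1 12:00:01 bountyhacker sshd[1201]: Failed password for lin from 10.10.14.5 port 40100 ssh2
Jun  1 12:00:01 bountyhacker sshd[1202]: Failed password for lin from 10.10.14.5 port 40101 ssh2
Jun  1 12:00:02 bountyhacker sshd[1203]: Failed password for lin from 10.10.14.5 port 40102 ssh2
Jun  1 12:00:02 bountyhacker sshd[1204]: Failed password for lin from 10.10.14.5 port 40103 ssh2
Jun  1 12:00:03 bountyhacker sshd[1205]: Failed password for lin from 10.10.14.5 port 40104 ssh2
Jun  1 12:00:04 bountyhacker sshd[1206]: Accepted password for lin from 10.10.14.5 port 40105 ssh2
Jun  1 12:05:00 bountyhacker sshd[1300]: Failed password for invalid user admin from 192.168.1.20 port 51000 ssh2
Jun  1 12:05:00 bountyhacker sshd[1300]: pam_unix(sshd:auth): authentication failure; rhost=192.168.1.20
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$")

def parse_ssh_auth(log_text, year=2020):
    """Return (timestamp, result, user, ip) per sshd password event.
    Syslog lines carry no year, so the caller supplies it; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def find_bruteforce(events, threshold=5, window_seconds=60):
    """Flag (ip, user) pairs with >= threshold failures inside any window of
    window_seconds; 'succeeded' marks pairs that also logged an Accepted password."""
    failures, successes = defaultdict(list), set()
    for ts, result, user, ip in events:
        if result == "Failed":
            failures[(ip, user)].append(ts)
        else:
            successes.add((ip, user))
    alerts = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted failure times
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts[key] = {"failures": len(times), "succeeded": key in successes}
                break
    return alerts
```

A pair that is both flagged and marked succeeded is the case worth paging on: the guessing worked, so the account should be locked and the session investigated.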

Now, let's SSH into the target machine and see what we can find.

As always, LinPEAS is an option if you would like to fully enumerate the host for potential privesc vectors, but before you do that, it's good practice to simply run sudo -l to see if there are any additional permissions you have right off the bat.


We can see right away that we are able to run the tar utility as root. For anyone who has never used Linux, tar is an archiving utility, similar to zip on Windows. Now that we know we have permission to run tar as root, we can leverage this to spawn a root shell. GTFOBins is a website that is essentially a repository of privilege escalation vectors for various Linux utilities and binaries. Let's check whether they have an entry for tar.


A quick search shows that they do in fact have a tar entry, with a command that should allow you to escalate privileges if you have the right permissions. Let's give it a try.


And boom. We're root.

I found this CTF enjoyable but very simple, even for someone at my sub-novice skill level. As always, I will plug TryHackMe as a great learning resource for anyone interested in offensive or defensive cybersecurity.
