Bounty Hacker – a tryhackme.com writeup

This one is quite fun since it involves multiple services and also some local privilege escalation.

You can find it here at tryhackme.com

Let’s start with a port scan as usual:

sudo nmap -A 10.10.127.129

 

Let’s look at the FTP server first and see if we can log in as user anonymous:

ftp 10.10.127.129

 

That went well. Let’s get the two files and look into them.

get locks.txt
get tasks.txt

The files sound promising – so let’s look inside:

task.txt is just a note at first sight – but it reveals a username:

lin

locks.txt looks like a collection of passwords.

We know from the portscan earlier that an ssh server is running on our target.

So we will use hydra to try an ssh login on our target, with “lin” as the user and the entries in locks.txt as password candidates:

hydra -l lin -P locks.txt ssh://10.10.127.129

Cool! That seemed to work. So the service we could brute-force is

ssh

We found the password

RedDr4gonSynd1cat3

to be lin’s ssh password on our target.

Let’s ssh in and look around.

ssh -l lin 10.10.127.129

This brought us straight to lin’s desktop.

And there we found our first flag. So the user flag is

THM{CR1M3_SyNd1C4T3}

We expect the root flag to be in /root. But when we try this directory as user lin we get “permission denied”, as expected.

So let’s see if we can use sudo to get a step further.

sudo -l

So we can use tar as the user root. Let’s see what we can achieve with that.

One URL that is very useful is

https://gtfobins.github.io/

 

Here we can look for a clever way to use tar in our favour.

So: what does that all mean?

It’s pretty clever: we “create” a tar archive by reading from /dev/null and also writing to /dev/null – which basically means nothing will be written to disk.

When tar reaches a checkpoint (meaning a certain number of blocks has been written to /dev/null), it executes the command given with --checkpoint-action=exec (/bin/sh in the command below).

Since we can execute tar as root, tar in turn executes that command as root and we should get a root shell. Let’s try:

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

This is exactly how we wanted it. We are root now. So let’s look into root’s home directory and see if our last flag is there

cd /root
ls -la

 

So there it is: our last flag in root.txt

THM{80UN7Y_h4cK3r}
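
Seen from the defender’s side, the sudo tar step above leaves a clear trace in the sudo log. The following is an added example, not part of the original writeup: it scans sudo log lines for tar runs that carry a checkpoint exec action. The log lines, the host name “target”, the source address and the /bin/tar path are constructed for illustration.

```python
import posixpath
import re

# Constructed sample lines in the format sudo writes to auth.log/syslog.
# Host name "target", times, source IP and the /bin/tar path are illustrative.
SAMPLE_LOG = """\
Mar  3 10:14:02 target sudo:      lin : TTY=pts/0 ; PWD=/home/lin ; USER=root ; COMMAND=/bin/tar -czf /tmp/docs.tgz Documents
Mar  3 10:15:40 target sudo:      lin : TTY=pts/0 ; PWD=/home/lin ; USER=root ; COMMAND=/bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
Mar  3 10:16:05 target sudo:      lin : TTY=pts/0 ; PWD=/home/lin ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 10:17:11 target sshd[1042]: Accepted password for lin from 192.0.2.10 port 50122 ssh2
"""

# sudo log entry: "<user> : TTY=... ; PWD=... ; USER=<run-as> ; COMMAND=<argv>"
SUDO_RE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)
# tar accepts "--checkpoint-action=exec=CMD" and "--checkpoint-action exec=CMD"
EXEC_RE = re.compile(r"--checkpoint-action[= ]exec=(?P<target>\S+)")


def find_tar_exec(log_text):
    """Return one dict per sudo-run tar command that uses a checkpoint exec action."""
    hits = []
    for line in log_text.splitlines():
        entry = SUDO_RE.search(line)
        if not entry:
            continue  # not a sudo command record
        command = entry.group("cmd")
        argv = command.split()
        if not argv or posixpath.basename(argv[0]) != "tar":
            continue  # only tar invocations are of interest here
        action = EXEC_RE.search(command)
        if action:
            hits.append({
                "user": entry.group("user"),
                "runas": entry.group("runas"),
                "exec": action.group("target"),
                "command": command,
            })
    return hits


if __name__ == "__main__":
    for hit in find_tar_exec(SAMPLE_LOG):
        print(f"{hit['user']} ran tar as {hit['runas']} with exec={hit['exec']}: {hit['command']}")
```

A hit like this points back at the root cause: a sudo rule that lets lin run tar as root with arbitrary arguments.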
