THM Series #3 Bounty Hacker

Another easy box from Try Hack Me. The CTF can be accessed here. Let’s start the journey.

The first step of the approach is to enumerate the open services on the asset. The nmap detected 3 ports to be open on the asset. Port 21, 22 and 80.

Nmap Output

I tried logging into the FTP service using the anonymous account and surprisingly, I went through. There were two text files available which I fetched using the get command.

FTP Login Attempt
Fetching Files from FTP directory

Upon investigating the fetched files, I found a note from a user in the text.txt file and a password dump in the locks.txt

FTP File Contents

Since port 22 is open and we have a kind of password dump available with us, I tried Hydra to brute force the SSH login to identify if we have any password match. Fortunately, Hydra was able to login successfully with one of the passwords from the dump.

Hydra Brute Forcing

Based on the identified credentials, I logged in through SSH protocol. The user flag was present in the room folder. The sudo -l indicated that the user can run /bin/tar .

User Flag

I referred to a guide present here to use /bin/tar to escalate privilege. The command can be interpreted as : [cf: Creates a new .tar archive file & File name type of the archive file], [/dev/null black hole to discard whatever being written], [Checkpoint help us to execute actions, checkpoint=1 is for scheduling 1st record and action indicate to execute shell]. Bingo!!! This gave an elevated shell and was able to find the root flag.

Root Flag

This was a very easy box on a rating scale and took less than an hour to crack. Attempting the FTP path gave a straight path. I too tried to do directory brute forcing but nothing interesting was there.

See you soon with another writeup!!

Plagiarism Score: 0% Calculated fromĀ SmallSEOTools

Up ↑

%d bloggers like this: