TryHackMe Bounty Hacker Writeup

Meliksah Ercan
Jul 24, 2024


This is a writeup for the Bounty Hacker room.

My target IP: 10.10.228.252

Nmap

Let's scan our target and check for open ports.

nmap results

3 ports are open.

Gobuster

It seems the website does not have much unusual content.

gobuster results

Website Inspection

There is not much going on with the website and images directory. I checked the page source and it was clean.

website

FTP

We can check whether FTP allows us to log in anonymously.

ftp login

We managed to log in successfully. I found 2 files and transferred them to my machine.

ftp transfers

The locks file contains some passwords, and the task file contains the answer to one of the questions, which is the name of the writer.

task.txt
locks.txt

SSH

We can try brute-forcing SSH. I assume the username is the one we found in task.txt.

hydra -l USERNAME -P locks.txt 10.10.228.252 ssh
ssh bruteforce

We have the password. Now let's log in.

ssh login

User Flag

I will search for the user flag. This time it was in our directory, but you can go to the / directory and use the “find -name user.txt” command.

user flag

Root Flag

First I will start by checking what commands we can run.

We can run /bin/tar. I will check GTFOBins for possible exploits.

I will try this one:



sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
gtfobins exploit

It worked and now we have root access. Now we can get the root flag.

root flag
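
From the defender's side, the two steps above that leave the clearest traces are the SSH password guessing and the sudo tar invocation. The following is an added example (not part of the original writeup) that scans auth.log-style lines for both; the log lines, usernames and addresses are constructed, and the layout is assumed to be the common sshd/sudo syslog format.

```python
import re
from collections import defaultdict

# Constructed sample lines in the usual sshd/sudo auth.log layout (not from the room).
SAMPLE_LOG = """\
Jul 24 10:00:01 box sshd[901]: Failed password for alice from 192.0.2.10 port 40001 ssh2
Jul 24 10:00:02 box sshd[902]: Failed password for alice from 192.0.2.10 port 40002 ssh2
Jul 24 10:00:03 box sshd[903]: Failed password for alice from 192.0.2.10 port 40003 ssh2
Jul 24 10:00:04 box sshd[904]: Accepted password for alice from 192.0.2.10 port 40004 ssh2
Jul 24 10:00:09 box sshd[950]: Failed password for bob from 198.51.100.7 port 50001 ssh2
Jul 24 10:02:00 box sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
Jul 24 10:03:00 box sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/tar -czf /root/backup.tgz /etc
"""

SSH_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")
# GNU tar options that run an external program; the page's command uses the first.
TAR_EXEC_RE = re.compile(r"--checkpoint-action=exec|--to-command|--use-compress-program")

def analyze(log_text, fail_threshold=3):
    """Return alerts for guess-then-success SSH logins and sudo tar command execution."""
    alerts = []
    failures = defaultdict(int)  # (user, source ip) -> failed attempts since last success
    for line in log_text.splitlines():
        m = SSH_RE.search(line)
        if m:
            outcome, user, ip = m.groups()
            if outcome == "Failed":
                failures[(user, ip)] += 1
            else:
                # A success right after many failures from the same source is the signal.
                count = failures.pop((user, ip), 0)
                if count >= fail_threshold:
                    alerts.append(("ssh_guess_then_success", user, ip, count))
            continue
        m = SUDO_RE.search(line)
        if m:
            user, target, command = m.groups()
            argv = command.split()
            if argv and argv[0].rsplit("/", 1)[-1] == "tar" and TAR_EXEC_RE.search(command):
                alerts.append(("sudo_tar_exec", user, target, command.strip()))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The second sudo line in the sample is an ordinary backup and is not flagged, which is the distinction a sudoers review should also make: granting tar under sudo without restricting its arguments grants command execution as the target user.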
