Bounty Hacker CTF | Walkthrough
This is a Walkthrough for the Bounty Hacker Capture The Flag TryHackMe room. The writeup is meant to offer short and concise solutions by using a bigger font and titling as “Task Number”, but also offering an extended explanation as subheaders for those interested in finding out more about the solution to a specific task.
Task 1: Deploy the Machine
- Click the “Start Machine” button.
Task 2: Find Open Ports on the Machine
Let's use the network scanning tool nmap for this.
nmap -sV MACHINE_IP
We find three services: FTP, SSH, and a Web Server.
2.1: Scanning the web server
I wanted to see if there was something of interest on the web server.
The index only shows a screencap and some text from Sunrise's Cowboy Bebop show (it is a Cowboy Bebop-themed room, after all), but nothing else. I tried enumerating the website's directories with gobuster to see if there was something of interest, but there was nothing out of the ordinary.
Task 3: Who wrote the task list?
There is no mention of a task list anywhere at first sight, but there is apparently an open FTP server.
- Access the FTP server by running
ftp MACHINE_IP
We can only log in with an anonymous user, so the next step is:
Connect to the FTP server and input “anonymous” as the username.
List the contents of the current directory with the dir FTP command.
We see two files, including the task.txt file. Let us download them to our machine.
Download both files by using the get FTP command.
get task.txt
and the same for locks.txt, just in case we need it in the future.
Read the contents of the downloaded file. The file can be found in the directory from which the terminal was running when we started the FTP session. We can just click on it or use the cat command.
cat task.txt
Solution: The author of the task list is
lin
3.1 The locks.txt file
To satisfy our curiosity, let's check what the locks.txt file contained:
cat locks.txt
If you looked at it, then you know: it can be assumed that we are looking at a list of passwords (in plaintext!). Another way of saying this is that we found a wordlist.
Task 4: What service can you bruteforce with the text file found?
This refers to the locks file, which we examined in the previous task. Knowing the open ports and knowing the contents of locks.txt:
Solution: The service we can bruteforce is
SSH
Task 5: What is the user's password?
There are several ways to brute-force an SSH password. We will use the Hydra tool in this instance.
- Brute-force lin's SSH password with Hydra:
hydra -l lin -P /path/to/locks.txt MACHINE_IP ssh
Be sure to change the path to locks.txt to the corresponding one on your machine.
The wordlist is quite short, so it won't take long until it finds lin's current password.
We now have access to the target machine.
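The Hydra run above is noisy on the target: every guess is a failed login in the SSH daemon's log. As an added example (not part of the original walkthrough), here is a small POSIX shell function that counts "Failed password" events per source address in OpenSSH auth-log lines and flags sources above a threshold, plus a check for a successful login that followed the failures. The log lines are constructed for this example; on a real host you would read /var/log/auth.log or the sshd journal instead.

```shell
#!/bin/sh
# Added example (not part of the original walkthrough): detect an SSH password
# brute force from the defender's side by counting "Failed password" events
# per source address in OpenSSH log lines.
# The lines below are constructed for this example, not captured from the room.

SAMPLE_AUTH_LOG='Jun  4 10:01:12 bounty sshd[1201]: Failed password for lin from 10.10.14.5 port 51000 ssh2
Jun  4 10:01:13 bounty sshd[1202]: Failed password for lin from 10.10.14.5 port 51001 ssh2
Jun  4 10:01:13 bounty sshd[1203]: Failed password for invalid user admin from 10.10.14.9 port 40210 ssh2
Jun  4 10:01:14 bounty sshd[1204]: Failed password for lin from 10.10.14.5 port 51002 ssh2
Jun  4 10:01:15 bounty sshd[1205]: Failed password for lin from 10.10.14.5 port 51003 ssh2
Jun  4 10:01:16 bounty sshd[1206]: Accepted password for lin from 10.10.14.5 port 51004 ssh2'

# flag_ssh_bruteforce THRESHOLD   (log lines on stdin)
# Prints "SOURCE_IP FAILURES" for every source with at least THRESHOLD failed
# password attempts, one per line, sorted by address.
flag_ssh_bruteforce() {
  threshold="$1"
  awk -v t="$threshold" '
    /sshd\[[0-9]+\]: Failed password for / {
      # the source address is the token right after "from"; this works for
      # both "for USER from IP" and "for invalid user USER from IP"
      for (i = 1; i <= NF; i++) {
        if ($i == "from") { fails[$(i + 1)]++; break }
      }
    }
    END { for (ip in fails) if (fails[ip] + 0 >= t + 0) print ip, fails[ip] }
  ' | sort
}

# success_after_failures SOURCE_IP   (log lines on stdin)
# Exit 0 if that source also produced an "Accepted password" event, which is
# the case worth paging on: the guessing worked.
success_after_failures() {
  grep 'Accepted password for ' | grep -qF " from $1 "
}

# Run against the constructed sample: prints "10.10.14.5 4"
printf '%s\n' "$SAMPLE_AUTH_LOG" | flag_ssh_bruteforce 3
```

The threshold is deliberately a parameter: on a jump host three failures in a minute may be normal, on a server that only ever takes key-based logins one failed password is already interesting. Pairing the count with the success check is what turns "someone is guessing" into "someone got in".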
Task 6: user.txt
Connect to the target machine with lin's user and password (obtained on the previous step):
ssh lin@MACHINE_IP
Use the ls command to list the contents of lin's Desktop directory.
We will find a user.txt file. Read it with cat and you will find the flag.
Task 7: root.txt
We can't change to /root/ because lin does not have the permissions to do so.
Check what commands lin can run as root. There is more than one way to do this; the simplest one is:
sudo -l -l
It will ask us to input lin's password (which we know). It seems that lin can run /bin/tar as the root user.
Find a way to escalate privileges using tar. GTFObins is a good source for this. I used the following command:
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
This allowed me to run a shell as the root user.
Change your directory to /root/ and list the contents. We will find the root.txt file, which contains the final flag.
Congratulations! The room is finished.
7.1 GTFOBins
If you want to investigate a bit more: when a /bin/ file appears in the output of the first command, look for the “Sudo” section on that binary's GTFOBins page. Beyond that, GTFOBins is a collection of commands that can be used to escalate privileges, transfer files, and break out of shells, among other things.
How it could have been avoided
There were several vulnerabilities we took advantage of in this machine. Let us list them and give one solution to each:
- Do not have sensitive ports open, or filter them: it is better to open ports only when needed. Even better, have them filtered: if the FTP or SSH port only allowed trusted IP addresses to connect, we would not have been able to use them like we did.
- Do not allow anonymous connections to FTP servers if the machine contains sensitive files and the port is open. This is how we exfiltrated lin's password.
- Do not store passwords in plaintext: this is CRUCIAL! lin had stored the passwords in plaintext. No matter how strong they were, thanks to this we were able to use them as a wordlist and connect to the FTP and SSH servers. Only store passwords in a secure, salted hash format.
- Do not allow unprivileged users to run files as root: this misconfiguration is how we escalated privileges. If something absolutely needs to be executed by unprivileged users with elevated privileges, add a policy to the /etc/sudoers.d/ directory, so that at least, in case of an incident, the user who executed a malicious command will be logged instead of being logged as “root.”
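Two of the four points above (anonymous FTP and the sudo rule) are plain configuration facts that can be checked on every host before an attacker finds them. As an added example (not the walkthrough's own code), here is a small POSIX shell audit that reads a vsftpd configuration and a sudoers file and reports both weaknesses. The config fragments are constructed for this example; on a real host you would feed the functions /etc/vsftpd.conf and /etc/sudoers plus each file in /etc/sudoers.d/.

```shell
#!/bin/sh
# Added example (not part of the original walkthrough): audit a host for the
# two misconfigurations used in Task 3 and Task 7, anonymous FTP logins and a
# sudo rule that lets an unprivileged user run a binary as root.
# All config fragments below are constructed for this example.

WEAK_VSFTPD='listen=YES
anonymous_enable=YES
local_enable=YES'

HARDENED_VSFTPD='listen=YES
anonymous_enable=NO
local_enable=YES'

WEAK_SUDOERS='# constructed sample, not the real file from the room
Defaults env_reset
root ALL=(ALL:ALL) ALL
lin ALL=(root) /bin/tar'

# ftp_allows_anonymous   (vsftpd.conf on stdin) -> exit 0 if anonymous is on
# vsftpd controls this with the anonymous_enable key; whitespace and case are
# tolerated so a creatively formatted line is not missed.
ftp_allows_anonymous() {
  grep -iqE '^[[:space:]]*anonymous_enable[[:space:]]*=[[:space:]]*YES[[:space:]]*$'
}

# sudo_grants_to_nonroot   (sudoers text on stdin)
# Prints every rule line whose subject is not root: users, %groups and aliases
# that may run something with elevated rights. Comments, blank lines and
# Defaults lines are skipped because they grant nothing.
sudo_grants_to_nonroot() {
  awk '
    /^[[:space:]]*(#|$)/    { next }
    /^[[:space:]]*Defaults/ { next }
    $1 != "root" && /=/     { print }
  '
}

# audit_report VSFTPD_TEXT SUDOERS_TEXT
# Prints one "FINDING:" line per problem found, followed by the offending
# sudo rules when there are any.
audit_report() {
  if printf '%s\n' "$1" | ftp_allows_anonymous; then
    echo "FINDING: anonymous FTP logins are enabled (anonymous_enable=YES)"
  fi
  grants=$(printf '%s\n' "$2" | sudo_grants_to_nonroot)
  if [ -n "$grants" ]; then
    echo "FINDING: sudo rules exist for non-root subjects, review each against GTFOBins:"
    echo "$grants"
  fi
}

# Run against the constructed weak configuration: two findings
audit_report "$WEAK_VSFTPD" "$WEAK_SUDOERS"
```

The sudo check is intentionally broad: it lists every grant to a non-root subject rather than trying to decide which binaries are dangerous, because that judgement (the "Sudo" section on the binary's GTFOBins page) is the reviewer's job, and a rule that looks harmless today can become an escalation path with the next upstream feature.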