Bounty Hunter

Writeup by isko3k

https://tryhackme.com/room/cowboyhacker

You were boasting on and on about your elite hacker skills in the bar and a few Bounty Hunters decided they’d take you up on claims! Prove your status is more than just a few glasses at the bar. I sense bell peppers & beef in your future!

Living up to the title

Join the room – Start the machine – Launch the attackbox/connect via OpenVPN

Attacking

Starting of with our nmap scan of our target we can see 3 open ports

21 ftp

22 ssh

80 http

Instantly noticing the anonymous login for the ftp server I attempt to login to find any further information about our target

After connecting to the ftp server via anonymous i do a little sniffing and see two files in the home directory, after some downloading troubles I can now see what the file contents are

Locks.txt looks like a wordlist with a bunch of variations of Red, Dragon & Syndicate combined together into a password, this will be useful

Cat.txt didn’t give us much information, but what it does give us is someone’s name, lin

Putting it all together with the SSH port open, a potential username and what looks like a wordlist, I attempt to brute force the SSH login

And successfully brute forcing the SSH login of the user lin

And the user.txt flag

Now to get root I first checked what privileges the user lin had

Noticing the user lin could run /bin/tar as sudo – I moved over to GTFOBins

GTFOBins shows a privilege escalation technique for users who can run /tar as sudo

Using the escalation to maneuver my way to root was successful

I search for the root.txt file and found it in the /root directory

That’s it, or is it

Noticing the box was also running an apache server I had to check out the site and run a quick gobuster scan

The homepage was a bit funky – with some cartoons explaining to me to gain root access to the system, and if I was lucky I’d get some bell pepper and beef… interesting.

Besides this there was nothing of interest found

Our gobuster scan was also a deadend – leading us to the /images directory the contained the homepage image

Writeup by isko3k

CTF by Sevuhl

isko3k