This is my write-up for TryHackMe’s Bounty Hacker Room.
Using nmap, I saw that this box is running FTP, SSH and HTTP.
FTP allows anonymous access. Looking inside, I find 2 files.
Downloading and checking the files, I see that one of them look like a password list.
The 2nd file, contains a list of things to do. The writer of the list might be a user.
Running hydra using the password list found at the FTP, I was able to get the SSH credentials.
Connecting via SSH, I was able to verify the above credentials.
Checking for sudo privileges, I found that I could user tar for privilege escalation.
Checking GTFOBins, I can run something like:
sudo tar -cf /dev/null /dev/null — checkpoint=1 — checkpoint-action=exec=/bin/sh
Trying something similar to that above out, I was able to gain root access.