TryHackMe write-up: Bounty Hacker

Introduction

This is my write-up for TryHackMe’s Bounty Hacker Room.

Enumeration

Using nmap, I saw that this box is running FTP, SSH and HTTP.

FTP allows anonymous access. Looking inside, I find 2 files.

Downloading and checking the files, I see that one of them look like a password list.

The 2nd file, contains a list of things to do. The writer of the list might be a user.

Exploitation

Running hydra using the password list found at the FTP, I was able to get the SSH credentials.

Connecting via SSH, I was able to verify the above credentials.

Privilege Escalation

Checking for sudo privileges, I found that I could user tar for privilege escalation.

Checking GTFOBins, I can run something like:

sudo tar -cf /dev/null /dev/null — checkpoint=1 — checkpoint-action=exec=/bin/sh

Trying something similar to that above out, I was able to gain root access.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store