TryHackMe Walkthrough- Bounty Hacker: CTF
Disclaimer: This article is for educational purposes only, do not attempt to hack into anyone’s devices without prior consent from the person you are hacking, and only use this information for ethical purposes. Also, don’t hack into the IP’s shown in the article, since you need VPN access to see them and it always changes.
The best way to learn ethical hacking is to practice. But it is really hard to find somebody willing to give you consent for you to hack them. That’s where Capture the Flag(CTF) companies come into play, these companies(such as TryHackMe) allow you to legally practice ethical hacking on their machines. In this article, I will walk you through hacking Bounty Hacker CTF on TryHackMe.
Scanning and Enumeration
The first thing I always do is run a network scan with Nmap, so I can get a sense of the network structure/architecture, information = power.
nmap -A -T4 -v [IP]
- A = Get device information
- -T4 = Runs faster
- -v = print out while scanning
Nmap scan results
I see that FTP is open for anonymous access. FTP is the File Transfer Protocol, which helps people transfer files.
Nmap scan showing anonymous access allowed
So I did more enumeration on FTP, by logging into it(Username = anonymous, password = anonymous)
ftp [ip]
Logging into FTP and getting files
I first did an ls to see if there’s anything in the directory. I saw locks.txt and task.txt. I then use the get command to bring them onto my local desktop.
I first open the task.txt
cat task.txt
Reading task.txt
We now have an idea of what a possible username might be. I then open locks.txt
cat locks.txt
Reading locks.txt
It looks like we have a possible list of passwords.
Exploit
Now we can try password spraying the ssh login since we have a username and a list of passwords.
hydra -l lin -P locks.txt [ip] ssh
Password spraying ssh
It was successful, and now we have a password and username to log in to ssh.
ssh lin@[ip]
Logging in through ssh
We now have low-level access to the machine
Privilege escalation
The first thing I do when I want to escalate my privileges checks the sudo permissions(ie: what can I run as root)
sudo -l
Finding what we can run as root
I see we can run tar as root, so we can go to GTFObins to find an escalation technique.
Finding tar commands on GTFObins
Run the command
Running the tar escalation technique
And now we have root access
Finding out who we are
Congratulations, you have rooted the machine. Thanks for reading this CTF walkthrough, and remember to only use this information for ethical purposes.