Open in app

Sign in

Write

Sign in

Santosh Kumbhar
4 min readFeb 1, 2022

--

TryHackMe Walkthrough- Bounty Hacker: CTF

Disclaimer: This article is for educational purposes only, do not attempt to hack into anyone’s devices without prior consent from the person you are hacking, and only use this information for ethical purposes. Also, don’t hack into the IP’s shown in the article, since you need VPN access to see them and it always changes.

The best way to learn ethical hacking is to practice. But it is really hard to find somebody willing to give you consent for you to hack them. That’s where Capture the Flag(CTF) companies come into play, these companies(such as TryHackMe) allow you to legally practice ethical hacking on their machines. In this article, I will walk you through hacking Bounty Hacker CTF on TryHackMe.

Scanning and Enumeration

The first thing I always do is run a network scan with Nmap, so I can get a sense of the network structure/architecture, information = power.

nmap -A -T4 -v [IP]
  • A = Get device information
  • -T4 = Runs faster
  • -v = print out while scanning

Nmap scan results

I see that FTP is open for anonymous access. FTP is the File Transfer Protocol, which helps people transfer files.

Nmap scan showing anonymous access allowed

So I did more enumeration on FTP, by logging into it(Username = anonymous, password = anonymous)

ftp [ip]

Logging into FTP and getting files

I first did an ls to see if there’s anything in the directory. I saw locks.txt and task.txt. I then use the get command to bring them onto my local desktop.

I first open the task.txt

cat task.txt

Reading task.txt

We now have an idea of what a possible username might be. I then open locks.txt

cat locks.txt

Reading locks.txt

It looks like we have a possible list of passwords.

Exploit

Now we can try password spraying the ssh login since we have a username and a list of passwords.

hydra -l lin -P locks.txt [ip] ssh

Password spraying ssh

It was successful, and now we have a password and username to log in to ssh.

ssh lin@[ip]

Logging in through ssh

We now have low-level access to the machine

Privilege escalation

The first thing I do when I want to escalate my privileges checks the sudo permissions(ie: what can I run as root)

sudo -l

Finding what we can run as root

I see we can run tar as root, so we can go to GTFObins to find an escalation technique.

Finding tar commands on GTFObins

Run the command

Running the tar escalation technique

And now we have root access

Finding out who we are

Congratulations, you have rooted the machine. Thanks for reading this CTF walkthrough, and remember to only use this information for ethical purposes.

--

--

Santosh Kumbhar

Written by Santosh Kumbhar

18 Followers

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams