
TryHackMe – Bounty Hacker Walkthrough

Introduction

This was a very easy Linux machine that involved brute-forcing user credentials via SSH to gain initial access and exploiting the tar binary, which could be run with sudo, to escalate privileges to root.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate application versions

The scan has identified three open ports: port 21 (FTP), port 22 (SSH) and port 80 (HTTP). The next step will be to start enumerating FTP and HTTP.

Enumerating FTP

The FTP server has anonymous authentication enabled; connecting to it reveals two text files, which are both downloaded:

The locks.txt file appears to contain a list of words, potentially a list of passwords:

Since the first text file was signed by “lin”, this could be a valid user on the machine. Hydra is used to brute-force the password, with the following flags:

  • -f to stop the attack when a valid password is found
  • -l to specify the username for the brute-force attack
  • -P to specify the wordlist to use for the brute-force attack
  • the service and target to brute-force

Hydra has successfully identified a valid password for the “lin” user. Authenticating as lin via SSH:

Privilege Escalation

When executing sudo -l, it appears that the lin user can execute tar as root:

Upon consulting GTFOBins, it appears tar can be exploited when run with sudo. tar has an argument called --checkpoint, which displays a “progress” message every time a given number of files have been archived. This can be used in combination with the --checkpoint-action flag, which executes an action, in the form of a binary or script, whenever a checkpoint is reached.

Executing tar with the required flags, instructing it to run /bin/sh once the checkpoint is reached:

Upon executing the command, a root-level shell is obtained.
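A defender-side check for the weakness abused above, added here as an example that is not part of the original walkthrough: it parses sudoers-style rules (a constructed sample, with a hypothetical SHELL_CAPABLE list of binaries) and flags any rule that grants tar, or another listed binary, to a non-root user without pinning its arguments, which is exactly the condition that lets --checkpoint-action be appended.

```python
import re

# Constructed subset of binaries that run caller-supplied commands when started
# as root; tar is the one abused on this box (via --checkpoint-action).
SHELL_CAPABLE = {"tar", "vim", "find", "less", "python3"}

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")

def parse_sudoers(text):
    """Return (user, nopasswd, [commands]) per user rule; Defaults/comments skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE_RE.match(line) if line and not line.startswith("Defaults") else None
        if not m:
            continue
        nopasswd, cmds = False, []
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            while ":" in cmd.split(" ", 1)[0]:  # strip tags such as NOPASSWD:
                tag, cmd = cmd.split(":", 1)
                nopasswd |= tag.strip() == "NOPASSWD"
                cmd = cmd.strip()
            if cmd:
                cmds.append(cmd)
        rules.append((m.group("user"), nopasswd, cmds))
    return rules

def audit(rules):
    """Return (user, command, reason) for non-root rules that hand out a root shell."""
    findings = []
    for user, _nopasswd, cmds in rules:
        if user == "root":
            continue
        for cmd in cmds:
            name = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append((user, cmd, "may run any command"))
            elif name in SHELL_CAPABLE and len(cmd.split()) == 1:
                # No argument list in the rule: the caller picks the arguments.
                findings.append((user, cmd, f"{name} with caller-chosen arguments"))
    return findings

# Constructed sample: lin's rule matches the page's description (tar runnable as
# root); the backup rule pins tar's argument list, so nothing can be appended.
SAMPLE = """\
root    ALL=(ALL:ALL) ALL
lin     ALL=(root) NOPASSWD: /bin/tar
backup  ALL=(root) NOPASSWD: /bin/tar -czf /var/backups/home.tgz /home
"""
```

Running `audit(parse_sudoers(SAMPLE))` reports only lin's rule; the fixed-argument backup rule passes because sudo rejects any arguments that differ from the listed ones.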

Conclusion

This machine would not be particularly challenging for seasoned pentesters, although it would be great for students who are new to this field and want to learn the basics in a controlled environment such as TryHackMe.