TryHackMe | Bounty Hacker Walkthrough
Hi there, I’m glad to see you here. In this article, we’ll solve the “Bounty Hacker” room in TryHackMe together. In some sections, I’ll give a brief overview of the subject. Don’t forget: you must always do your own research to learn more. I hope it will be helpful for you. Let’s start!
In this set of tasks, we’ll learn the following:
-Service Enumeration
-Brute Forcing
-Privilege Escalation
Deploy the machine
Q1: Deploy the machine.
A1: No answer needed
Step 1: You need an OpenVPN configuration file to connect over VPN to the machines in TryHackMe.
Step 2: Use the openvpn command to start your VPN connection.
Step 3: Can you see the IP address of the machine?
Step 4: You can check your connection.
Q2: Find open ports on the machine
A2: No answer needed
First, we need to run an nmap scan to find out which ports are open and which services are running on them.
Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing.
nmap -A -T4 -p- 10.10.211.98
-A : Enable OS detection, version detection, script scanning and traceroute.
-T4 : Set timing template (higher is faster).
-p- : You can specify “-p-” to scan ports from 1 through 65535.
We can see that ports 21, 22 and 80 are open. First, let’s look at what is running on port 80.
At first glance, it looks like an ordinary web page. Spike, Jet, Ed and Faye talk about our mission. We don’t have time to talk guys. Next!
Q3: Who wrote the task list?
A3: ***
When I examined the nmap scan result, something caught my attention. Did you see it too? Yes, we can connect to FTP as anonymous and maybe find something interesting there. Let’s try!
Let’s transfer these files to our machines using the get command.
FTP (File Transfer Protocol) is a network protocol for transmitting files between computers over Transmission Control Protocol/Internet Protocol (TCP/IP) connections. Within the TCP/IP suite, FTP is considered an application layer protocol.
A password file? What for?
It looks like a task list from ***.
We have a username and a list of passwords. They can be useful for us. But what can we do with this information? I guess we are thinking the same thing. Do you remember that the SSH port was open? Once we find ***’s password, we can connect via SSH. We can use hydra for this.
Q4: What service can you bruteforce with the text file found?
A4: SSH
The SSH protocol (also referred to as Secure Shell) is a method for secure remote login from one computer to another.
A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until you discover the one correct combination that works.
Q5: What is the users password?
A5: ******************
Hydra is a parallelized login cracker which supports numerous protocols to attack.
hydra -l <Login_Name> -P <wordlist> 10.10.211.98 ssh
-l : Login with LOGIN name.
-P : Load several passwords from FILE.
[machine IP] : The IP address of the target machine.
ssh / protocol : Sets the protocol.
Perfect! *** uses a complex password. Who cares?
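As an added example from the defender's side (not part of the original walkthrough): a Hydra run like the one above appears in the target's sshd log as a burst of failed logins for one user from one source. This Python script flags such bursts and records whether an accepted login followed; the log lines, the host name web01, the user names and the addresses are constructed, and the threshold, window and year are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH log lines: "<Failed|Accepted> password for [invalid user ]NAME from IP port N ssh2"
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_password_guessing(lines, threshold=5, window=timedelta(seconds=60), year=2024):
    """Return one alert per (ip, user) with >= threshold failures inside window.

    login_followed is True when an accepted password login for the same user
    from the same source appears after the alert, i.e. a guess probably worked.
    """
    failures = defaultdict(list)  # (ip, user) -> timestamps of recent failures
    alerts = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; the caller supplies one (assumption)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["ip"], m["user"])
        if m["result"] == "Failed":
            recent = [t for t in failures[key] if ts - t <= window] + [ts]
            failures[key] = recent
            if len(recent) >= threshold and key not in alerts:
                alerts[key] = {"ip": key[0], "user": key[1],
                               "first_seen": recent[0], "login_followed": False}
        elif key in alerts:
            alerts[key]["login_followed"] = True
    return list(alerts.values())

# Constructed sample: six failures for "alice" in ten seconds, then a success,
# plus one ordinary mistyped password for "bob" that must not raise an alert.
SAMPLE = [f"Mar 14 09:15:{s:02d} web01 sshd[2211]: Failed password for alice "
          f"from 203.0.113.7 port {40000 + s} ssh2" for s in range(0, 12, 2)]
SAMPLE += [
    "Mar 14 09:15:13 web01 sshd[2211]: Accepted password for alice from 203.0.113.7 port 40013 ssh2",
    "Mar 14 09:16:02 web01 sshd[2290]: Failed password for bob from 198.51.100.4 port 51514 ssh2",
    "Mar 14 09:16:09 web01 sshd[2290]: Accepted password for bob from 198.51.100.4 port 51515 ssh2",
]

if __name__ == "__main__":
    for alert in find_password_guessing(SAMPLE):
        print(alert)
```

An alert with login_followed set is the case to triage first: the account's password should be treated as known to the source.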
Q6: user.txt
A6: ********************
Let’s connect using ***’s credentials!
Congratulations! You found the first flag.
Q7: root.txt
A7: ******************
Is it over? Of course not.. But I can feel we are getting close to the end. We need privileged access to the system.
sudo -l : The -l (list) option prints the commands allowed (and forbidden) for the user on the current host.
Let’s research using the information the system gives us.
I think you should take note of this site, because here you can find the privilege escalation commands.
A privilege escalation attack is a cyberattack designed to gain unauthorized privileged access into a system.
That’s it! Let’s get the flag and get out of here.
Congratulations! You found the second flag.
Thank you for your time. See you soon! Until that time.. Happy Hacking ❤
Resources:
https://www.techtarget.com/searchnetworking/definition/File-Transfer-Protocol-FTP
https://www.ssh.com/academy/ssh/protocol
https://owasp.org/www-community/controls/Blocking_Brute_Force_Attacks
https://www.kali.org/tools/hydra
https://www.crowdstrike.com/cybersecurity-101/privilege-escalation