Writeups

Bounty Hacker CTF - THM Easy Box

• nmap scan: here

• Open Ports:

    21 ==> ftp
    22 ==> ssh
    80 ==> http
  

• nikto scan at the http.

    Nothing Found
  

• gobuster scan:

    Nothing interesting found
  

• Checked FTP and tried to search in the exploit-db for the exploit of the version, tried some scripts but didn’t work.

• Checked FTP server with Name: anonymous

• Logged into the ftp server and found locks.txt & task.txt

• Downloaded the files and found that locks.txt was a username/password file

• Used hydra to attck the ssh of the machine
  
  Bruteforcing
  .
  .
  .
  .
  .

• Failed! Why? Because used the username and password for the same file.
• cat the task.txt and found the username lin at the end.
• Instead used lin as user and VOILA got the password as Click Me!
• ssh into the machine by ssh [email protected] and password as mentioned above

• found the user.txt

  #### Privilege Escalation

• Got the commands that the user can run as sudo by sudo -l and found to be /bin/tar
• Got the sudo script from GTFOBins/Tar and escalated the privileges to sudoer.
• Got root.txt from /root/