Day-02: TryHackMe [Bounty Hacker] room Walkthrough

"Welcome to The Grey Lens. In a world saturated with digital noise, my mission is to provide a lens of clarity. 'Grey' represents the complex space between black-hat and white-hat hacking: the world of ethical security research and deep-dive investigation. This blog is my lens, focusing on the critical details, deconstructing complex systems, and bringing the intricate world of cybersecurity into sharp focus."

Hi! This is Day 2 of my daily CTF challenge walkthrough. I am Adbin Magar, the researcher behind TheGreyLens. Join me as I tackle the 'Bounty Hacker' CTF room on TryHackMe.

Question 1: Deploy the machine
Answer: No Answer Needed

Question 2: Find open ports on the machine

Here, I used my go-to tool, Nmap, to scan the target and find the open ports.

Answer: No Answer Needed

Question 3: Who wrote the task list?

The Nmap scan showed an open FTP service. Keeping in mind that defaults should always be checked first, I tried an anonymous FTP login, which was successful. The ls command showed two files, locks.txt and task.txt, which I downloaded to my attacker machine.

After downloading both files, I ran cat on task.txt, where lin was listed as the author.

Answer: lin

Question 4: What service can you bruteforce with the text file found?

Answer: SSH

Question 5: What is the users password?

I had already downloaded locks.txt. Reading the file, I saw that it is a password wordlist, so with lin as the user I used Hydra to brute-force lin's password.

hydra -l lin -P locks.txt ssh://10.48.186.52 -t 4 -V

Answer: RedDr4gonSynd1cat3

Question 6: user.txt

Let's recall from our Nmap scan that the target had an SSH service running. Using the credentials discovered during the brute-force attack, I successfully authenticated as the user lin. Once logged in, I ran the ls command, which showed a user.txt file. I then read its contents to retrieve the flag.

Answer: THM{CR1M3_SyNd1C4T3}

Question 7: root.txt

To obtain the root.txt flag, I began by checking the current user's sudo capabilities with sudo -l. This revealed that the user lin has permission to run /bin/tar as the root user, which is a clear vector for privilege escalation.

I referred to GTFOBins, which is my go-to site for privilege escalation.

https://gtfobins.org/gtfobins/tar/#shell

I followed the instructions in the GTFOBins tar shell section to construct a command that escalates privileges to root, as follows:

sudo /bin/tar cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

Answer: THM{80UN7Y_h4cK3r}
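Seen from the defender's side, both the sudo rule and the tar command above can be checked for automatically. The following is an added example, not part of the original walkthrough or of GTFOBins: it flags `sudo -l` rules that allow a shell-capable binary to run as root, and it spots tar invocations in logged command lines that execute a program at a checkpoint. The sample `sudo -l` output, the binary list and the function names are assumptions constructed for illustration.

```python
import re
import shlex

# Illustrative subset of binaries with GTFOBins shell entries (assumption:
# extend this from your own review; it is not exhaustive).
SHELL_CAPABLE = {"tar", "find", "vim", "less", "awk", "env", "perl", "python3"}

# One rule line of `sudo -l` output, e.g. "    (root) NOPASSWD: /bin/tar"
RULE = re.compile(r"^\s*\(([^)]*)\)\s*(?:[A-Z_]+:\s*)*(.+)$")

def risky_sudo_entries(sudo_l_output):
    """Return (command, reason) for rules that effectively hand out a root shell."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m or m.group(1).split(":")[0].strip() not in ("root", "ALL"):
            continue
        for cmd in m.group(2).split(","):
            parts = cmd.split()
            if not parts:
                continue
            if parts[0] == "ALL":
                findings.append((cmd.strip(), "unrestricted sudo"))
            elif parts[0].rsplit("/", 1)[-1] in SHELL_CAPABLE:
                findings.append((cmd.strip(), "shell-capable binary as root"))
    return findings

def tar_runs_command(cmdline):
    """Heuristic for process/audit logs: does this tar invocation exec a program?"""
    argv = shlex.split(cmdline)
    if not any(a.rsplit("/", 1)[-1] == "tar" for a in argv):
        return False
    for i, arg in enumerate(argv):
        # Prefix match so shortened spellings of --checkpoint-action are caught.
        if arg.startswith("--checkpoint-a"):
            value = arg.partition("=")[2] or " ".join(argv[i + 1:i + 2])
            if value.startswith("exec="):
                return True
    return False

# Constructed sample of `sudo -l` output (hostname is a placeholder).
SAMPLE = """User lin may run the following commands on target:
    (root) /bin/tar
"""

if __name__ == "__main__":
    for command, reason in risky_sudo_entries(SAMPLE):
        print(f"[!] {command}: {reason}")
```

A rule flagged this way is best replaced with a narrowly scoped wrapper script or removed, since any binary that can launch another program under sudo gives the user full root.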

🎯 Day 2 Mission Accomplished

Flag captured! That concludes Day 2 of my daily CTF journey. Today was a great learning experience. I hope you learned something too. See you on Day 3.

Happy hacking! :)