Bounty Hacker is a beginner-level room on TryHackMe. The objective is to get the user and root flags.
Author | Sevuhl |
Description | You talked a big game about being the most elite hacker in the solar system. Prove it and claim your right to the status of Elite Bounty Hacker!. |
Deploy the VM and let's go.
Enumeration
Let’s start with an nmap scan.
From the nmap scan we can see that FTP anonymous login is enabled. I checked the http service and couldn’t find anything useful. So, log in to the FTP server.
Found two text files. Download them using the command get file-name.
After reading the files I concluded that locks.txt is a wordlist and the username is lin.
User flag
Let’s use what we found to brute-force ssh using hydra.
hydra -l lin -P locks.txt ip-addr ssh
With the username and password in hand, let’s log in over ssh.
Boom!! We got the user flag.
Root flag
I used sudo -l to see if there are any files that can be run as root.
I searched gtfobins for tar and got this.
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
Run the command to get the root shell. The root flag is in the /root directory.
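The root step works because a sudo rule lets the user run tar as root with any arguments. Seen from the admin side, the following added example (not part of the original write-up) audits `sudo -l` output for rules of that kind; the binary list is a partial one chosen for illustration, and the sample output, user name and host name are constructed.

```python
import re

# Partial, illustrative set of binaries that GTFOBins lists with a sudo
# shell escape (tar is the one used above); extend it for a real audit.
SHELL_CAPABLE = {"tar", "find", "vim", "less", "awk", "man", "env"}

# Matches rule lines such as "(root) NOPASSWD: /bin/tar".
RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def audit_sudo_l(output):
    """Return (command, reason, nopasswd) for each risky rule that runs as root."""
    findings = []
    for line in output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # Defaults entries, headers and blank lines
        runas_user = m.group("runas").split(":")[0].strip()
        if runas_user not in ("root", "ALL"):
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if cmd == "ALL":
                findings.append((cmd, "unrestricted sudo", nopasswd))
                continue
            path, _, args = cmd.partition(" ")
            if path.rsplit("/", 1)[-1] not in SHELL_CAPABLE:
                continue
            if not args:
                # A rule without an argument list allows any arguments.
                findings.append((cmd, "shell-capable binary, any arguments", nopasswd))
            elif "*" in args:
                findings.append((cmd, "shell-capable binary, wildcard arguments", nopasswd))
    return findings

# Constructed sample output (user, host and rules are made up for this example).
SAMPLE = """\
Matching Defaults entries for alice on host1:
    env_reset, mail_badpass

User alice may run the following commands on host1:
    (root) /bin/tar
    (root) NOPASSWD: /usr/bin/systemctl restart nginx
    (root) /usr/bin/find /var/log -name *.log
    (www-data) /usr/bin/less
"""

if __name__ == "__main__":
    for cmd, reason, nopasswd in audit_sudo_l(SAMPLE):
        print(f"{cmd}: {reason}" + (" (NOPASSWD)" if nopasswd else ""))
```

Rules it flags are candidates for removal or for replacement with a wrapper script that fixes the arguments.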
That's it, folks. Happy hacking!!!