exploit quest

TryHackMe: Bounty Hacker CTF

8 minutes

TryHackMe’s Bounty Hacker CTF room is targeted towards beginners and entails the basics of network enumeration, FTP, SSH, brute-force attacks, and privilege escalation.

We’ll begin by starting up our machine, the IP of which will be referenced to as [IP] from here on. You can now either use the dedicated attack box provided by TryHackMe or you can use your own machine running Kali Linux and connect to the network via their VPN.

Note: Some answers and flags will not be directly mentioned to encourage attempting the CTF on your own.

Network enumeration

The room starts by asking us to find open ports on the machine. We can achieve this by using the nmap tool which can be used to perform network discovery.

We can use the tool by running the following command: nmap -sV [IP]

Note: The -sV flag tells nmap to probe the open ports to try and gather service/version information (this can come in use later to determine whether a vulnerable version of the service is being used so we can attempt to exploit it).

The results from nmap are as follows:

21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))

Here we’re able to see 3 open ports on the machine, it is important to note down these services for later as they could all be possible attack vectors.

HTTP service

Let’s start with the easiest service to access, the http server running on port 80. To access this we can simply open up a browser and navigate to the IP address of the machine.

After navigating to the webpage, we’re presented with an image and a transcript of a short conversation pertaining to the scenario of the CTF. There seems to be no valuable information or hints here so we can move on to the next service which was listed by nmap.

FTP service

The room now asks us, “who wrote the task list?” We’re not informed of which task list it is talking about so we can look at the hint for a clue on where to look. The hint mentions the FTP service we found earlier using nmap.

FTP, or more specifically vsftpd, is a service that allows us to access and transfer remote files on a server. Using this service, we can look for files on the FTP server and see if they contain any important information.

Using the command ftp [IP], we can access the FTP server and attempt to log in. When we attempt this we are prompted for a username. Entering an arbitrary username will reveal that the server has been configured in anonymous mode, meaning we can connect to it anonymously without the need for authentication.

To connect to the server anonymously, we can run the following command: ftp -a [IP]

Note: The -a flag instructs the FTP command to bypass the normal login procedure and use an anonymous login instead.

Now we will be presented with an FTP prompt allowing us to enter commands and navigate the file system accessible by the FTP server. We can begin by running the ls command to list files.

We’re presented with the following two files: locks.txt and task.txt

If we look back to the question, we are asked who created the task list. To attempt to answer this we can view the file using the command more task.txt and see if it contains any indication as to who created it.

After running the command, we can see the contents of the file displayed in the prompt. At the end of the file, there is a signature letting us know that “lin” created the file.

Finally, we can use more locks.txt to view the contents of the second file. The contents seem to be a list of passwords and could be of potential use in the future, so we can download that for later using the command: get locks.txt

Note: Using the command will save the file in the directory from which you executed the FTP command.

“Entering Extended Passive Mode” problem

When trying to run a command such as ls, you may run into a problem where you receive the following message and the prompt begins to hang indefinitely.

229 Entering Extended Passive Mode (|||26205|)

I’ve found that you can easily fix this by first returning to the original FTP prompt by pressing CTRL+C to cancel the current operation then typing the following two commands:

passive off
epsv4 off

The FTP commands should then resume working as normal.

SSH service

Next, we are asked which service we can brute-force using the locks.txt file we found. As we have already explored both the FTP and HTTP services, the only other service left from our nmap scan is the SSH service.

SSH allows us to remotely access a machine using a set of credentials. In our case, we have a list of potential passwords and a name which we found earlier - “lin”. We could manually check to see which password is correct but that would take a long time and would not be a viable option if we had a long list of passwords.

To access the machine via SSH, we’ll need to guess which password is the correct one. For this, we can use a brute-force tool called hydra. We’ll begin by running the following command: hydra -l lin -P locks.txt ssh://[IP]

Note: The -l flag specifies a username whilst the -P (capital P) flag allows us to specify a word list file to brute-force the password. Finally, we end the command by specifying the protocol as well as the IP to attack, in our case the protocol is ssh://

Not long after running the command, we can see hydra output the correct password. We can enter this password as the answer to the next question and then proceed to login to the machine via SSH using the following command: ssh lin@[IP]

We will then be prompted for a password and we can simply paste in the password we found using hydra.

Note: If you are asked whether you are sure you want to keep connecting, simply input yes

Now we can look around the file system for the flag to answer our next question. The question asks us to find a file named user.txt. To do so we can start by checking the current directory to see if it contains the file using the command ls.

Once we’ve listed the files, we can see that the user.txt file is indeed in our current directory, and we can use the command cat user.txt to view the contents of the file and reveal the flag. We can now input that flag as our answer to the question.

Privilege escalation

The final question asks us for the flag contained in a file named root.txt. It can be assumed that this file will be located in the /root directory (you can also attempt to use the find command). However, using the cd /root command to navigate there reveals that we do not have permission to access the directory.

This is where privilege escalation comes into play, and we have to discover a vulnerability or misconfiguration which allows us to escalate our privileges and access that file as root.

One of the most basic checks we can do is to run the command sudo -l to list commands we can execute using root privilege. If prompted for a password, simply enter the password we found earlier using hydra.

The output of the command lets us know that we can run the /bin/tar command with root privilege. The tar command is used to make compressed archives, similar to .zip files.

We can use this command in many ways to access the root.txt file. For example, we could create an archive of the whole /root directory and output it to our home directory where we could then unarchive it and view the contents, we could also use it to create a shell with root privileges.

We can use the following command to create a shell with root privileges via tar: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

You may be prompted for a password again, simply enter the password from before.

Note: This command was found on GTFOBins.

After running the command we should be presented with a shell that has root privileges. Now we can use the change directory command to navigate to the root folder: cd /root

Once we are in the root folder, we can list the files with ls and we’ll find the root.txt file. To display the flag, we can simply run cat root.txt.

Finally, we can answer the final question using the flag and complete the Bounty Hacker CTF room. :]