Bounty Hacker (Try Hack Me)
I am currently in the process of completing these boxes on Try Hack Me again in an effort to document my experience, reinforce my knowledge of the topics, and improve my ability to concisely communicate the pentest lifecycle.
Note: The target IP address may change throughout the writeup as I complete the room over a period of time.
Title: Bounty Hacker
Description: You talked a big game about being the most elite hacker in the solar system. Prove it and claim your right to the status of Elite Bounty Hacker!
First things first as always, start off with an nmap scan to enumerate the services on the target.
From the version information for the SSH and Apache services in the nmap scan results, the target is an Ubuntu OS. There are a total of three open ports from our scan of the top 1000 ports:
- 21 (FTP)
- 22 (SSH)
- 80 (HTTP)
The ftp-anon NSE script indicates that anonymous FTP login is enabled.. Connecting to the server and listing the files shows there’s two files present:
1.) Protect Vicious.
2.) Plan for Red Eye pickup on the moon.
The first file, task.txt, contains two tasks which may be important but doesn’t provide much information other than the fact that it was written by lin which could be a potential username for further FTP or SSH access.
The second file, lock.txt, may be a password list which could be used in combination with the username, lin, to brute force those services.
Let’s first check out the HTTP site. The initial page contains some various quotes from Cowboy Bebop, an anime.
There’s no information leaked in the source code, no robots.txt file, and no results in the directory enumeration scan.
Let’s approach the SSH service with the data that we found from the FTP server.
As an initial check, no information was leaked in the banner when trying to connect. With the potential username, lin, and the password file, let’s use Hydra to brute force the SSH service.
Success! We can conncet to the target machine through the SSH service with the credentials
In the users home directory, the user.txt flag is available for us!
Checking for the sudo privileges of lin since we have his password, he is able to run the /bin/tar binary as root.
Fortunately, gtfobins has an incredibly simple example of abusing this to attain a privileged shell 1.
There we go! We have successfully attained a root shell. The above command is attempting to create a tar archive into /dev/null with content from /dev/null and at every checkpoint (1 file), it executes the /bin/bash binary as root which is how we escalated our privileges.
Last step is just find the root flag /root.
This room was not as difficult as some of the other Easy rated rooms that I have come across on THM but it was a good opportunity to try other vectors instead of getting stuck on one.
The HTTP server had nothing to do with the killchain for this target but it commonly is in these CTF style rooms.
Lastly, the manipulation of the tar command is an interesting method to escalate your privileges.
- Authenticate anonymously to the FTP server to find a password list and a potential username.
- Brute-force the SSH server with the username and password list to obtain an initial foothold.
- Escalate privileges through the tar binary which lin is allowed to execute as root.
- Anonymous authentication should not have been enabled for the FTP service.
- Sensitive information was leaked on the FTP server.
- To prevent brute-force attempts to the SSH service, password authentication should be disabled and private key authentication should have been enabled.
- The user, lin, should not have had the privileges to run tar as sudo.
Summary of exploits
IF tar has sudo privileges, obtain a root shell by:
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
This will attempt to compress the contents of /dev/null into /dev/null but executing an action at each checkpoint. The action will load a Bash interpreter with the privileges of the root user.
Things I Learned
- Escalating privileges by abusing the SUDO privileges for the tar binary.