TryHackMe: Bounty Hacker

At first, I thought that this room might be a bit difficult though rated as Beginner (only on the basis of the name). Don’t know why but it gave me a feeling that it’ll be something really challenging. But I must say that this room is one of the easiest rooms on TryHackMe. And also, it does not even take time to solve!

So, let’s begin!

Initial Foothold

First of all, we need to deploy the machine and get the IP address. We can then visit the IP address and find an animated image and a conversation among 4 people.

We can check the source code of the page as well, but even there we won’t find anything useful. So, we can get started with our usual nmap scan.

The results of the nmap scan for OS and port detection:

From this result, we can simply count the number of open ports and use it as the answer to the second question.

From the list of open ports, we can see that FTP is running on port 21. The scan also reports that anonymous login is allowed, so the first thing to check is what data is accessible via FTP.

Once connected via FTP as anonymous, we can see that there are two files, namely tasks.txt and locks.txt. We can download both of them to our local machine using the mget command.

The question asks ‘who wrote the task list?’ and the answer to that can be found in the file tasks.txt.

Of the two files, tasks.txt does not contain any data that can be used for brute-forcing, but locks.txt contains a number of strings that appear to be different permutations of a password. We can also see from the nmap scan that a service is running on port 22. Since we know the username as well, we can use this file to brute-force the password required to access that service.

We can use hydra to brute-force the password for the specific service open on port 22.

So, now with the help of hydra, we know the password as well.

Now that we know both the username and password, we can simply log in to the user’s account via SSH.

Once logged in, we can read the user.txt file and get our required flag.

For this task, we can first check which commands our user can run with sudo privileges. This can be done as:

It can be seen that the user can run the command /bin/tar with root privileges. So, we can now look up this command on GTFOBins. Over there we can find one command to get an interactive system shell:

We can copy and paste this command into our SSH session, with sudo at the beginning so that the command executes as root.

With this, we got the root flag as well and we solved the box!
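The sudo rule for /bin/tar is what turned a normal user account into root here. As an added example (not part of the original write-up), the following sketch audits `sudo -l` output for rules of that kind; the sample output, the user and host placeholders, the function name and the short binary list are all constructed for illustration.

```python
import re

# Illustrative subset of programs GTFOBins lists as able to run other
# commands when invoked through sudo; not a complete list.
SHELL_CAPABLE = {"tar", "vi", "vim", "find", "awk", "less", "more", "man",
                 "env", "perl", "python", "python3", "bash", "sh"}

# Constructed `sudo -l` output. "user" and "host" are placeholders.
SAMPLE_SUDO_L = """\
Matching Defaults entries for user on host:
    env_reset, mail_badpass

User user may run the following commands on host:
    (root) /bin/tar
    (root) NOPASSWD: /sbin/reboot
    (ALL : ALL) ALL
"""

# One rule line: "(runas) [TAG: ...] command[, command ...]"
RULE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s*"
                  r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def audit_sudo_rules(sudo_l_output):
    """Return (command, reason) pairs for rules that amount to root access."""
    findings = []
    for line in sudo_l_output.splitlines():
        match = RULE.match(line)
        if not match:
            continue  # header, Defaults entry or blank line
        runas_user = match.group("runas").split(":")[0].strip()
        if runas_user not in ("root", "ALL"):
            continue  # only rules that can run as root are of interest here
        for cmd in filter(None, (c.strip() for c in match.group("cmds").split(","))):
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append((cmd, "unrestricted sudo"))
            elif binary in SHELL_CAPABLE:
                findings.append((cmd, "can execute arbitrary commands as root"))
    return findings


if __name__ == "__main__":
    for command, reason in audit_sudo_rules(SAMPLE_SUDO_L):
        print(f"REVIEW {command}: {reason}")
```

Any rule it reports should be treated as equivalent to granting a root shell and either removed or replaced with a narrowly scoped wrapper.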

Some Key Points to Take Away

Just keep your eyes open and look at everything you have access to!

Do check out my other work and write-ups on GitHub at

Just another CyberSec Guy
