Introduction
It looks like our bragging caught the attention of Spike Spiegel and his crew in TryHackMe: Bounty Hacker. They need us to hack this system and gain root, no questions asked. With some enumeration and an anonymous FTP account, we can crack the SSH passphrase to become a user on the system and exploit tar to escalate our privileges to root.
Information Gathering
Like any other challenge, I want to get the lay of the land. We are looking for any open ports and what kind of services they are running.
Nice! It looks like they left an anonymous account enabled on their FTP server.
These files look interesting: locks.txt and task.txt. I will just go ahead and download them onto my system and give them a read.
Score! This file looks like it contains passwords. I am not sure which is the right one, but let us check out task.txt for further clues.
Now, if you have never seen the show, there is some context to the message. Vicious is the main antagonist in Cowboy Bebop, and Red Eye is an illegal performance-enhancing drug. Lin is one of Vicious’s henchmen, and I would be willing to bet that he was the one that set up this server.
Going back to our Nmap scan, we can see that SSH is running on the machine. Using a tool like Hydra, we can use the passwords found in locks.txt and brute force our way into Lin’s account.
And just like that, we have Lin’s login information!
Exploitation
The user.txt flag is found immediately in Lin’s home directory. The last thing we need to do is escalate our privileges and read the root.txt flag.
Post Exploitation
Running sudo -l lists the commands the user is allowed to invoke with root privileges.
The tar command is used to collect a group of files into an archive. Let’s check out GTFOBins to see if there is anything we can leverage to our advantage.
There are a couple of things going on in this command. First, tar is creating an archive file at /dev/null. Since tar is running under sudo (superuser do), the bash shell it spawns at checkpoint 1 runs as root, which escalates our privileges.
And there you have it! The root.txt flag file is easy to find in the root directory.
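From the defender's side, the same sudo -l output is the thing to audit. The script below is an added example, not part of the original write-up: it flags rules that run as root for binaries able to launch other programs when the rule leaves their arguments open. The binary list, host name, file paths and every sample rule other than lin's tar entry are assumptions made for the illustration.

```python
import re

# Binaries that can launch another program from their own options or
# interactive mode. Illustrative subset picked for this example, not a full list.
SHELL_CAPABLE = {"tar", "find", "vim", "less", "awk", "man", "env", "nmap"}

# One rule line of `sudo -l`: "(runas) [TAG: ...] command[, command...]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?:[A-Z_]+:\s*)*(?P<cmds>.+)$")

# Constructed sample; host name, paths and every rule except tar are made up.
SAMPLE_LISTING = """\
Matching Defaults entries for lin on examplehost:
    env_reset, mail_badpass

User lin may run the following commands on examplehost:
    (root) /bin/tar
    (root) NOPASSWD: /usr/bin/systemctl restart nginx
    (root) /usr/bin/find /var/log -name *.log
    (www-data) /usr/bin/vim
"""


def audit_sudo_listing(listing):
    """Return (command, reason) pairs for rules that amount to a root shell."""
    findings = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header, Defaults or blank line
        runas_user = m.group("runas").split(":")[0].strip()
        if runas_user not in ("root", "ALL"):
            continue  # only rules that run as root matter here
        for cmd in m.group("cmds").split(","):
            parts = cmd.split()
            if not parts:
                continue
            if parts[0] == "ALL":
                findings.append((cmd.strip(), "any command as root"))
            elif parts[0].rsplit("/", 1)[-1] in SHELL_CAPABLE:
                if len(parts) == 1:
                    findings.append((cmd.strip(), "no argument restriction"))
                elif any("*" in p or "?" in p for p in parts[1:]):
                    findings.append((cmd.strip(), "wildcard in arguments"))
    return findings


if __name__ == "__main__":
    for command, reason in audit_sudo_listing(SAMPLE_LISTING):
        print(f"RISKY: {command} ({reason})")
```

A rule that pins the complete argument list, such as a fixed backup command, passes the check, while a bare tar entry like lin's does not.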
Conclusion
In conclusion, this TryHackMe room earns its easy badge. Enumeration and privilege escalation were pretty straightforward and a piece of cake for this braggadocious hacker.