TryHackMe: Bounty Hacker

Tools and Commands Used to Solve This Room.

• Deploy the machine.
  [Completed]
• Find open ports on the machine.
  * Zenmap.

• Who wrote the task list?
  * access FTP
  * ls-la to list directories
  * get files. (download)
  * cat files (read) and answer found.

• What service can you brute force with the text file found?
  * Zenmap.

• What is the users password?
  * access HTTP <ip>
  — check source page (nothing found)
  — Multiple user names found.
  — create a list with all names found and save it.
  — file named “locks.txt” downloaded from FTP, use as a password file.

* Bruteforce SSH using Hydra.

* User Logon name and password found.

• user.txt?
  * login “lin” using ssh.
  * ls -la = listing directories.
  * cat = to read file.

• root.txt?
  * privilege escalation.
  * sudo -l = the -l (list) option will list the allowed (and forbidden) commands for the invoking user.
  * Checking GTFOBins for sudo commands.
  * Run the found command from GTFO.
  * cd (change) directory and cat (read) “root.txt” file.

tar | GTFOBins

GTFOBins