TryHackMe: Bounty Hacker

Tools and Commands Used to Solve This Room.

  • Deploy the machine.
  • Who wrote the task list?
    * access FTP
    * ls-la to list directories
    * get files. (download)
    * cat files (read) and answer found.
  • What service can you brute force with the text file found?
    * Zenmap.
  • What is the users password?
    * access HTTP <ip>
    — check source page (nothing found)
    — Multiple user names found.
    — create a list with all names found and save it.
    — file named “locks.txt” downloaded from FTP, use as a password file.

* Bruteforce SSH using Hydra.

* User Logon name and password found.

  • user.txt?
    * login “lin” using ssh.
    * ls -la = listing directories.
    * cat = to read file.
  • root.txt?
    privilege escalation.
    * sudo -l = the -l (list) option will list the allowed (and forbidden) commands for the invoking user.
    * Checking GTFOBins for sudo commands.
    * Run the found command from GTFO.
    * cd (change) directory and cat (read) “root.txt” file.

Sana Qazi is a Technical Writer specialized in Information Security. She is a writer by day and a reader by night.