The skills to be tested and needed to solve this room are: Linux, tar, privesc, and security.
Shout-out to @Sevuhl for creating this room. Visit https://tryhackme.com and create an account for free to take advantage of this great learning platform.
I also chose to mask part of the answers so you will have to do the steps and see how things work. I don’t want to take away this learning experience from you.
There are 7 questions to complete the room:
- Deploy the machine.
- No answer needed
- Find open ports on the machine.
- No answer needed
- Who wrote the task list?
- What service can you bruteforce with the text file found?
- What is the user’s password?
- Deploy the machine
2. Find open ports on the machine
- I was assigned a victim machine’s IP address of 10.10.47.185. Used nmap to scan the target machine for open ports. Scanned the machine by running the command: sudo nmap -sC -sV -O -oA bounty 10.10.47.185
- sudo – we have to run the nmap scan with root privileges because “TCP/IP fingerprinting (for OS scan) requires root privileges.”
- -sC – to scan using the default nmap scripts
- -sV – to pull version information of open ports found during the scan
- -O – to find out the target’s operating system
- -oA bounty – to save the results of the scan to a file named “bounty” and saved in three different formats (normal, XML, and grepable)
3. Who wrote the task list?
- The first interesting information from the nmap scan result is “anonymous” login is allowed through FTP protocol. We can do this by connecting using: ftp 10.10.47.185
- When prompted to enter a username/name, use: anonymous
- Now, let’s see what is on the FTP server while logged in as anonymous
- Download both files by using the get command. get task.txt and get locks.txt
- Open task.txt to obtain the answer on who wrote the task list by using cat command. cat task.txt
4. What service can you bruteforce with the text file found?
- Looking at the nmap scan result we have above, the only other service that we can bruteforce is S**
- Time to bruteforce the service. We don’t know which user to use because there was no clue found on the nmap results, but we can try and use the author of the file task.txt. The next challenge is which password list are we going to use? It is easy to just go ahead and use rockyou.txt, but if you remember we found another file on the FTP server called locks.txt. Let’s check what is inside the file before we start bruteforcing. We can look what’s inside the file by issuing cat locks.txt
5. What is the user’s password?
- Let’s bruteforce the service that is the answer to question 4 using the answer to question 3 as the username and the file locks.txt for the password list with the tool Hydra. hydra -l l** -P locks.txt 10.10.47.185 s**
- Login to the service referred on question 4 with the username and password we found on question 5.
- List what files we see and open user.txt if we find it
- Simple checks first, let’s see if have the permission to change directory to root
- Now, we have to do privilege escalation. We can find out if user l** have any sudo permissions by using sudo -l.
- Let’s check our best friend GTFOBIns by going to https://gtfobins.github.io
- Now we are going to do a privilege escalation by typing: sudo tar -cf /dev/null /dev/null –checkpoint=1 –checkpoint-action=exec=/bin/sh
- Retrieve the root.txt by doing cat root.txt
- We have completed this room! Hope you enjoyed it!