TryHackMe – Bounty Hacker

Find open ports on the machine:

Kick off an nmap scan of all ports…

While that is running, let's explore in the browser…

Well, we know port 80 is open. Let’s kick off a scan with dirbuster using a small wordlist:

Poked around on these directories but nothing interesting. nmap results are back:

Open ports: 21, 22, 80

Who wrote the task list?

Not sure what the task list is or where it is, but the next question talks about brute forcing a service, so I figured I would try brute forcing SSH with hydra using rockyou.txt.

Okay…that would take forever. I guess I’ll leave it up in the background while I try something else just in case.

After stumbling around a bit, I decided to check in on FTP but had to look up how to access it:

Voilà! We found:

  • locks.txt
  • task.txt

The site was going really slowly, so I had to shut down hydra to be able to get the files.

wget each file:

task.txt contents:

locks.txt contents:

locks.txt looks like a wordlist we can use to brute force SSH in the next section.

task.txt also reveals that it was authored by:

lin

What service can you bruteforce with the text file found?

ssh

What is the user’s password?

hydra -l lin -P ./locks.txt 10.10.15.139 -t 4 ssh

Lin’s password is:

RedDr4gonSynd1cat3
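From the defender's side, a wordlist run like the hydra command above leaves a run of failed logins followed by one success in the SSH server's auth log. The following Python detector is an added example, not part of the original write-up; it assumes OpenSSH's standard "Failed password" / "Accepted password" log lines, and the sample log lines, the function name `find_bruteforce` and the threshold of 5 are constructed for illustration.

```python
import re
from collections import defaultdict

def _fail(n, user, ip):
    # Build n constructed "Failed password" lines in OpenSSH's auth.log format.
    return [f"Jan 10 12:00:{i:02d} box sshd[1101]: Failed password for {user} "
            f"from {ip} port {40000 + i} ssh2" for i in range(n)]

# Constructed sample log (documentation IP ranges, not taken from the page).
SAMPLE_LOG = "\n".join(
    _fail(6, "lin", "192.0.2.10")            # wordlist run against one account
    + ["Jan 10 12:00:07 box sshd[1101]: Accepted password for lin from 192.0.2.10 port 40007 ssh2"]
    + _fail(1, "lin", "198.51.100.7")        # a single typo, then a normal login
    + ["Jan 10 12:01:00 box sshd[1102]: Accepted password for lin from 198.51.100.7 port 40100 ssh2"]
    + _fail(5, "invalid user admin", "203.0.113.9")  # guessing a nonexistent user
)

EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_bruteforce(log_text, threshold=5):
    """Flag (ip, user) pairs with >= threshold consecutive failed logins and
    record whether a successful login from the same pair followed."""
    streak = defaultdict(int)   # consecutive failures per (ip, user)
    alerts = {}
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        key = (m["ip"], m["user"])
        if m["result"] == "Failed":
            streak[key] += 1
            if streak[key] >= threshold:
                alerts.setdefault(key, {"failures": 0, "login_followed": False})
                alerts[key]["failures"] = streak[key]
        else:
            # A success right after a long failure streak is the high-priority case.
            if key in alerts:
                alerts[key]["login_followed"] = True
            streak[key] = 0
    return alerts

if __name__ == "__main__":
    for (ip, user), info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, user, info)
```

An alert with `login_followed` set is the one to triage first: the guessed password worked, so the account's credentials should be rotated and its session activity reviewed.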

User.txt

THM{CR1M3_SyNd1C4T3}

Root.txt

GTFOBins shows an exploit for /bin/tar:

Try this out on the victim machine:

Works like a charm!

Root.txt:

THM{80UN7Y_h4cK3r}