TryHackMe | Bounty Hacker Walkthrough

Hi, this is my first article on Medium, and it’s time to look at Bounty Hacker-Walkthrough. I am making these walkthroughs to keep myself motivated to learn cybersecurity and ensure that I remember the knowledge gained by THM. Join me on my journey on THM. I will explain the concepts to the best of my knowledge and yes it’s not even been a month since I started learning about cybersecurity.

Room URL: https://tryhackme.com/room/vulnversity

Task 1 (Deploy the Machine)

Deploy the machine using OpenVPN.

Task 2 (Find open ports on the machine)

Task 2 is a part of the Reconnaissance meaning we need to know about the machine using the given IP. We will do our recon using a tool called Nmap.

Here, I have provided a link to the Nmap cheat sheet, which may be useful.

So we begin by scanning for open ports. I like to run a basic Nmap scan which looks like this:

nmap -sC -sV -T4 -p- <Target_IP>

We can see that there are 3 open ports that were discovered using Nmap

Answer: No answer is needed

Task 3 (Who wrote the task list?)

Since we can see that there is an FTP service running on port 21, we can try connecting to FTP using an anonymous login which does not require a password.

We use the command:

ftp 10.10.84.183

Name: anonymous

After this, we can turn off the passive mode using:

passive

Now, we can list the contents using:

ls

We use the command:

mget *

Which is basically used to download all the files that are listed in our system.

After logging out of the FTP service we can view the contents of the task.txt file using:

cat task.txt

Answer: lin

Task 3 (What service can you bruteforce with the text file found?)

Using the Nmap scan we can see that SSH service is open on port 22, which can be brute-forced.

Answer: ssh

Task 3 (What is the user’s password?)

Using FTP, we retrieved two files and one of them was locks.txt which may contain a list of passwords.

We use a famous tool called Hydra which is used to brute — force passwords given a list of either usernames and passwords.

You can find more on Hydra using the link.

We can use the following command to brute-force ssh:

hydra -l lin -P locks.txt ssh://10.10.84.183

Here, we can see the password is RedDr4gonSynd1cat3

Answer: RedDr4gonSynd1cat3

Now we may use SSH to log in using the newly found credentials:

ssh lin@10.10.84.183

Password: RedDr4gonSynd1cat3

Task 5 (user.txt)

To get this flag is pretty easy you just need to cat out the user.txt file

Answer: THM{CR1M3_SyNd1C4T3}

Task 6 (root.txt)

Here we can use a basic Linux privilege escalation technique using GTFOBins.

First, we see what commands can be run using sudo by our user lin using:

sudo -l

We can see that /bin/tar can be run. Now we use GTFOBins to see if we can escalate to the root user using the tar command.

Finally, we run the command and escalate to the root user.

Now we just need to cd to our root directory where we find root.txt file which contains our flag.

Answer: THM{80UN7Y_h4cK3r}

We are done, I hope I cleared your doubts. This room is deemed as easy but since I am just starting I had to do basic research on privilege escalation techniques. With the help of this room, we can learn to brute-force using Hydra and also learn about FTP and SSH. Hopefully, I was helpful.