Bounty Hacker: TryHackMe Walkthrough
2024-1-25 17:31:34 Author: infosecwriteups.com

Sudeepa Shiranthaka

InfoSec Write-ups

Hey folks, after some time, I’m back with another TryHackMe walkthrough. This fundamental box focuses on essential penetration testing knowledge and Linux privilege escalation techniques. The box is called “Bounty Hacker”. First, we have to connect to the lab environment over OpenVPN. If you don’t know how to set up the OpenVPN configuration, you can follow the following TryHackMe room.

  • Information gathering
  • Enumeration
  • Exploitation (Initial Access)
  • Post Exploitation (Privilege Escalation)

Information Gathering

By looking at the robots.txt file, we can identify the backend server, which is Apache/2.4.18.

Next, we’ll perform an nmap scan to find the open ports and running services on the target.

sudo nmap -p- -A -T4 -sV 10.10.198.119

  • -p-: performs a full port scan
  • -A: runs the aggressive scan
  • -sV: enumerates and detects the services and their versions

Looking at the nmap results, we can see that port 21/ftp is open.

Enumeration

We can check whether anonymous FTP login is allowed on the target. Try the following command and provide the username and password as anonymous:anonymous.

ftp 10.10.198.119

We can see that the server accepts the anonymous login and lets us in. After logging in, we can download the two files with get locks.txt and get task.txt. Looking at locks.txt, we find some interesting strings that look like passwords.

Exploitation (Initial Access)

Since I found some interesting strings (more similar to passwords), I instantly performed an SSH credential brute force attack to find out the username of the SSH login.

hydra -s 22 -v -V -l lin -P locks.txt -t 8 10.10.198.119 ssh

After the successful brute force attempt, we were able to find out the SSH user name as lin.

These credentials allowed us to obtain initial access to the server via SSH.
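From the defender's side, the brute force above leaves a recognisable trace in the SSH server's authentication log: a burst of failed passwords for one account from one source, followed by an accepted login. The detection below is an added example, not part of the original walkthrough; the log lines, hostname and source IPs are constructed, and the threshold, window and year are assumed values to tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth-log sample (hostname, PIDs, ports and source IPs are
# made up): a password-guessing burst against "lin", then an ordinary typo.
SAMPLE_LOG = """\
Jan 25 17:02:11 box sshd[2101]: Failed password for lin from 192.0.2.10 port 40022 ssh2
Jan 25 17:02:11 box sshd[2102]: Failed password for lin from 192.0.2.10 port 40024 ssh2
Jan 25 17:02:12 box sshd[2103]: Failed password for lin from 192.0.2.10 port 40026 ssh2
Jan 25 17:02:13 box sshd[2104]: Failed password for lin from 192.0.2.10 port 40028 ssh2
Jan 25 17:02:13 box sshd[2105]: Failed password for lin from 192.0.2.10 port 40030 ssh2
Jan 25 17:02:14 box sshd[2106]: Failed password for lin from 192.0.2.10 port 40032 ssh2
Jan 25 17:02:15 box sshd[2107]: Accepted password for lin from 192.0.2.10 port 40034 ssh2
Jan 25 17:10:40 box sshd[2150]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Jan 25 17:20:01 box sshd[2200]: Failed password for bob from 203.0.113.5 port 52000 ssh2
Jan 25 17:20:09 box sshd[2201]: Accepted password for bob from 203.0.113.5 port 52002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def find_guessed_logins(log_text, threshold=5, window=timedelta(minutes=5), year=2024):
    """Return one alert per successful login that follows >= threshold failed
    passwords for the same (source IP, user) pair inside the time window."""
    failures = defaultdict(list)          # (ip, user) -> timestamps of failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not an sshd password event
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["ip"], m["user"])
        if m["result"] == "Failed":
            failures[key].append(ts)
            continue
        recent = [t for t in failures[key] if ts - t <= window]
        if len(recent) >= threshold:
            alerts.append({"ip": key[0], "user": key[1],
                           "failures": len(recent), "login_at": ts})
        failures[key].clear()             # a success resets the counter
    return alerts

if __name__ == "__main__":
    for alert in find_guessed_logins(SAMPLE_LOG):
        print(alert)
```

Only the burst against lin is reported; the single mistyped password for bob stays below the threshold.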

Post Exploitation (Privilege Escalation)

After accessing the server, I tried to find out the information and versions that were installed. We can use the commands below to perform it.

cat /etc/*-release

cat /etc/os-release

cat /proc/version

Next, we can run the sudo -l command to check whether the logged-in user (lin) is able to perform any tasks with root privileges.

As we can see in the above snippet, the user “lin” can run /bin/tar with root privileges.

sudo tar xf /dev/null -I '/bin/sh -c "sh <&2 1>&2"'

GTFOBins has more interesting information related to privilege escalation techniques, and you can also refer to it.

That’s all for today, and I’ll see you in the next article.

You can find me on😊:

Linkedin: www.linkedin.com/in/sudeepashiranthaka

Medium: https://sudeepashiranthaka97.medium.com/

Twitter: https://twitter.com/sudeepashiran97


Article source: https://infosecwriteups.com/bounty-hacker-tryhackme-walkthrough-96eafc6c09b2?source=rss----7b722bfd1b8d---4