
THM: Bounty Hacker


Ever since the last room I published here, every time that I logged in to TryHackMe I would only complete tutorial rooms (except for the Net Sec Challenge, which was not much of a challenge), mainly revising stuff I had already learned, and that got to the point where it was tedious. On the one hand, I want to complete the suggested paths, making sure that I have the right tools (and mindset) to take on more difficult CTFs (and eventually take part in a hackathon or two), but … it gets boring at times.

That’s the reason why I now am here (even though I suppose that taking on a medium difficulty room instead of an easy one would be better)!

Recon

Like always: a quick nmap scan

IP=10.10.61.63
nmap -sV -sC -oN nmap.initial $IP

That informs us of three open ports:

  • 21: ftp, allowing for anonymous login
  • 22: ssh
  • 80: http, an Apache web server

After starting a complete port scan to see if our initial scan missed anything, we visit the website.

nmap -p- -oN nmap.full -T4 $IP

The Website

First things first: after visiting the website, it looks like it's a simple static website, made up of just one HTML page, in which Avatar (the airbender) characters seem to be assigning us the task of getting into the target system. Nothing is hidden in the HTML.

Gobuster also did not reveal any promising files.

gobuster dir -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt -u http://10.10.61.63

The FTP server

Using the standard command we can visit the ftp server as anonymous.

If performing any commands returns:

530 Please login with USER and PASS.

make sure that you did not just press Enter at the login prompt: that logs you in under your local username (root here) rather than anonymous, so you are not authenticated on the server. Not proud of that :P.

Running ls there we gain knowledge of two files:

  • locks.txt, which turns out to be a wordlist, hinting at a possible bruteforce attack on the ssh server
  • task.txt, containing two Avatar-related (?) tasks, and giving a small flag

The SSH server

Trying our luck with the wordlist found above eventually gives us the password for the user lin:

hydra -l lin -P locks.txt ssh://$IP -t 1

At this point we have successfully gained access to the target machine, and by visiting lin’s Desktop, we get the first actual flag.

Privilege Escalation

Just running sudo -l shows that we can run /bin/tar as root.

Obviously, we go to GTFOBins and, following the steps there, we get root privileges in no time:

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
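
Seen from the defender's side, a rule like this one can be caught by reviewing `sudo -l` output for shell-capable binaries. The script below is an added example, not part of the original write-up: the hostname `examplehost`, every rule except `/bin/tar`, and the `ESCAPE_BINS` list (a small sample, not exhaustive) are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag `sudo -l` entries that grant shell-capable binaries.
# ESCAPE_BINS is a small sample of programs with command-execution options
# (tar among them, as on this page); it is not an exhaustive list.
ESCAPE_BINS="tar find vim vi less more awk env perl python3 bash sh"

# Reads `sudo -l` output on stdin, prints one finding per risky command.
audit_sudo_list() {
    awk -v bins="$ESCAPE_BINS" '
    BEGIN { n = split(bins, b, " "); for (i = 1; i <= n; i++) risky[b[i]] = 1 }
    /may run the following commands/ { in_rules = 1; next }
    !in_rules { next }
    {
        line = $0; sub(/^[ \t]+/, "", line)
        if (line !~ /^\(/) next                  # rule lines start with (runas)
        runas = line; sub(/\).*/, ")", runas)
        rest = line;  sub(/^\([^)]*\)[ \t]*/, "", rest)
        # drop tags such as NOPASSWD: or SETENV:
        while (rest ~ /^[A-Z_]+:/) sub(/^[A-Z_]+:[ \t]*/, "", rest)
        m = split(rest, cmds, /,[ \t]*/)
        for (j = 1; j <= m; j++) {
            if (cmds[j] == "ALL") { print "HIGH " runas " ALL: unrestricted"; continue }
            split(cmds[j], parts, " ")
            k = split(parts[1], seg, "/")        # seg[k] is the binary name
            if (!(seg[k] in risky)) continue
            if (parts[2] == "") print "HIGH " runas " " parts[1] ": any arguments allowed"
            else print "REVIEW " runas " " cmds[j] ": arguments pinned, check for wildcards"
        }
    }'
}

# Constructed sample of `sudo -l` output; only the /bin/tar rule is from the page.
sample_sudo_l() {
cat <<'EOF'
Matching Defaults entries for lin on examplehost:
    env_reset, mail_badpass

User lin may run the following commands on examplehost:
    (root) /bin/tar
    (root) NOPASSWD: /sbin/reboot
    (root) /usr/bin/find /var/log -name app.log
    (ALL : ALL) ALL
EOF
}

sample_sudo_l | audit_sudo_list
```

On a real host, pipe `sudo -l -U <user>` into `audit_sudo_list`; an entry that is not flagged is only absent from the sample list, not proven safe.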

Conclusion

It was a nice room, arguably a wrong choice for me, but a good place to start I suppose, covering a little bit of the basics.

Originally created on 2023-11-05 Sun 21:54