This is a writeup for the Bounty Hacker room.

My target IP: 10.10.228.252


NMAP

Let's scan our target and check for open ports.

3 ports are open.


GOBUSTER

It seems the website does not have much unusual content.


WEBSITE INSPECTION

There is not much going on with the website or its images directory. I checked the page source and it was clean.


FTP

We can check whether FTP allows us to log in anonymously.

We managed to log in successfully. I found 2 files and transferred them to my machine.

The locks file contains some passwords, and there is a task file that contains the answer to one of the questions, which is the name of the writer.


SSH

We can try brute-forcing SSH. I assume the username is the one we found in task.txt.

hydra -l USERNAME -P locks.txt 10.10.228.252 ssh

We have the password. Now let's log in.
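
On the defending side, the hydra run above shows up in the target's sshd log as a burst of failed passwords from one address followed by an accepted one. The following Python script is an added example, not part of the original writeup, that flags that pattern; the log lines, host, user names, addresses, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd auth.log lines; host, user and addresses are made up.
SAMPLE_LOG = """\
Mar 13 10:15:01 box sshd[1201]: Failed password for alice from 192.0.2.10 port 40112 ssh2
Mar 13 10:15:01 box sshd[1202]: Failed password for alice from 192.0.2.10 port 40114 ssh2
Mar 13 10:15:02 box sshd[1203]: Failed password for alice from 192.0.2.10 port 40116 ssh2
Mar 13 10:15:02 box sshd[1204]: Failed password for alice from 192.0.2.10 port 40118 ssh2
Mar 13 10:15:03 box sshd[1205]: Failed password for alice from 192.0.2.10 port 40120 ssh2
Mar 13 10:15:03 box sshd[1206]: Failed password for alice from 192.0.2.10 port 40122 ssh2
Mar 13 10:15:04 box sshd[1207]: Accepted password for alice from 192.0.2.10 port 40124 ssh2
Mar 13 10:20:10 box sshd[1310]: Failed password for bob from 198.51.100.7 port 51500 ssh2
Mar 13 10:20:18 box sshd[1311]: Accepted password for bob from 198.51.100.7 port 51502 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60), year=2024):
    """Alert on `threshold` failures from one IP inside `window`, and on any
    accepted password login from an IP that is still inside such a burst."""
    recent = defaultdict(deque)  # source IP -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Classic syslog timestamps carry no year, so one is assumed.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures = recent[m["ip"]]
        while failures and ts - failures[0] > window:
            failures.popleft()  # drop failures that fell out of the window
        if m["result"] == "Failed":
            failures.append(ts)
            if len(failures) == threshold:
                alerts.append(("bruteforce", m["ip"], m["user"]))
        elif len(failures) >= threshold:
            # A success right after a burst means a guess probably worked.
            alerts.append(("login_after_bruteforce", m["ip"], m["user"]))
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The single mistyped password from the second address stays below the threshold, so its successful login is not flagged.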


USER FLAG

I will search for the user flag. This time it was in our directory, but you can go to the / directory and use the "find -name user.txt" command.


ROOT FLAG

First, I will check which commands we can run with sudo.

We can run /bin/tar. I will check GTFOBins for possible exploits.

https://gtfobins.github.io/gtfobins/tar/

I will try this one:

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

It worked and now we have root access. Now we can get the root flag.
