Bounty hacker Writeup

Thatquietkid
3 min readDec 22, 2020

--

So here we go, my first writeup :

First start with Nmap(network mapper):

nmap -A -T4 10.10.46.21 (you will have different IP)

and the results are:

From nmap results, I see there are 3 ports open

  1. ftp:21
  2. ssh:22
  3. HTTP:80

and ftp anonymous login is allowed .

Lets, ftp to the box:

I saw 2 files there :

  1. locks.txt
  2. task.txt

I used the get command to download both the files .

After opening task.txt , I saw some text from some user Lin

So, the answer to Question 1: Who wrote the task list ?

Ans) Lin

and in locks.txt there is a wordlist .

Q2:What service can you bruteforce with the text file found?

Ans) As there is ssh port open(port 22) , the answer to this question is SSH.

So, lets try bruteforcing password using the wordlist we found .

I m using hydra to bruteforce password .

Command: hydra -l lin -P /home/kali/locks.txt 10.10.46.21 -t 4 ssh

Q3:What is the users password?

Ans)RedDr4gonSynd1cat3

Now we know the user and password .

Lets, ssh to the machine:

Command : ssh lin@10.10.46.21

and type the password when asked .

Q4:user.txt ?

Ans) THM{CR!M3_SyNd1C4T3}

Now, all we have to do is to get the root flag and for that we have to do privilege escalation .

Type : sudo -l

This is to know the root permissions.

We found /bin/tar .

After googling this, I found :

The link:https://gtfobins.github.io/gtfobins/tar/

After running this one liner I got root.

So, now we have rooted this machine and answered all the questions .

Thanks for watching my blog . Have a nice day.

--

--