# Bounty Hacker

{% embed url="https://tryhackme.com/room/cowboyhacker" %}

## Enumeration

### nmap

```text
PORT   STATE SERVICE REASON         VERSION
21/tcp open  ftp     syn-ack ttl 61 vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.4.8.123
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     syn-ack ttl 61 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 dc:f8:df:a7:a6:00:6d:18:b0:70:2b:a5:aa:a6:14:3e (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCgcwCtWTBLYfcPeyDkCNmq6mXb/qZExzWud7PuaWL38rUCUpDu6kvqKMLQRHX4H3vmnPE/YMkQIvmz4KUX4H/aXdw0sX5n9jrennTzkKb/zvqWNlT6zvJBWDDwjv5g9d34cMkE9fUlnn2gbczsmaK6Zo337F40ez1iwU0B39e5XOqhC37vJuqfej6c/C4o5FcYgRqktS/kdcbcm7FJ+fHH9xmUkiGIpvcJu+E4ZMtMQm4bFMTJ58bexLszN0rUn17d2K4+lHsITPVnIxdn9hSc3UomDrWWg+hWknWDcGpzXrQjCajO395PlZ0SBNDdN+B14E0m6lRY9GlyCD9hvwwB
|   256 ec:c0:f2:d9:1e:6f:48:7d:38:9a:e3:bb:08:c4:0c:c9 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMCu8L8U5da2RnlmmnGLtYtOy0Km3tMKLqm4dDG+CraYh7kgzgSVNdAjCOSfh3lIq9zdwajW+1q9kbbICVb07ZQ=
|   256 a4:1a:15:a5:d4:b1:cf:8f:16:50:3a:7d:d0:d8:13:c2 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICqmJn+c7Fx6s0k8SCxAJAoJB7pS/RRtWjkaeDftreFw
80/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
OS fingerprint not ideal because: maxTimingRatio (1.578000e+00) is greater than 1.4
Aggressive OS guesses: Linux 4.15 (94%), Linux 2.6.32 - 3.13 (93%), Linux 3.10 - 4.11 (91%), Android 9 - 10 (Linux 4.9 - 4.14) (90%), Linux 3.2 - 4.14 (90%), Linux 4.15 - 5.19 (90%), Linux 2.6.32 - 3.10 (90%), Linux 5.4 (89%), HP P2000 G3 NAS device (89%), Linux 5.0 - 5.14 (89%)
No exact OS matches for host (test conditions non-ideal).
```

### Web page (port 80)

<figure><img src="/files/9IrJK5DCJGEH41ywNYM8" alt=""><figcaption></figcaption></figure>

## Enumeration

### Directory search (ffuf)

This time I want to use a different tool: **ffuf**.

It is a fast and powerful tool for web content discovery.

```bash
ffuf -u http://<ip>/FUZZ -c -w <wordlist_path>
```

<figure><img src="/files/M8BBnuwD1VfY6LwaU0YC" alt=""><figcaption></figcaption></figure>

As the output shows, there is nothing of interest here.

### FTP (port 21)

```text
21/tcp open  ftp     syn-ack ttl 61 vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
```

Since nmap shows that anonymous login is allowed, let's try it.

Success! Now we can take a look at the files.

The files contain a username and a list of passwords. Let's collect all the credentials we found into two separate files.

<figure><img src="/files/etgX8MBgCper4cuIsmtK" alt=""><figcaption></figcaption></figure>

I took all the usernames on the web page and the ones in `task.txt` to make a `users` file, since we have no idea which user we will be logging in as.

Then simply copy the password list into a new file and start brute-forcing.

### Hydra

We will target the SSH server.

```bash
hydra -L <username_list_file> -P <wordlist_file> <target_ip> ssh -t 4
```

<figure><img src="/files/5l8PnlCU9dMWN6Sil3jA" alt=""><figcaption></figcaption></figure>

We now have valid credentials and can log in to the SSH server as `lin`.
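From the defender's side, a run like this leaves a burst of `Failed password` entries from one source, often ending in an `Accepted password`. The following is an added example, not part of the original walkthrough: it summarises sshd log lines per source IP. The log lines, the host name `target`, the IPs and every account name except `lin` are constructed.

```bash
#!/bin/sh
# Constructed sample of sshd auth.log lines (not captured from the room).
sample_auth_log() {
cat <<'EOF'
Mar  3 10:15:01 target sshd[1201]: Failed password for invalid user alice from 192.0.2.10 port 40112 ssh2
Mar  3 10:15:01 target sshd[1202]: Failed password for lin from 192.0.2.10 port 40114 ssh2
Mar  3 10:15:02 target sshd[1203]: Failed password for lin from 192.0.2.10 port 40116 ssh2
Mar  3 10:15:02 target sshd[1204]: Failed password for invalid user bob from 192.0.2.10 port 40118 ssh2
Mar  3 10:15:03 target sshd[1205]: Failed password for lin from 192.0.2.10 port 40120 ssh2
Mar  3 10:15:04 target sshd[1206]: Accepted password for lin from 192.0.2.10 port 40122 ssh2
Mar  3 11:02:40 target sshd[1300]: Failed password for carol from 198.51.100.7 port 51000 ssh2
Mar  3 11:02:55 target sshd[1301]: Accepted password for carol from 198.51.100.7 port 51002 ssh2
EOF
}

# Usage: detect_ssh_bruteforce THRESHOLD < auth.log
# Prints "ip failures distinct_users hit" for every source with at least
# THRESHOLD failed passwords. "hit" is the first account that logged in from
# that source after the threshold was reached, or "-" if none did.
detect_ssh_bruteforce() {
awk -v min="$1" '
/sshd\[[0-9]+\]: (Failed|Accepted) password for / {
    # Find "from <ip> port" scanning from the right, so odd usernames cannot shift fields.
    for (i = NF - 2; i > 1; i--) if ($i == "from" && $(i + 2) == "port") break
    if (i <= 1) next
    ip = $(i + 1); user = $(i - 1)
    if ($0 ~ /: Failed password/) {
        fails[ip]++
        if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
    } else if ((fails[ip] + 0) >= (min + 0) && !(ip in hit)) {
        hit[ip] = user      # a success that follows a burst of failures
    }
}
END {
    for (ip in fails) if ((fails[ip] + 0) >= (min + 0))
        print ip, fails[ip], users[ip], ((ip in hit) ? hit[ip] : "-")
}' | sort
}

# Demo on the constructed sample with a threshold of 5 failures.
sample_auth_log | detect_ssh_bruteforce 5
```

A row whose last column is not `-` is the case that matters: a guessed password, which means a credential reset and session review for that account, not just a blocked IP.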

### SSH

After logging in we can look for a privilege escalation path, and the easiest first check is `sudo -l`.

The output shows that this user can run `/bin/tar` through sudo.

We can find the payload on <https://gtfobins.github.io/> to get root privileges.
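The same finding can be caught in a configuration review before an attacker sees it. The following is an added example, not part of the original walkthrough: it reads `sudo -l` output and reports rules that grant `ALL` or a binary able to launch other programs. The sample output, the host name `target` and the short `risky` list are constructed; extend the list from your own review.

```bash
#!/bin/sh
# Constructed `sudo -l` output; only the /bin/tar entry reflects the walkthrough.
sample_sudo_l() {
cat <<'EOF'
Matching Defaults entries for lin on target:
    env_reset, mail_badpass

User lin may run the following commands on target:
    (root) /bin/tar
    (root) NOPASSWD: /sbin/reboot, /usr/bin/find
EOF
}

# Usage: sudo -l -U <user> | audit_sudo_l
# Prints "<runas> <command>" for each rule that grants ALL or a binary whose
# name is in the risky list (a short constructed subset, not a complete list).
audit_sudo_l() {
awk -v risky="tar find vim less awk env perl python3" '
BEGIN { n = split(risky, r, " "); for (k = 1; k <= n; k++) bad[r[k]] = 1 }
/may run the following commands/ { inrules = 1; next }
inrules && /^[ \t]+\(/ {
    line = $0
    sub(/^[ \t]+/, "", line)
    runas = line; sub(/\).*/, ")", runas)          # keep "(root)"
    sub(/^\([^)]*\)[ \t]*/, "", line)              # drop the runas spec
    m = split(line, cmds, /,[ \t]*/)
    for (j = 1; j <= m; j++) {
        c = cmds[j]
        while (c ~ /^[A-Z_]+:[ \t]*/) sub(/^[A-Z_]+:[ \t]*/, "", c)   # drop tags such as NOPASSWD:
        split(c, w, " "); path = w[1]              # first word is the command path
        base = path; sub(/.*\//, "", base)
        if (path == "ALL" || (base in bad)) print runas, path
    }
}'
}

# Demo on the constructed sample.
sample_sudo_l | audit_sudo_l
```

Each reported rule should either be removed or replaced with a narrowly scoped wrapper script owned by root, since restricting the arguments of such a binary in sudoers is easy to get wrong.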

#### Sudo (privilege escalation)

<figure><img src="/files/aga0tuXw0jYTfqLwNdNL" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/uqRdqES6OiuZVfkfON5Q" alt=""><figcaption></figcaption></figure>

Fingers crossed, and we are root now. You can now find all the flags.

<figure><img src="/files/t6IJP8siSlHc1Jl2qKWb" alt=""><figcaption></figcaption></figure>


