Prerequisites for this machine:

  • Familiarity with Hydra
  • Basic FTP knowledge
  • Basic Linux knowledge

Enumeration

The Nmap scan shows that SSH and FTP are running.

Getting the first flag

Connect to the machine via FTP and list the files using “dir”. We see two files, which we can download using “get”.

Back on our attackbox, we can start examining the files. task.txt’s author is “lin”.

Now to the juicy part: brute-forcing SSH using Hydra and the “locks.txt” file we got via FTP.

Great, now we can log in to the machine via SSH using the information we have.

First flag is in “user.txt”.

Getting the last flag

Checking with “sudo -l”, we see that we can run tar with sudo... interesting.

Time for privilege escalation!

A simple Google search for “gtfobins tar privesc” gives us this command, which will spawn a shell for us. Because the sudo rule is what grants root, the command is run through sudo.

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

And sure enough, we are root!

The last flag is in “/root/root.txt”.
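
From the defender's side, the weakness here is a sudo rule that grants tar without pinning its arguments. The following Python script is an added example, not part of the original writeup: it audits “sudo -l” output for such rules. The sample output, the user and host names, and the short binary list are constructed for illustration.

```python
import re

# Binaries whose command-line options can run another program (a small subset
# of the GTFOBins "sudo" entries). Interactive escapes (less, vim) are out of scope.
ARG_DRIVEN_EXEC = {"tar", "find", "awk", "env", "xargs", "rsync"}

# Constructed `sudo -l` output; user "alice" and host "web01" are made up.
SAMPLE_SUDO_L = """\
Matching Defaults entries for alice on web01:
    env_reset, mail_badpass

User alice may run the following commands on web01:
    (root) /bin/tar
    (root) /bin/tar -czf /backup/etc.tgz /etc
    (root) NOPASSWD: /usr/bin/uptime, /usr/bin/find
    (ALL : ALL) ALL
"""

RULE_RE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s+(?P<cmds>.+)$")
TAG_RE = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, SETENV:, ...


def audit_sudo_rules(sudo_l_output):
    """Return (runas, command, reason) for rules that permit arbitrary execution."""
    findings, in_rules = [], False
    for line in sudo_l_output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        match = RULE_RE.match(line) if in_rules else None
        if not match:
            continue
        runas = match.group("runas").split(":")[0].strip()
        for cmd in match.group("cmds").split(","):
            cmd = TAG_RE.sub("", cmd.strip())
            if cmd == "ALL":
                findings.append((runas, cmd, "unrestricted"))
                continue
            path, _, args = cmd.partition(" ")
            # sudoers: no arguments listed means ANY arguments are accepted;
            # listed arguments must match, so only wildcards reopen the hole.
            if path.rsplit("/", 1)[-1] in ARG_DRIVEN_EXEC and (not args or "*" in args):
                findings.append((runas, cmd, "arguments not pinned"))
    return findings


if __name__ == "__main__":
    for runas, cmd, reason in audit_sudo_rules(SAMPLE_SUDO_L):
        print(f"[!] as {runas}: {cmd} ({reason})")
```

The second tar rule in the sample is the corrected form: with the arguments listed in sudoers, options such as --checkpoint-action can no longer be appended.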
