Enumeration

Nmap scan shows us that ssh and ftp are running.

‍

‍

Getting the first flag

Connect to the machine via ftp and list the files using “dir”, we see two files which we can download by using “get”.

‍

‍

Back on our attackbox, we can start examining the files. task.txt’s author is “lin”.

‍

‍

Now to the juicy part, brute-forcing ssh using Hydra and the “locks.txt” file we got via ftp.

‍

‍

Great, now we can login to the machine via ssh using the information we have.

First flag is in “user.txt”.

‍

‍

Getting the last flag

Checking with “sudo -l”, we see that we can use tar.. interesting.

‍

‍

Time for privilege escalation!

A simple google search for “gtfobins tar privesc” gives us this command which will spawn a shell for us.

‍

tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

‍

And sure enough, we are root!

The last flag is in “/root/root.txt”.

‍

An easy-rated Windows box involving default credentials for initial access into Apache Tomcat, and creating an application with a JSP webshell to obtain code execution as SYSTEM.

A medium-rated active directory box which involves chaining rights abuses to compromise users, gain access to FTP to discover a Password Safe file and execute a targeted Kerberoast and DCSync attack to compromise the domain.

An easy-rated active directory box involving LDAP and plaintext credentials for initial access, and abusing services to run a malicious image and obtain a SYSTEM shell.

TryHackMe — Bounty Hacker Writeup

“You talked a big game about being the most elite hacker in the solar system. Prove it and claim your right to the status of Elite Bounty Hacker!”

Enumeration

Getting the first flag

Getting the last flag