This is another guide for a free CTF challenge on the website TryHackMe. I personally really like this site and if you’re interested in pentesting, this site is another great resource!
On to the challenge!
Not only is this challenge relatively easy, it is Cowboy Bebop themed! So double the fun for me!
After deploying the machine, we need to find all of the open ports. We can do this using nmap.
nmap -sS -sV -Pn <ip address>
We got 3 ports open: FTP, SSH, and HTTP.
If we take a quick look at the IP through the browser, we get our mission objective where upon success, we are rewarded with Jet’s famous bell pepper and beef dish! Beyond that, there is nothing worth noting but it is not a bad habit to run a dirbuster or dirsearch on the IP address or checking the source code.
Let’s see if we can use an anonymous login on FTP. Connecting to the IP address through FTP and sign in with the username “anonymous” and no password.
Awesome! Use the ls command and see that there are two files. Download them to your machine with the get command. Exit out of the FTP session and take a look at the task.txt file.
Now we know who wrote the task list!
The file locks.txt looks like a bunch of possible passwords. One could say it looks like a wordlist. Perfect for trying to brute force our way into the machine using hydra!
hydra -l <username> -P locks.txt <ip_address> -t 4 <protocol>
Because the next few commands include flags, there’s going to be a lot of masking. However, if you know which port your trying to brute force, you’ll get the password and you can login.
Now we got the user flag! Time to get the coveted root flag!
Unfortunately, the user we login as is not in the sudo group. So let’s try sudo -l and see if our user is in the sudoers file at all.
Ignoring all of the masking, we see that our user can use the tar command as root! But how can we use this command to get our flag?
A website that is great for helping us figure out how to exploit the tar command is GTFOBins. This site has an extensive list of linux commands that can be used to escalate privileges and if we search for tar, we see we can get access to a shell. Let’s modify the command a little to skip the shell and go straight to that root flag.
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec="/bin/cat /root/root.txt"
And there we have it! Turn in the root flag and go enjoy some of that bell pepper and beef!