🌊 TryHackMe | Bounty Hacker: Full Writeup Simplified
Room: Bounty Hacker
As usual, TryHackMe rooms tend to start with deploying the machine and probing its open ports. It is, of course, a good habit to always start here to find what's actually there to exploit.
To accomplish this, we simply go to the Terminal and enter the following:
nmap -sV -sC 10.10.35.232
NSE stands for Nmap Scripting Engine. -sC scans the IP with the default NSE scripts. It's considered useful and safe, especially if you compare it to flags like -A, which enables an aggressive mode that's detectable.
From the results here, we discover that FTP login is allowed and that the username is Anonymous. We've now found the exploit. We can use this.
Port 21 for command.
Port 20 for data.
From our previous probe, we found that FTP is an open service. The output reads ftp-anon: Anonymous, which suggests the username for it.
From here, we can FTP into the IP address and log in. Once we're in, we list all directories via ls -a.
Let's download these files using the command 'get'.
P.S. We can specify a file location directly via 'get task.txt downloads'.
Now that it's downloaded, we should be able to find it and simply display it via the 'cat' command.
cat is short-hand for concatenate 😊
This was the result for locks.txt
This was the result for task.txt
It returned not found, so I tried to concatenate /root/locks.txt to ensure that I've got the correct directory. It did return the expected text, so it confused me initially, but it just occurred to me that I must've been using the incorrect user. The username wasn't Anonymous; it was the lin that was found from Tasks.txt.
With this Standard Stream chart in mind, let's look into the anatomy of the command:
find / -name "root.txt" 2>/dev/null
'find' searches for the file. '/' tells it to start at the root of the filesystem, so it looks everywhere. The -name flag says "hey, let's find this specific filename". 2 is the file descriptor for stderr, as in the chart above. We only need stdout displayed, so we throw stderr away via 2>/dev/null.
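The redirection described above, as an added example that is not part of the original writeup: it runs the same kind of search in a constructed sandbox directory and captures stdout and stderr separately. The sandbox layout, the flag text and the function names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: runs in a throwaway sandbox, not on the room's machine.

# Build a constructed directory tree containing one file named root.txt.
make_sandbox() {
    sandbox=$(mktemp -d)
    mkdir -p "$sandbox/home/lin" "$sandbox/root"
    echo "constructed flag" > "$sandbox/root/root.txt"
    echo "$sandbox"
}

# Search the sandbox plus a path that does not exist, so find is certain
# to write an error to fd 2 (this works even when the script runs as root).
# $1 = sandbox dir, $2 = file receiving stdout, $3 = file receiving stderr
search_split() {
    # find exits non-zero because of the missing path; that is expected here.
    find "$1" "$1/does-not-exist" -name "root.txt" >"$2" 2>"$3" || true
}

# Same search with stderr discarded, mirroring the command in the writeup.
search_quiet() {
    find "$1" "$1/does-not-exist" -name "root.txt" 2>/dev/null || true
}

demo() {
    sb=$(make_sandbox)
    search_split "$sb" "$sb/out.txt" "$sb/err.txt"
    echo "stdout (fd 1) lines: $(wc -l < "$sb/out.txt" | tr -d ' ')"
    echo "stderr (fd 2) lines: $(wc -l < "$sb/err.txt" | tr -d ' ')"
    echo "with 2>/dev/null:    $(search_quiet "$sb")"
    rm -rf "$sb"
}

demo
```

The match arrives on stdout and the "No such file or directory" message arrives on stderr, which is why discarding fd 2 leaves only the path of the file.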












