TryHackMe Bounty Hacker Official Walkthrough

DarkSec
19 Mar 202110:25

Summary

TLDRIn this video, Dark demonstrates how to complete the 'Bounty Hacker' room on TryHackMe, aimed at beginners. The video walks through key steps, including scanning the machine with Nmap, finding usernames, and using brute force to crack passwords. Dark also highlights the importance of using different usernames and passwords across services for security. Once the user gains access, Dark escalates privileges using sudo and the tar binary to root, capturing the root flag. The video provides a clear, guided example of beginner-level exploitation and emphasizes security best practices.

Takeaways

  • 😀 The video demonstrates a beginner-friendly walkthrough of the 'Bounty Hacker' room on TryHackMe.
  • 😀 The objective of the room is to prove one's skills and claim the status of an elite bounty hacker by exploiting vulnerabilities.
  • 😀 The initial steps involve scanning the target machine using Nmap for open ports and services.
  • 😀 Port 80 was found to be running a web service, revealing anime-themed characters that hint at usernames for further exploration.
  • 😀 A text file (users.txt) was created to store discovered usernames, including 'Ed', 'Fey', 'Spike', 'Jet', and 'Lin'.
  • 😀 Nmap revealed FTP, SSH, and HTTP services open on the target machine, with FTP being the next focus for investigation.
  • 😀 FTP anonymous login was successful, allowing the user to download files from the server, including a password dictionary.
  • 😀 The password dictionary (locks.txt) was used in a brute force attack against SSH using Hydra, leading to the discovery of valid credentials.
  • 😀 The discovered SSH credentials ('Lin' and 'red dragon syndicate' password) were used to log in to the target machine.
  • 😀 After gaining access to the user account, sudo permissions were checked, revealing that the 'tar' command could be run as root, leading to privilege escalation.
  • 😀 The 'tar' command exploit was successfully used to spawn a root shell, allowing the user to access the root.txt file and complete the room.

Q & A

  • What is the primary goal of the 'Bounty Hacker' room on TryHackMe?

    -The goal of the 'Bounty Hacker' room is to help users practice and develop their skills in ethical hacking by using small pieces of information to gain access to a system. The room is designed for beginners.

  • Why does the instructor emphasize the importance of gathering small pieces of information?

    -The instructor highlights that small, seemingly abstract bits of information can be pivotal in finding vulnerabilities and gaining system access, which is a key part of ethical hacking and penetration testing.

  • What tool does the instructor use to scan the target machine, and what flags are used in the scan?

    -The instructor uses Nmap to scan the machine. The flags used are '-sv' for service version enumeration and '-p-' to scan all ports.

  • What anime characters are mentioned in the room’s web page, and what is their significance?

    -The anime characters mentioned on the webpage are Spike, Jet, Ed, Faye, and Ein from the anime 'Cowboy Bebop.' These characters are likely references to usernames, which may help in the exploitation process.

  • What does the instructor do after discovering the usernames on the web page?

    -After discovering the usernames, the instructor saves them to a text file called 'users.txt' to potentially use them later in brute-force attacks or other exploitation methods.

  • How does the instructor access the FTP service, and what happens after the connection is established?

    -The instructor attempts to log in to the FTP service using the 'anonymous' user. Once connected, they download all files from the FTP directory using the 'mget' command and begin reviewing the contents.

  • What is the purpose of the 'locks.txt' file discovered on the system?

    -'locks.txt' contains a password dictionary that is used for brute-forcing passwords for SSH access. The dictionary is likely themed for the room.

  • What method does the instructor use to brute-force SSH access?

    -The instructor uses Hydra to brute-force SSH access, specifying the 'users.txt' for usernames and 'locks.txt' for passwords to attempt login to the target machine.

  • What is the significance of the password 'red dragon syndicate' discovered in the brute-force process?

    -The password 'red dragon syndicate' is the correct password for the user 'lin.' This password is found using the Hydra brute-force attack and is used to gain SSH access to the machine.

  • How does the instructor escalate to root privileges, and what tool is used?

    -The instructor escalates to root privileges by checking if the user 'lin' can run certain commands with 'sudo.' After discovering they can run the 'tar' command as root, they use GTFOBins to exploit 'tar' and spawn a root shell.

Outlines

plate

This section is available to paid users only. Please upgrade to access this part.

Upgrade Now

Mindmap

plate

This section is available to paid users only. Please upgrade to access this part.

Upgrade Now

Keywords

plate

This section is available to paid users only. Please upgrade to access this part.

Upgrade Now

Highlights

plate

This section is available to paid users only. Please upgrade to access this part.

Upgrade Now

Transcripts

plate

This section is available to paid users only. Please upgrade to access this part.

Upgrade Now

Browse More Related Video

Como iniciar na calistenia em seu quarto para iniciantes (sem equipamento)

The Easiest Way to Make a Simple Enemy AI in Unreal Engine 5

Belajar IPA | Usaha Kelas 8 SMP/MTs #Usaha #Fisika

🎓 The Real Path to Becoming a Certified Ethical Hacker in 2024: Is CEH Worth It?

Belajar Aspen Hysys Dasar #1 (Untuk Pemula)

Easy IDOR hunting with Autorize? (GIVEAWAY)

Rate This

5.0 / 5 (0 votes)

Summary
Outlines
Mindmap
Keywords
Highlights
Transcripts
Related Tags
TryHackMeBounty HackerCTFEthical HackingNmapHydraPrivilege EscalationBeginner HackingCybersecuritySSH Brute ForceGTFOBins