TryHackMe: Cowboy Hacker Walkthrough
This lab focused on exploiting a misconfigured FTP service to gain SSH access to a machine. From there, we could escalate privileges to gain root access.
The lab can be found on the TryHackMe website: https://tryhackme.com/room/cowboyhacker
Once the machine was deployed, I ran nmap to discover any open ports on the machine, using the -sV flag to also identify the services running on them.
nmap -sV 10.10.185.15
From this, we were able to see that the FTP, SSH, and HTTP ports are open. First, I browsed to the website, which appeared to just be static content.
In order to enumerate further, I ran gobuster on the machine and only found the /images directory, which did not give any further access.
I checked out the FTP port and discovered that anonymous login was allowed and two files were listed: “task.txt” and “locks.txt”.
I downloaded the two files to my machine, which allowed me to get the first flag of “who wrote the task list?” by viewing the “task.txt” file. Additionally, the locks.txt file looks like a potential list of passwords.
Now that I had a potential username and a potential list of passwords, I tried to brute force the SSH service using Hydra.
hydra -l <name> -P locks.txt 10.10.185.15 ssh
In a fairly short time, I had a successful username and password:
I used this username and password to log into SSH, which granted me the user.txt flag:
Now, this user does not have access to root.txt. We will need to escalate our privileges.
I used the command sudo -l to list the commands that our current user can run as a privileged user.
Using https://gtfobins.github.io/, I was able to discover that it is possible to spawn a shell as root with the following command:
sudo /bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
Now that we have a root shell, we just need to find the root.txt file and cat it out.
CTF complete!
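From the defender's side, the sudo rule for /bin/tar is the misconfiguration that made the root shell possible. The following is an added example, not part of the original walkthrough: a small audit script that parses `sudo -l` output and flags entries for binaries that can execute arbitrary commands. The sample output, the user and host names, and the short binary list are constructed for illustration.

```python
import os
import re

# tar is the binary this walkthrough relied on; the rest are a small illustrative
# subset of binaries GTFOBins documents for sudo. Absence from this set is not
# proof that a binary is safe to allow.
SHELL_CAPABLE = {"tar", "find", "vim", "less", "awk", "env"}

# Constructed sample of `sudo -l` output (not captured from the lab machine).
SAMPLE = """\
Matching Defaults entries for alice on host:
    env_reset, mail_badpass

User alice may run the following commands on host:
    (root) /bin/tar
    (root) NOPASSWD: /usr/bin/uptime, /usr/bin/find
    (ALL : ALL) ALL
"""

# An indented rule line: "(runas) [TAG: ...] cmd[, cmd ...]"
RULE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s*(?:[A-Z_]+:\s*)*(?P<cmds>.+)$")

def audit_sudo_l(output):
    """Return (runas, command, reason) for each risky entry in `sudo -l` output."""
    findings = []
    for line in output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header and Defaults lines carry no "(runas)" prefix
        # Simplification: commas escaped inside a command are not handled.
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if not cmd:
                continue
            binary = os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                findings.append((m.group("runas"), cmd, "unrestricted sudo"))
            elif binary in SHELL_CAPABLE:
                reason = f"{binary} can execute arbitrary commands"
                findings.append((m.group("runas"), cmd, reason))
    return findings

if __name__ == "__main__":
    for runas, cmd, reason in audit_sudo_l(SAMPLE):
        print(f"[!] as {runas}: {cmd} -> {reason}")
```

Where a user genuinely needs an archive created as root, a fixed wrapper script owned by root with no user-controlled arguments is a narrower grant than the tar binary itself.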