{"id":14,"date":"2025-03-26T16:38:40","date_gmt":"2025-03-26T15:38:40","guid":{"rendered":"https:\/\/fromkiddietorobot.fr\/?p=14"},"modified":"2025-03-27T19:34:32","modified_gmt":"2025-03-27T18:34:32","slug":"bounty-hacker","status":"publish","type":"post","link":"https:\/\/fromkiddietorobot.fr\/index.php\/2025\/03\/26\/bounty-hacker\/","title":{"rendered":"Bounty Hacker"},"content":{"rendered":"\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><a href=\"https:\/\/tryhackme.com\/room\/cowboyhacker\">https:\/\/tryhackme.com\/room\/cowboyhacker<\/a><\/p>\n<\/blockquote>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>&#8220;You talked a big game about being the most elite hacker in the solar system. Prove it and claim your right to the status of Elite Bounty Hacker!&#8221;<\/p>\n<\/blockquote>\n\n\n\n<p>Here is my writeup for this TryHackMe machine.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Reconnaissance phase<\/h2>\n\n\n\n<p>Nmap with no options for a first look:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/kiddierobot.wordpress.com\/wp-content\/uploads\/2025\/03\/image.png?w=585\" alt=\"\" class=\"wp-image-62\"\/><\/figure>\n\n\n\n<p>After this fairly basic nmap scan, I like to add the default scripts and version detection to get more information about the machine&#8217;s open ports:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/kiddierobot.wordpress.com\/wp-content\/uploads\/2025\/03\/image-1.png?w=863\" alt=\"\" class=\"wp-image-64\"\/><\/figure>\n\n\n\n<p>In the list of services we can see FTP with anonymous authentication enabled, which could be a first lead for exploitation; we will try it. 
We also see that the IP address hosts a website, so let&#8217;s look at what it contains.<\/p>\n\n\n\n<p>It is a simple site with an image and some text (a dialogue on the CTF&#8217;s theme, Cowboy Bebop); here it is:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Spike: &#8220;..Oh look you&#8217;re finally up. It&#8217;s about time, 3 more minutes and you were going out with the garbage.&#8221;<\/li>\n\n\n\n<li>Jet: &#8220;Now you told Spike here you can hack any computer in the system. We&#8217;d let Ed do it but we need her working on something else and you were getting real bold in that bar back there. Now take a look around and see if you can get that root the system and don&#8217;t ask any questions you know you don&#8217;t need the answer to, if you&#8217;re lucky I&#8217;ll even make you some bell peppers and beef.&#8221;<\/li>\n\n\n\n<li>Ed: &#8220;I&#8217;m Ed. You should have access to the device they are talking about on your computer. Edward and Ein will be on the main deck if you need us!&#8221;<\/li>\n\n\n\n<li>Faye: &#8220;..hmph..&#8221;<\/li>\n<\/ul>\n\n\n\n<p>We can check whether the site contains hidden directories that could be useful in the exploitation phase:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/kiddierobot.wordpress.com\/wp-content\/uploads\/2025\/03\/image-2.png?w=913\" alt=\"\" class=\"wp-image-69\"\/><\/figure>\n\n\n\n<p>So there is nothing to exploit quickly on the website.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Exploitation phase<\/h2>\n\n\n\n<p>Let&#8217;s test authentication on the FTP service:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/kiddierobot.wordpress.com\/wp-content\/uploads\/2025\/03\/image-3.png?w=397\" alt=\"\" class=\"wp-image-71\"\/><\/figure>\n\n\n\n<p>The connection succeeded. 
We can now try to find information useful for completing this CTF.<br>We can see two readable files on the server, which we will download to our attacking machine to analyse:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/kiddierobot.wordpress.com\/wp-content\/uploads\/2025\/03\/image-4.png?w=600\" alt=\"\" class=\"wp-image-73\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/kiddierobot.wordpress.com\/wp-content\/uploads\/2025\/03\/image-5.png?w=591\" alt=\"\" class=\"wp-image-75\"\/><\/figure>\n\n\n\n<p>Contents of task.txt &amp; locks.txt:<\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-9d6595d7 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/kiddierobot.wordpress.com\/wp-content\/uploads\/2025\/03\/image-8.png?w=387\" alt=\"\" class=\"wp-image-81\"\/><\/figure>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/kiddierobot.wordpress.com\/wp-content\/uploads\/2025\/03\/image-10.png?w=226\" alt=\"\" class=\"wp-image-83\"\/><\/figure>\n<\/div>\n<\/div>\n\n\n\n<p>So we have a list of tasks written by a certain &#8220;lin&#8221; and a list that we can treat as a password dictionary.<br>At this point, with the name &#8220;lin&#8221;, which could be a username, and a password list, we can try to brute-force the SSH service.<br>For that we will use a surprise tool that will serve us again later (the Mickey reference, haha), which is none other 
than Hydra.<\/p>\n\n\n\n<p>Within a few seconds we find the SSH password for the &#8220;lin&#8221; account; let&#8217;s try logging in:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/kiddierobot.wordpress.com\/wp-content\/uploads\/2025\/03\/image-11.png?w=941\" alt=\"\" class=\"wp-image-87\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/kiddierobot.wordpress.com\/wp-content\/uploads\/2025\/03\/image-12.png?w=713\" alt=\"\" class=\"wp-image-89\"\/><\/figure>\n\n\n\n<p>This gives us our first flag, THM{CR1M3_SyNd1C4T3}.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/kiddierobot.wordpress.com\/wp-content\/uploads\/2025\/03\/image-13.png?w=375\" alt=\"\" class=\"wp-image-91\"\/><\/figure>\n\n\n\n<p>Now that we have user access to the machine, we can move on to the next phase: privilege escalation.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Privilege escalation phase<\/h2>\n\n\n\n<p>I start by listing the commands the user is allowed to run with sudo:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/kiddierobot.wordpress.com\/wp-content\/uploads\/2025\/03\/image-14.png?w=836\" alt=\"\" class=\"wp-image-93\"\/><\/figure>\n\n\n\n<p>Let&#8217;s check on GTFOBins (the privilege escalation bible, in my opinion) whether the tar command can be exploited for privilege escalation:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/gtfobins.github.io\/gtfobins\/tar\/\"><img decoding=\"async\" src=\"https:\/\/kiddierobot.wordpress.com\/wp-content\/uploads\/2025\/03\/image-15.png?w=934\" alt=\"\" class=\"wp-image-95\"\/><\/a><\/figure>\n\n\n\n<p>Exactly 
what we need; let&#8217;s try the command:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/kiddierobot.wordpress.com\/wp-content\/uploads\/2025\/03\/image-16.png?w=912\" alt=\"\" class=\"wp-image-97\"\/><\/figure>\n\n\n\n<p>And there we are, we are now the root user (the privileged user). Let&#8217;s look for our last flag:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/kiddierobot.wordpress.com\/wp-content\/uploads\/2025\/03\/image-17.png?w=184\" alt=\"\" class=\"wp-image-99\"\/><\/figure>\n\n\n\n<p>And that&#8217;s it, the box has been pwned.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img decoding=\"async\" src=\"https:\/\/kiddierobot.wordpress.com\/wp-content\/uploads\/2025\/03\/image-18.png?w=867\" alt=\"\" class=\"wp-image-101\" style=\"width:914px;height:auto\"\/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>\u00ab You talked a big game about being the most elite hacker in the solar system. Prove it and claim your right to the status of Elite Bounty Hacker! 
\u00bb<\/p>\n","protected":false},"author":3,"featured_media":99,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-14","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ctf"],"_links":{"self":[{"href":"https:\/\/fromkiddietorobot.fr\/index.php\/wp-json\/wp\/v2\/posts\/14","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fromkiddietorobot.fr\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fromkiddietorobot.fr\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fromkiddietorobot.fr\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/fromkiddietorobot.fr\/index.php\/wp-json\/wp\/v2\/comments?post=14"}],"version-history":[{"count":2,"href":"https:\/\/fromkiddietorobot.fr\/index.php\/wp-json\/wp\/v2\/posts\/14\/revisions"}],"predecessor-version":[{"id":98,"href":"https:\/\/fromkiddietorobot.fr\/index.php\/wp-json\/wp\/v2\/posts\/14\/revisions\/98"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fromkiddietorobot.fr\/index.php\/wp-json\/wp\/v2\/media\/99"}],"wp:attachment":[{"href":"https:\/\/fromkiddietorobot.fr\/index.php\/wp-json\/wp\/v2\/media?parent=14"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fromkiddietorobot.fr\/index.php\/wp-json\/wp\/v2\/categories?post=14"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fromkiddietorobot.fr\/index.php\/wp-json\/wp\/v2\/tags?post=14"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}