Bounty Hacker: A Beginner CTF Walkthrough

Number 6 on our Top 10 TryHackMe CTFs for Beginners list, this week’s CTF is Bounty Hacker. You may have noticed that we’ve skipped CTFs 4 and 5, RootMe and Ignite, respectively. I learned from those CTFs that I need to brush up on Linux privilege escalation and PHP abuse. Once I do, I’ll revisit those rooms. For Bounty Hacker, however, I had all the information I needed going in. It is a very easy beginner CTF. Interestingly, however, when I task ChatGPT with hacking the Bounty Hacker CTF, the AI gets it completely wrong! Let’s begin.

🔗 https://tryhackme.com/room/cowboyhacker

Nmap seems to be rate limited, so we re-run it with the following switches (-Pn skips host discovery and -A enables version and OS detection, default scripts and traceroute):

nmap -A -Pn target

Results in:

  • 21/tcp open ftp vsftpd 3.0.5
  • 22/tcp open ssh OpenSSH
  • 80/tcp open http

Visiting targetIP in a web browser reveals that this CTF is Cowboy Bebop themed! Long-time subscribers will know that this brings me much, albeit fleeting, happiness!

I’m a huge fan! We find that FTP allows for anonymous login. Immediately we find locks.txt which reads:

REddrAGON
ReDdr4g0nSynd!cat3
Dr@gOn$yn9icat3
R3DDr46ONSYndIC@Te
ReddRA60N
R3dDrag0nSynd1c4te
dRa6oN5YNDiCATE
ReDDR4g0n5ynDIc4te
R3Dr4gOn2044
RedDr4gonSynd1cat3
R3dDRaG0Nsynd1c@T3
Synd1c4teDr@g0n
reddRAg0N
REddRaG0N5yNdIc47e
Dra6oN$yndIC@t3
4L1mi6H71StHeB357
rEDdragOn$ynd1c473
DrAgoN5ynD1cATE
ReDdrag0n$ynd1cate
Dr@gOn$yND1C4Te
RedDr@gonSyn9ic47e
REd$yNdIc47e
dr@goN5YNd1c@73
rEDdrAGOnSyNDiCat3
r3ddr@g0N
ReDSynd1ca7e

We also find tasks.txt which reads:


1.) Protect Vicious.
2.) Plan for Red Eye pickup on the moon.

-lin

I’m guessing that Lin is a likely candidate for a username and that our Red Dragon 1337 Sp34K list is populated with potential passwords. ChatGPT, however, disagrees, saying:

I get what you’re saying — you’re not talking about blind 10-million-combo brute force, you’ve got a curated wordlist and a known username. But here’s the strategic CTF reality check: In most modern CTFs, straight SSH password guessing is rarely the intended first move... More often, if you already have:

* A valid username
* A wordlist

The intended path is usually one of these:

1️⃣ Credential Reuse Path...
2️⃣ Password Pattern Intelligence...
3️⃣ Key-Based Authentication Angle

In fact, unlike previous chats, ChatGPT won’t craft a Hydra command for me, claiming that she “can’t help with instructions for brute-forcing SSH.” So, I go it alone:

hydra -l lin -P locks.txt targetIP ssh -t 4

Which reveals that RedDr4gonSynd1cat3 is our password. Humans are up by one! Let’s log in over SSH:

ssh lin@targetIP

Provide the password and we’re in!
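From the defender's side, the Hydra run above leaves a clear trail in the SSH server's auth log: a burst of failed passwords for one user from one source, then a success. The following is an added example, not part of the original walkthrough, that flags that pattern; the log lines, host name, IPs and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in OpenSSH auth.log format; host name and IPs are made up.
SAMPLE_LOG = "\n".join(
    [f"Mar  1 20:00:{s:02d} bebop sshd[12{s:02d}]: Failed password for lin "
     f"from 203.0.113.7 port 401{s:02d} ssh2" for s in range(1, 9)]
    + ["Mar  1 20:00:09 bebop sshd[1209]: Accepted password for lin "
       "from 203.0.113.7 port 40109 ssh2",
       # A single typo followed by a success should not be flagged.
       "Mar  1 20:05:00 bebop sshd[1300]: Failed password for lin "
       "from 198.51.100.4 port 50000 ssh2",
       "Mar  1 20:05:30 bebop sshd[1301]: Accepted password for lin "
       "from 198.51.100.4 port 50001 ssh2"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_guessed_logins(log_text, threshold=5, window=timedelta(minutes=5), year=2024):
    """Return (user, ip, failures) for every accepted password login that was
    preceded by at least `threshold` failures for the same user from the same
    source within `window`. Syslog lines carry no year, so one is supplied."""
    failures = defaultdict(list)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["user"], m["ip"])
        if m["result"] == "Failed":
            failures[key].append(ts)
            continue
        recent = [t for t in failures[key] if ts - t <= window]
        if len(recent) >= threshold:
            hits.append((m["user"], m["ip"], len(recent)))
        failures[key].clear()  # a success resets the counter for this pair
    return hits

if __name__ == "__main__":
    for user, ip, n in find_guessed_logins(SAMPLE_LOG):
        print(f"ALERT: {user} logged in from {ip} after {n} failed passwords")
```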

sudo -l

Reveals that Lin’s root privileges can only be used to run /bin/tar: a lowly compression utility. Or is it? I visit GTFOBins.org and search tar. It has a lot of uses, but the following jumps out at me: “This executable can read data from local files: tar cf /dev/stdout /path/to/input-file -I 'tar xO'”

Usually when I encounter a wall of text, the likes of which resulted from my “tar” search, I space out completely and lose all interest. I sincerely doubt that I homed in on the correct answer this quickly and I decide to run the aforementioned exploit by ChatGPT for funsies. Her assessment is NOT encouraging:

You’re thinking in the right direction — but no, that specific command isn’t what you want for grabbing root.txt.

If your sudo -l shows something like:

(root) NOPASSWD: /bin/tar

then this is almost certainly a classic CTF privesc path.

Why Your Command Isn’t It

sudo tar cf /dev/stdout /path/to/input-file -I 'tar xO'

-I is for compression programs.

That syntax won’t give you command execution.

It’s not going to read arbitrary root files for you.

So no — that’s not the move.

This is devastating. But who should I doubt? A nearly omniscient, disembodied intelligence that is an amalgam of all of human knowledge throughout eternity up until this very moment? Or should I doubt myself? Clearly I should doubt myself. After all, the CTF’s Cowboy Bebop theme was pretty thin and I had long since lost interest; I’d only read through the first three results of my “tar” exploits search after all. It’s unlikely that I’d stumbled upon the solution on my first try. The last two CTFs suggested that I wasn’t particularly good at any of this… and yet…

The AI wants me to take over the target machine, and certain tar exploits seem to be capable of exactly that. But all I need is root.txt. The command I found is described and structured in such a way as to suggest that as long as I know where the file is, I can read it. Maybe it will read arbitrary root files for me.

sudo tar cf /dev/stdout /root/root.txt -I 'tar xO'

Success! The final flag prints on screen. Humans up by two.
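The root cause here is a sudo rule that hands a file-reading binary to a regular user as root. The following is an added example, not part of the original walkthrough, of how an administrator could audit `sudo -l` output for such rules; the sample output, the host name and the short `ESCAPABLE` list are assumptions made for illustration.

```python
import os
import re

# Binaries that GTFOBins documents as able to read files or spawn a shell when
# run through sudo. A small subset chosen for this example, not a full list.
ESCAPABLE = {"tar", "find", "vim", "less", "awk", "env", "perl", "python3",
             "cp", "dd", "tee"}

# Constructed sample of `sudo -l` output; the host name and extra rules are made up.
SAMPLE_SUDO_L = """\
User lin may run the following commands on bountyhacker:
    (root) /bin/tar
    (root) NOPASSWD: /usr/bin/systemctl status nginx, /usr/bin/less /var/log/syslog
    (www-data) /usr/bin/find
"""

# "(runas[:group]) [TAG: ...] command[, command ...]"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def audit_sudo_rules(sudo_l_output):
    """Return one finding per rule that lets the user run an ESCAPABLE binary
    as root. Commas escaped inside command arguments are not handled."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        runas_users = {u.strip() for u in m["runas"].split(":")[0].split(",")}
        if not runas_users & {"root", "ALL"}:
            continue  # rule does not grant root
        for cmd in m["cmds"].split(","):
            parts = cmd.split()
            if parts and os.path.basename(parts[0]) in ESCAPABLE:
                findings.append({
                    "binary": parts[0],
                    "nopasswd": "NOPASSWD:" in m["tags"],
                    # Pinned arguments narrow a rule but do not make an
                    # interactive tool safe; review these by hand.
                    "args_pinned": len(parts) > 1,
                })
    return findings

if __name__ == "__main__":
    for f in audit_sudo_rules(SAMPLE_SUDO_L):
        print(f)
```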

This was one of the easiest CTFs we’ve done to date. It looks like everyone on the THM leaderboards got root.txt. As easy as it was, however, we still learned a lot. We learned that priv esc isn’t everything and that AI doesn’t always know best. And I learned to trust my instincts.

If you’re new to TryHackMe or trying to build confidence before harder rooms, this one earns its place on the list of Top 10 TryHackMe CTFs for Beginners. Join us in the https:tiny.url/csmmDiscord Friday Nights 8PM EST and help us tackle more CTFs! Or, check out the Livestreaming Schedule on the homepage and follow along during our live walkthroughs!
