BadByte — TryHackMe

0xsanz
7 min read · Mar 14, 2021

This is a write-up for TryHackMe’s room named BadByte. This is a beginner-friendly room. We need to infiltrate BadByte and then take over root. Let’s start the enumeration process using nmap.

Reconnaissance

NMAP

# Identify the list of services running on the target machine
⇒ sudo nmap -sS -Pn -T4 -p- 10.10.114.112

$ sudo nmap -sS -Pn -T4 -p- 10.10.114.112
PORT STATE SERVICE
22/tcp open ssh
30024/tcp open unknown

# Perform further information gathering on the open ports identified above
⇒ sudo nmap -O -A -Pn -T4 -p22,30024 10.10.114.112

$ sudo nmap -O -A -Pn -T4 -p22,30024 10.10.114.112
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e3:89:a3:33:67:85:ac:08:a5:0f:1a:d4:79:78:d2:66 (RSA)
| 256 c1:93:e9:26:b8:9b:85:bc:c2:8e:08:a2:a4:85:f6:85 (ECDSA)
|_ 256 dd:e1:5c:32:d1:fc:a3:c5:4a:0e:bf:c8:c2:79:e4:71 (ED25519)
30024/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 1752 Dec 27 19:55 id_rsa
|_-rw-r--r-- 1 ftp ftp 78 Dec 28 16:50 note.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.8.98.192
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status

All the questions in this section can be answered from the above scans.
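
The same scan output is what a defender reviewing their own hosts would want flagged automatically. The following is an added example, not part of the original write-up: a small Python parser that reads nmap text output and reports ports where the ftp-anon script saw an anonymous login and where the listing contains file names that look like key material. The sample text is a trimmed copy of the scan above, and the filename pattern is an assumed policy.

```python
import re

# Constructed sample: trimmed copy of the nmap -A output shown above.
SAMPLE = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
30024/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 ftp ftp 1752 Dec 27 19:55 id_rsa
|_-rw-r--r-- 1 ftp ftp 78 Dec 28 16:50 note.txt
| ftp-syst:
| STAT:
"""

PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+\S+")
# "ls -l" style line inside the ftp-anon script block; captures the file name.
LISTING_RE = re.compile(r"^\|_?\s*[-dl][rwxsStT-]{9}\s+.*\s(\S+)$")
# Assumed policy (not from the write-up): names that usually hold key material.
SENSITIVE_RE = re.compile(r"^(id_(rsa|dsa|ecdsa|ed25519)|.*\.(pem|key|ppk|kdbx))$", re.I)

def audit(nmap_text):
    """Return (port, finding, detail) tuples for anonymous FTP exposure."""
    findings, port, in_anon = [], None, False
    for line in nmap_text.splitlines():
        m = PORT_RE.match(line)
        if m:                      # a new port row ends any script block
            port, in_anon = int(m.group(1)), False
            continue
        if port is None:
            continue
        if "ftp-anon:" in line:    # header line of the ftp-anon script output
            in_anon = "login allowed" in line
            if in_anon:
                findings.append((port, "anonymous-ftp", ""))
            continue
        listing = LISTING_RE.match(line) if in_anon else None
        if listing:
            name = listing.group(1)
            if SENSITIVE_RE.match(name):
                findings.append((port, "key-material-exposed", name))
        elif in_anon:              # first non-listing line closes the block
            in_anon = False
    return findings

if __name__ == "__main__":
    for port, finding, detail in audit(SAMPLE):
        print(f"port {port}: {finding} {detail}".rstrip())
```
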

Foothold

From the Reconnaissance section, we saw that FTP is running with anonymous login allowed, and that two files can be accessed. Connect to the target over FTP and download both files locally:

ftp 10.10.114.112 30024
Connected to 10.10.114.112.
220 (vsFTPd 3.0.3)
Name (10.10.114.112:kali): Anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to…