TryHackMe write-up: Bounty Hacker


This is my write-up for TryHackMe’s Bounty Hacker Room.


Using nmap, I saw that this box is running FTP, SSH and HTTP.

FTP allows anonymous access. Looking inside, I find 2 files.

Downloading and checking the files, I see that one of them look like a password list.

The 2nd file, contains a list of things to do. The writer of the list might be a user.


Running hydra using the password list found at the FTP, I was able to get the SSH credentials.

Connecting via SSH, I was able to verify the above credentials.

Privilege Escalation

Checking for sudo privileges, I found that I could user tar for privilege escalation.

Checking GTFOBins, I can run something like:

sudo tar -cf /dev/null /dev/null — checkpoint=1 — checkpoint-action=exec=/bin/sh

Trying something similar to that above out, I was able to gain root access.




I like breaking stuff.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Organix Public Sale Starts at 8 PM, August 15th, 2020 (SGT)

Sheesha Finance Strategic Partner: Hacken

Investment Protection and Cisco MDS 9700 Series Directors: The story continues…

Steps To Install Free SSL certificate on Tomcat Server

{UPDATE} Adivina la Comida Hack Free Resources Generator

QIP mining is live on QTUM mainnet

RansomEXX, Fixing Corrupted Ransom

2020–11–03 Incident report: $CAKE, $DRUGS

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


I like breaking stuff.

More from Medium

TryHackMe — Road

Network Services — Tryhackme

TryHackMe: Internal walkthrough

Nibbles | HackTheBox writeup