TryHackMe write-up: Bounty Hacker

2 min readJun 24, 2021


This is my write-up for TryHackMe’s Bounty Hacker Room.


Using nmap, I saw that this box is running FTP, SSH and HTTP.

FTP allows anonymous access. Looking inside, I find 2 files.

Downloading and checking the files, I see that one of them look like a password list.

The 2nd file, contains a list of things to do. The writer of the list might be a user.


Running hydra using the password list found at the FTP, I was able to get the SSH credentials.

Connecting via SSH, I was able to verify the above credentials.

Privilege Escalation

Checking for sudo privileges, I found that I could user tar for privilege escalation.

Checking GTFOBins, I can run something like:

sudo tar -cf /dev/null /dev/null — checkpoint=1 — checkpoint-action=exec=/bin/sh

Trying something similar to that above out, I was able to gain root access.