TryHackMe write-up: Bounty Hacker


This is my write-up for TryHackMe’s Bounty Hacker Room.


Using nmap, I saw that this box is running FTP, SSH and HTTP.

FTP allows anonymous access. Looking inside, I find 2 files.

Downloading and checking the files, I see that one of them look like a password list.

The 2nd file, contains a list of things to do. The writer of the list might be a user.


Running hydra using the password list found at the FTP, I was able to get the SSH credentials.

Connecting via SSH, I was able to verify the above credentials.

Privilege Escalation

Checking for sudo privileges, I found that I could user tar for privilege escalation.

Checking GTFOBins, I can run something like:

sudo tar -cf /dev/null /dev/null — checkpoint=1 — checkpoint-action=exec=/bin/sh

Trying something similar to that above out, I was able to gain root access.




I like breaking stuff.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Goodbye, Windows 10!

Authentication Bypass (Write-up/Walkthrough)

What Happens When Someone Steals your Health Data?

We Keep YOU Safe

Your personal security checklist

Tokens with reliable tasks accomplishments.

Should we save security till the end?

@cmnnewsofficial CMN wants to provide an ecosystem that does more than just exchanging tokens.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


I like breaking stuff.

More from Medium

Beep | HackTheBox writeup

Pentesting Fundamentals TryHackMe

How to get Invite code in Hack The Box

Cyber Santa HTB CTF — Writeup