TryHackMe: Bounty Hacker

  1. Deploy the machine.

2. Find open ports on the machine

Port scan

There’re 3 open ports: 21,22,80.

OS and service scan

The OS is Ubuntu.

There’re 3 services:

Vuln scan

Access HTTP site (port 80)

There’re 3 name: spike, jet, and ed.

Let’s note it for possible usernames.

View page source. There’s /images/ directory.

Access it. nothing much

Access ftp port 21 with anonymous login

There’re 2 files: locks.txt and task.txt.

Download it

Read it

Seems like this is a password file.

Read task.txt

3. Who wrote the task list?
The answer is from task.txt
ANS: l*n

4. What service can you bruteforce with the text file found?

Seems like there’s another possible username.

Let’s create users.txt first. There’re 5 usernames in total.

Bruteforce SSH on port 22

SSH can be bruteforced.

5. What is the users password?
ANS: The answer is from #4.

6. user.txt

7. root.txt

Let’s do privilege escalation. I will check sudo first

Lucky enough I can use tar.

Looking up in GTFO

Run the command

Let’s verify if I can escalate the priv.

Now I’m root.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store