July 1, 2026
Bounty Hacker
Introduction
By Rustmmmdov
In this part, I am moving on to the Bounty Hacker room on TryHackMe. This is a great entry-level room where we will practice the core pentesting phases: recon, brute-forcing credentials, exploiting a service, and escalating privileges to root.
Initial Scanning and Enumeration
The first step in any pentest is to do some recon on the target. I started off by scanning the target IP to find open ports and running services using this Nmap command:
nmap -sS -sV -Pn -v <TARGET_IP>
-sS: Performs a SYN Stealth Scan. It is faster and more covert because it never completes the full three-way handshake with the target.
-sV: Enables version detection, allowing us to see exactly what software and version is running on each open port.
-Pn: Skips the initial ping host discovery phase. This is useful when the target blocks standard ping requests but has other services running.
-v: Increases verbosity, displaying discovered ports in real-time as the scan progresses.
Scan Results
The Nmap scan completed quickly and revealed three open ports on the target system:
Port 21 (FTP): File Transfer Protocol, which might allow us to look for interesting files.
Port 22 (SSH): Secure Shell, typically used for remote terminal access once we obtain valid credentials.
Port 80 (HTTP): A web server hosting a website, which we can explore through a web browser.
Enumerating FTP (Port 21)
Since port 21 is open, the next move is to check for anonymous FTP login. This misconfiguration lets anyone log into the FTP server without credentials and potentially grab sensitive files. I tried to connect using the following command:
As shown in the screenshot, the anonymous login worked (230 Login successful). This points to a clear misconfiguration on the FTP server, giving unauthorized access to the files stored inside.
Once logged in, I ran the ls command to see the files available in the current directory of the FTP server:
The directory listing showed two text files sitting on the server: locks.txt and task.txt. These files could hold sensitive info, user credentials, or system hints to help us move forward.
To pull these files down to my local machine for a closer look, I used the get command for both files:
After grabbing the files, I dropped out of the FTP session and used the cat command to check the contents of task.txt for any useful info or hints:
Checking task.txt showed a note signed by lin, which is actually the exact answer to one of the tasks in this TryHackMe room. Now that we have a potential username on the system, the next move is to check the second downloaded file, locks.txt, to see what's inside.
Running cat locks.txt showed a list of password candidates. This looks like a custom wordlist meant for the user we found earlier. With a valid username (lin) and a list of potential passwords ready, our next move is to brute-force the SSH (Port 22) service to gain a foothold on the system.
To automate the brute-force attack and find the correct SSH password for lin, I used Hydra, which is pretty much the go-to tool for network logon cracking. I ran the following command, passing the username I found and the custom password list:
hydra -l lin -P locks.txt <TARGET_IP> ssh
-l lin: Specifies the targeted username we discovered in the previous step.
-P locks.txt: Points to the custom wordlist containing the password candidates.
ssh: Defines the target service protocol running on port 22.
Hydra cracked the credentials and found the valid password in just a few seconds: lin:RedDr4gonSynd1cat3. This password is also the exact answer to the next task in the TryHackMe room. Now that I have a valid username and password, my next move is to establish an active session on the target system via SSH.
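From the defender's side, the run described above leaves a burst of failed SSH logins followed by one accepted login from the same address. The following added example (not part of the original writeup) detects that pattern in sshd log lines; the hostname, addresses, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of sshd auth.log lines; 192.0.2.x are documentation addresses.
SAMPLE_LOG = """\
Jul  1 10:00:01 bounty sshd[1201]: Failed password for lin from 192.0.2.10 port 40112 ssh2
Jul  1 10:00:02 bounty sshd[1203]: Failed password for lin from 192.0.2.10 port 40114 ssh2
Jul  1 10:00:02 bounty sshd[1205]: Failed password for lin from 192.0.2.10 port 40116 ssh2
Jul  1 10:00:03 bounty sshd[1207]: Failed password for lin from 192.0.2.10 port 40118 ssh2
Jul  1 10:00:04 bounty sshd[1209]: Failed password for lin from 192.0.2.10 port 40120 ssh2
Jul  1 10:00:05 bounty sshd[1211]: Accepted password for lin from 192.0.2.10 port 40122 ssh2
Jul  1 10:07:30 bounty sshd[1300]: Failed password for invalid user admin from 192.0.2.77 port 51000 ssh2
Jul  1 10:09:12 bounty sshd[1320]: Accepted password for lin from 192.0.2.50 port 52000 ssh2
"""

EVENT = re.compile(r"sshd\[\d+\]: (Failed|Accepted) password for "
                   r"(?:invalid user )?(\S+) from (\S+) port \d+")

def detect(log_text, threshold=5, window=timedelta(seconds=60), year=2026):
    """Return (kind, source_ip, user) findings, in log order."""
    recent = defaultdict(deque)   # source IP -> timestamps of recent failures
    alerted, findings = set(), []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        outcome, user, src = m.groups()
        # Syslog timestamps carry no year, so one is supplied (assumption).
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        fails = recent[src]
        while fails and ts - fails[0] > window:
            fails.popleft()       # drop failures that fell out of the window
        if outcome == "Failed":
            fails.append(ts)
            if len(fails) >= threshold and src not in alerted:
                alerted.add(src)
                findings.append(("bruteforce", src, user))
        elif len(fails) >= threshold:
            # A login right after a failure burst means a guess succeeded.
            findings.append(("success_after_bruteforce", src, user))
            fails.clear()
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The second finding is the one to page on: it means the account's password is known to the source address and should be rotated.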
Once I got the SSH session open, I was dropped right into the user's Desktop directory. To check if the user flag was there, I ran the ls command to see what was inside:
The ls command showed that user.txt was right there on the Desktop. To grab the user flag and wrap up this part of the challenge, I ran the cat command to see what was inside:
Running cat user.txt gave me the first flag: THM{CR1M3_SyNd1C4T3}. With that secured, I'm done with the initial access phase. Now, the final step is to perform privilege escalation to move from the low-privilege user lin up to root.
Privilege Escalation (Sudo Rights)
To escalate privileges, I checked what sudo rights I had by running sudo -l. As shown in the screenshot, lin can run the /bin/tar binary as root without a password. This is a classic misconfiguration that you can easily look up on GTFOBins. To abuse this and spawn a root shell, I ran the following command using tar's checkpoint flags:
After running the command, the prompt changed to #, which meant I successfully spawned a root shell. To double-check my identity and find the final flag, I checked my username and went straight to the root home directory to read root.txt:
As shown in the final screenshot, running whoami confirmed that I was root. After that, I moved over to the /root directory, listed the files, and grabbed the final flag using cat root.txt.
Root Flag: THM{80UN7Y_h4cK3r}
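The sudo rule that made this step possible can be caught in review before it ships. The following added example (not part of the original writeup) audits sudoers-style rules for grants like the /bin/tar one above; the sample rules and the short list of shell-capable binaries are constructed assumptions.

```python
import os
import re

# Binaries that can run other programs, so an open sudo rule for one of them
# is equivalent to a root shell. Illustrative subset (assumption).
SHELL_CAPABLE = {"tar", "find", "vim", "less"}

# Constructed sudoers lines; the first mirrors the rule found in this room.
SAMPLE_SUDOERS = """\
lin     ALL=(root) NOPASSWD: /bin/tar
backup  ALL=(root) /usr/local/sbin/nightly-backup.sh
deploy  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app, /usr/bin/find
ops     ALL=(ALL) ALL
"""

# user  host = (runas) [tags] command[, command...]
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")

def audit(sudoers_text):
    """Return (user, command, reason) for every risky grant, in file order."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        m = RULE.match(line)
        if not m or line.startswith(("#", "Defaults")):
            continue
        user, spec = m.groups()
        nopasswd = "NOPASSWD:" in spec
        spec = re.sub(r"\b(?:NO)?PASSWD:\s*", "", spec)
        for cmd in (c.strip() for c in spec.split(",")):
            parts = cmd.split()
            if cmd == "ALL":
                reason = "unrestricted command set"
            elif (len(parts) == 1
                  and os.path.basename(parts[0]) in SHELL_CAPABLE):
                # No argument list in the rule: the caller picks every option.
                reason = "shell-capable binary with unrestricted arguments"
            else:
                continue
            if nopasswd:
                reason += ", no password required"
            findings.append((user, cmd, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS):
        print(finding)
```

A rule that pins the full argument list, or that points at a root-owned wrapper script, is not flagged, which is the form such a grant should take.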
Conclusion
This room was great practice for the basics of the pentesting lifecycle: from initial recon (Nmap) and anonymous service exploitation (FTP) to credential brute-forcing (Hydra) and Linux privilege escalation via sudo misconfigurations. The machine is now fully rooted!