
Bounty Hacker TryHackMe Walkthrough — FTP to Root via Sudo Tar

ducky
2026-05-22

Difficulty: Easy · OS: Linux · Skills: Service enumeration, anonymous FTP, online password brute-forcing, sudo misconfiguration abuse

Bounty Hacker (room URL cowboyhacker) is a beginner-friendly Linux CTF on TryHackMe that drills the fundamentals: scan, enumerate, brute-force, escalate. We pull a username and a password wordlist from an anonymous FTP server, brute-force SSH with Hydra, then escalate to root by abusing a misconfigured sudo rule on /bin/tar.

This writeup explains the logic of each step so you understand why it works — not just what to type. Task answers are included at the end.


Attack Chain at a Glance

  1. Recon → Ports 21 (FTP), 22 (SSH), and 80 (HTTP) are open.
  2. Anonymous FTP → Download task.txt (reveals a username) and locks.txt (a password list).
  3. Brute-force → Hydra cracks the SSH password for that user using locks.txt.
  4. User access → SSH in, grab user.txt.
  5. Privilege escalation → The user can run /bin/tar as root via sudo → GTFOBins tar trick → root shell → root.txt.

1. Enumeration

Port Scan

Run a default-script and version scan.

Three open ports:

21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))

What this tells us: FTP is the most interesting line. The Nmap output (and the room) hint that anonymous login is allowed — that's an open door, so we start there. (Port 80 is just a Cowboy Bebop–themed page; nothing actionable.)


2. Anonymous FTP — Looting Credentials

Connect to FTP and log in with the username anonymous and any/empty password:

List and download everything:

Two files come back:

  • task.txt — a short to-do note that is signed by its author, giving us a valid username.
  • locks.txt — a list of likely passwords (a custom wordlist).

Why this matters: the note hands us a username, and the wordlist hands us the passwords to try. Together they make an online brute-force fast and reliable.


3. Initial Access — Brute-Forcing SSH with Hydra

We have a username (from task.txt) and a wordlist (locks.txt). The service to attack is SSH (port 22). Use Hydra:

  • -l lin — the single username from the note.
  • -P locks.txt — the password list pulled from FTP.
  • ssh — the target service/module.

Hydra finds a valid password in seconds. Log in:

Grab the user flag:


4. Privilege Escalation — Sudo Tar (GTFOBins)

Check sudo rights first

The single most useful manual privesc check:

Output shows lin can run /bin/tar as root:

(root) /bin/tar

Why this is game over

tar has a --checkpoint feature that can run an arbitrary command at a checkpoint via --checkpoint-action=exec=. If we can run tar as root, that command also runs as root — instant shell. This is documented on GTFOBins.

What this does, piece by piece:

  • -cf /dev/null /dev/null — create a throwaway archive (we don't care about the output).
  • --checkpoint=1 — trigger a checkpoint after the first record.
  • --checkpoint-action=exec=/bin/sh — at that checkpoint, execute /bin/sh… as root.

You drop straight into a root shell:

Rooted.
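
Seen from the defender's side, the `(root) /bin/tar` line above is exactly what a sudo review should flag. The following is an added example, not part of the original writeup: it parses `sudo -l` output and reports rules that run an exec-capable binary as root. The binary list, the sample output and the host name `host` are constructed for illustration, and the list is far from complete.

```python
import re
from pathlib import PurePosixPath

# Constructed sample of binaries that can run other commands by design.
# Illustrative only; GTFOBins catalogues many more.
EXEC_CAPABLE = {"tar", "find", "vim", "awk", "less", "env", "perl", "python3", "bash", "sh"}

# A rule line in `sudo -l` output: "(runas[:group]) [TAG: ...] cmd[, cmd ...]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")
TAG_RE = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, SETENV:, ...


def audit_sudo_l(output):
    """Return (runas, command, reason) for rules that are effectively root."""
    findings = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # banner and Defaults lines carry no rule
        runas = m.group("runas").split(":")[0].strip()
        if runas not in ("root", "ALL"):
            continue  # only rules that run as root are in scope here
        for cmd in m.group("cmds").split(","):
            parts = TAG_RE.sub("", cmd.strip()).split()
            if not parts:
                continue
            if parts[0] == "ALL":
                findings.append((runas, "ALL", "unrestricted"))
            elif PurePosixPath(parts[0]).name in EXEC_CAPABLE:
                # With no arguments in the rule, sudo accepts any arguments.
                reason = "arguments pinned, review" if len(parts) > 1 else "any arguments allowed"
                findings.append((runas, parts[0], reason))
    return findings


# Constructed `sudo -l` output; the first rule is the one from this room.
SAMPLE = """\
User lin may run the following commands on host:
    (root) /bin/tar
    (root) NOPASSWD: /usr/bin/systemctl restart apache2, /usr/bin/find
    (www-data) /usr/bin/vim
"""

if __name__ == "__main__":
    for finding in audit_sudo_l(SAMPLE):
        print(finding)
```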


Room Questions & Answers

Spoilers below — try it yourself first!

| Question | Answer |
| --- | --- |
| Who wrote the task list? | lin (signed at the bottom of task.txt) |
| What service can you bruteforce with the text file found? | SSH (using locks.txt as the wordlist) |
| What is the user's password? | RedDr4gonSynd1cat3 |
| user.txt | THM{CR1M3_SyNd1C4t3} |
| root.txt | THM{80UN7Y_h4cK3r} |

Key Takeaways

  • Disable anonymous FTP unless it's truly required. Here it leaked both a username and a ready-made password list.
  • Don't store credentials or hints in shared file services. task.txt and locks.txt did the attacker's homework.
  • Rate-limit SSH and require key-only authentication. A small wordlist plus a known username made the brute-force trivial; key-based auth and fail2ban would have stopped it.
  • Audit sudo -l rules. Letting a user run tar as root is effectively granting root, because tar can execute commands. Apply least privilege and avoid GTFOBins-listed binaries in sudo rules.
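
Rate limiting slows guessing but does not tell you when a guess succeeded. The following is an added example, not part of the original writeup: it scans sshd auth-log lines for a password login that was accepted after a run of failures for the same user from the same address. The log lines, addresses and the `min_failures` threshold are constructed assumptions, and no time window is applied.

```python
import re
from collections import defaultdict

# sshd auth-log lines that record the result of password authentication
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def find_guessed_logins(lines, min_failures=5):
    """Return (ip, user, failures) where a password login succeeded after at
    least `min_failures` failed attempts for that user from that address."""
    failures = defaultdict(int)
    hits = []
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        key = (m.group("ip"), m.group("user"))
        if m.group("result") == "Failed":
            failures[key] += 1
        else:
            if failures[key] >= min_failures:
                hits.append((key[0], key[1], failures[key]))
            failures[key] = 0  # a success ends the streak
    return hits


# Constructed sample: six failures for lin from one address, then a success.
# A second user mistypes once before logging in, which must not be flagged.
SAMPLE = [
    f"May 22 10:00:{s:02d} host sshd[{1200 + s}]: "
    f"Failed password for lin from 203.0.113.7 port {50000 + s} ssh2"
    for s in range(6)
] + [
    "May 22 10:00:07 host sshd[1207]: Accepted password for lin from 203.0.113.7 port 50007 ssh2",
    "May 22 10:05:01 host sshd[1300]: Failed password for alice from 198.51.100.4 port 40100 ssh2",
    "May 22 10:05:09 host sshd[1301]: Accepted password for alice from 198.51.100.4 port 40101 ssh2",
]

if __name__ == "__main__":
    for hit in find_guessed_logins(SAMPLE):
        print(hit)
```

A hit means the account's password should be treated as compromised and rotated, even if the source address was later banned.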

FAQ

What does the Bounty Hacker room teach? Core CTF fundamentals: Nmap scanning, anonymous FTP enumeration, online SSH brute-forcing with Hydra, and Linux privilege escalation via a sudo misconfiguration.

Who wrote the task list in Bounty Hacker? lin — the name signed at the bottom of task.txt, which you retrieve over anonymous FTP.

Which service do you brute-force? SSH (port 22), using the locks.txt wordlist found on the FTP server.

How does the sudo tar privilege escalation work? tar's --checkpoint-action=exec= runs a command at a checkpoint. Run via sudo, that command executes as root, giving a root shell — a technique catalogued on GTFOBins.


Tools Used

nmap · ftp · hydra · ssh · tar · GTFOBins reference


Educational walkthrough for the Bounty Hacker room on TryHackMe. Practise responsibly — only test systems you're authorised to attack.
