TryHackMe Bounty Hacker Walkthrough: FTP to Root (Beginner Step-by-Step Guide)
Bounty Hacker is an Easy TryHackMe room that chains together a clean, realistic attack path: you enumerate an open FTP server, find a username and a password wordlist, brute-force SSH with Hydra, log in, and then escalate to root by abusing a sudo misconfiguration. It's a perfect beginner lab for practising FTP, Hydra, SSH, and Linux privilege escalation.
This guide explains every command and tool so you can follow along from your first scan to root.
Flags are left blank (THM{...}) on purpose — run the steps and capture them yourself. Replace <IP> with your target's IP and <YOUR_IP> with your TryHackMe VPN IP (tun0).
Tools you'll use: rustscan, nmap, an FTP client, hydra, ssh, and GTFOBins.
Task 1 — Deploy the Machine
Start the machine, connect through the TryHackMe VPN (or use the AttackBox), and note the target IP.
Task 2 — Reconnaissance
Scan fast with Rustscan, then run nmap on the open ports for detail.
Step 1 — Fast port scan with Rustscan
Everything after -- is passed to nmap, so the version/script scan runs on just the open ports.
Step 2 — Detailed scan with nmap
What you'll find: three open ports — FTP (21), SSH (22), and HTTP (80). The scan also shows that anonymous FTP login is allowed, which is our way in.
Task 3 — Enumerate FTP
Anonymous FTP means you can log in without a real account. Connect and look around:
Inside, list and download the files:
Read what you grabbed:
Two big clues here: task.txt is signed by lin (a likely username), and locks.txt is a ready-made password wordlist. That's everything we need for a targeted brute-force.
Task 4 — Brute-Force SSH with Hydra
Hydra tries each password from the wordlist against SSH until one works. We already know the username (lin) and have the wordlist (locks.txt):
- `-l lin` → single username
- `-P locks.txt` → password list to try
- `ssh://<IP>` → the service and target
Hydra quickly returns a valid password for lin.
Task 5 — Get the User Flag
Log in over SSH with the cracked credentials:
You land in lin's home directory. Grab the user flag:
Task 6 — Privilege Escalation to Root
The first thing to check after getting any shell is what your user is allowed to run as root:
This shows that lin can run /bin/tar as root. Whenever sudo -l reveals a binary like this, check GTFOBins (a catalogue of how common binaries can be abused). tar has a feature that lets it run a command at a "checkpoint" — and since we can run it as root, that command runs as root too:
This spawns a root shell. Confirm and grab the final flag:
🎉 Box rooted!
Summary: The Attack Path
| Stage | Tool / Technique | Result |
|---|---|---|
| Recon | rustscan → nmap | Found FTP (21), SSH (22), HTTP (80) |
| Enumeration | Anonymous FTP | Got username lin + password wordlist |
| Credential attack | hydra | Cracked lin's SSH password |
| Initial access | ssh | User shell + user.txt |
| Privilege escalation | sudo tar via GTFOBins | Root + root.txt |
What You Learned (and How to Defend It)
Every step here exploits a misconfiguration, which makes the defensive lessons clear:
- Disable anonymous FTP unless you genuinely need it, and never leave sensitive files (notes, wordlists, credentials) on a publicly readable share.
- Use strong, unique passwords — a short or guessable password falls instantly to a dictionary attack like Hydra's.
- Lock down sudo rules. Granting sudo on flexible binaries like tar, find, vim, or nmap effectively grants root. Audit /etc/sudoers and prefer narrowly-scoped commands.
- Check your own boxes with sudo -l and GTFOBins the same way an attacker would.
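One way to automate the audit from the last two points, as an added example that is not part of the original walkthrough: a Python check that reads `sudo -l` output and flags rules worth reviewing. The `RISKY` set holds only the four binaries this page names, and the sample output (hostname and the last two rules) is constructed.

```python
import posixpath
import re

# Binaries this page names as effectively granting root when allowed via sudo.
# Assumption: for a real audit, extend this set from the GTFOBins catalogue.
RISKY = {"tar", "find", "vim", "nmap"}

# Constructed `sudo -l` output: hostname and the last two rules are made up.
SAMPLE = """\
Matching Defaults entries for lin on examplehost:
    env_reset, mail_badpass

User lin may run the following commands on examplehost:
    (root) /bin/tar
    (root) NOPASSWD: /usr/bin/systemctl status nginx, /usr/bin/find
    (ALL : ALL) ALL
"""

RULE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s+(?P<spec>.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # leading NOPASSWD:, SETENV:, ...


def audit(sudo_l_output):
    """Return (runas, command, reason) for each rule worth reviewing."""
    findings = []
    for line in sudo_l_output.splitlines():
        match = RULE.match(line)
        if not match:
            continue  # headers and Defaults lines carry no "(runas)" prefix
        runas = match.group("runas")
        # Naive comma split: arguments containing escaped commas need more care.
        for cmd in match.group("spec").split(","):
            cmd = TAGS.sub("", cmd.strip())
            if not cmd:
                continue
            binary = cmd.split()[0]
            if binary == "ALL":
                findings.append((runas, cmd, "unrestricted sudo"))
            elif posixpath.basename(binary) in RISKY:
                findings.append((runas, cmd, "listed binary can run other commands"))
    return findings


if __name__ == "__main__":
    for runas, cmd, reason in audit(SAMPLE):
        print(f"REVIEW  as ({runas})  {cmd}  -> {reason}")
```

The narrowly scoped `systemctl status nginx` rule passes, while the bare `tar` and `find` grants and the `ALL` rule are reported.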
Handy Reference Commands
For educational use only. TryHackMe is a legal, sandboxed lab. Never use these techniques against systems you don't own or aren't explicitly authorised to test.