TryHackMe: Bounty Hacker Walkthrough

Sakshi Aggarwal
3 min readNov 26, 2020


Another Boot to Root room. Deploy the machine.

Starting with the enumeration part using the tool nmap port scanner we got the answer to second question.

Using the flag -sC in nmap command we can perform basic vulnerability scan. We found three open ports that are 21,22 and 80.

Let go to the browser and check the web page first. But there is nothing interesting.

While performing nmap scan including vulnerability scan we found that anonymous login is allowed on ftp service. It means that we can login as name anonymous without any password.

Using command: ftp MACHINE_IP

Name: anonymous

We are logged in successfully. Now check for the files and folders available on ftp server using the command ls. There are two files named as locks.txt and task.txt

Using get command save the files to the local system and read the content of files using cat command.

Reading the task.txt file we got the answer of third question.

Reading the locks.txt file. The file contains certain strings that looks like password strings. Looking at the services available to us we can figure out what can be bruteforced with the text file.

Using the hydra tool, username that we found in task.txt file and the password list i.e. locks.txt we can bruteforce the password.

Using the command: hydra -l username -P locks.txt MACHINE_IP -t 4 service

After successful completion of attack we got the password which is the answer to fifth question.

Using the username and password connect to the service. Now we have the user access on the system . Change directory to /home/username/Desktop and here we will find the user.txt flag.

Now we need to escalate our privileges. Using command sudo -l find out if we can use sudo to escalate our privileges. We can use sudo command on /bin/tar.

Go to gtfobins and check if we can exploit /bin/tar directory.

Follow the exploit given in gtfobins to escalate the privileges. After running the command given in gtfobins we will directly get root privileges. Take the root.txt file.

Thank you!!!



Sakshi Aggarwal

Digital forensics enthusiast | Cyber security | Bug hunter | Java | Python | Analyzer