CIF Challenge

Bounty Hacker Tryhackme CIF Challenge

Bounty Hacker – Hello guys and welcome back, Ayush to this side, today we will talk about one of the tryhackme rooms “Bounty Hacker”, it’s quite an easy room where you will learn about FTP, hydra tool, and how you can do permission

escalation using tar command. So, without wasting any time, let’s get into it. Bounty Hacker



Step_1Find open ports on the machine

First, we need to find the open ports on our target computer, but if you are a beginner, you will literally think what is a port or port number, for them, here is a small explanation of the port number.

Port: Ports are nothing but unique numbers that are assigned to the many services running on your system to identify them on the network. For example, your firefox browser is running on port something 5543. Bounty Hacker

Now let’s come to the question, find open ports, so for that, we will use the Nmap tool which is used for port scanning, it helps us to find open ports, so let’s see what are the open ports on our target.

nmap -sV -sC -v

But here -sV is enough to find open ports and services needed for escalation, so let’s do it

Here you can see that there are 21,22,80 ports open so why not FTP to the target computer because anonymous login is enabled which means anyone can FTP to the server so let’s do it.



Step_2 – Login FTP & View File

FTP is a file transfer protocol that runs on port 21 and is used to transfer computer files between a client and a server on a network over port 21.


User: anonymous

Here you can see that we have access to the FTP server, let’s see what the files are, just type the ls command.


You can have two files here, just type get filename to get this file on your system.

get locks.txt
get task.txt


Type exit and let’s read both files to get the answer of who wrote the task list.



cat locks.txt
cat task.txt

Here you can see that we have the writer’s name as lin


Q2 Who wrote the task list? (User: lin)

  • lin



Step_4SSH Bruteforce

To do this, we brute force the user’s password using a lock.txt word list and the hydra tool.

hydra -l lin -P locks.txt -t 4 ssh

Now we have the password, now it’s time to ssh to the target.


Q3 What service can you brute force with a found text file?

  • SSH

Q4 What is the users password?

  • RedDr4gon******at3


Step_5 – Login SSH

Now we have the password, now it’s time to ssh to the target.

ssh [email protected]

After SSH server login type ls

cat user.txt

Now we have the user.txt flag and now we need to find the root.txt, first, we checked what permissions we have, and what actions we can perform as root.


Q5 user.txt

  • THM{CR1M3_S******T3}



Step_6 – sudo login

For this just enter sudo -l

sudo -l

Here you can see that we have tar command privileges as root. After that I searched how we can exploit using the tar command, then I got it from gtfobins.github.oi

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

And Type SSH Password. Now I entered whoami then bang got root access.


Fine root.txt

locate root.txt


cat /root/root.txt

Q5 root.txt

  • THM{80UN7******3r}


Congratulations, we finally solved the lab and thanks so much for your time, if you enjoyed this write-up and feel like this is it; pful please share it with your friends and clap!!!


Disclaimer :

This was written for educational purposes only. The author is not responsible for any damages..! The author of this tool is not responsible for any misuse of the information. You will not misuse the information to gain unauthorized access. Doing any hacks without written permission is illegal ..!

All videos and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security, and cyber security should be familiar to everyone who uses digital information and computers. The tutorials and videos Hacker guides are against the misuse of information and we strongly recommend against it.

All tutorials contain any illegal activity. We want to raise security awareness and inform our readers on how to avoid becoming a victim of hackers. If you intend to use the information for illegal purposes, please leave this website. We cannot be held responsible for any misuse of the information.

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button