Try Hack Me: Bounty Hacker Room

The skills to be tested and needed to solve this room are: Linux, tar, privesc, and security.

Shout-out to @Sevuhl for creating this room. Visit and create an account for free to take advantage of this great learning platform.

I also chose to mask part of the answers so you will have to do the steps and see how things work. I don’t want to take away this learning experience from you.

There are 7 questions to complete the room:

  • Deploy the machine.
    • No answer needed
  • Find open ports on the machine.
    • No answer needed
  • Who wrote the task list?
    • l**
  • What service can you bruteforce with the text file found?
    • S**
  • What is the user’s password?
    • R****************3
  • user.txt
    • THM{C*************3}
  • root.txt
    • THM{8***********r}


  1. Deploy the machine

2. Find open ports on the machine

  • I was assigned a victim machine’s IP address of Used nmap to scan the target machine for open ports. Scanned the machine by running the command: sudo nmap -sC -sV -O -oA bounty
  • sudo – we have to run the nmap scan with root privileges because “TCP/IP fingerprinting (for OS scan) requires root privileges.”
  • -sC – to scan using the default nmap scripts
  • -sV – to pull version information of open ports found during the scan
  • -O – to find out the target’s operating system
  • -oA bounty – to save the results of the scan to a file named “bounty” and saved in three different formats (normal, XML, and grepable)
There are three open ports. Ports 21, 22, and 80.

3. Who wrote the task list?

  • The first interesting information from the nmap scan result is “anonymous” login is allowed through FTP protocol. We can do this by connecting using: ftp
  • When prompted to enter a username/name, use: anonymous
It is confirmed that an anonymous login is allowed. Password was not even required.
  • Now, let’s see what is on the FTP server while logged in as anonymous
We see two files locks.txt and task.txt
  • Download both files by using the get command. get task.txt and get locks.txt
Files downloaded to our attack machine
  • Open task.txt to obtain the answer on who wrote the task list by using cat command. cat task.txt
We see the author of task.txt

4. What service can you bruteforce with the text file found?

  • Looking at the nmap scan result we have above, the only other service that we can bruteforce is S**
  • Time to bruteforce the service. We don’t know which user to use because there was no clue found on the nmap results, but we can try and use the author of the file task.txt. The next challenge is which password list are we going to use? It is easy to just go ahead and use rockyou.txt, but if you remember we found another file on the FTP server called locks.txt. Let’s check what is inside the file before we start bruteforcing. We can look what’s inside the file by issuing cat locks.txt
This looks like a list of possible passwords

5. What is the user’s password?

  • Let’s bruteforce the service that is the answer to question 4 using the answer to question 3 as the username and the file locks.txt for the password list with the tool Hydra. hydra -l l** -P locks.txt s**
Hydra found the password that matches the username

6. user.txt

  • Login to the service referred on question 4 with the username and password we found on question 5.
We were able to authenticate successfully
  • List what files we see and open user.txt if we find it
User flag found!

7. root.txt

  • Simple checks first, let’s see if have the permission to change directory to root
We don’t have permission to get in user root’s directory
  • Now, we have to do privilege escalation. We can find out if user l** have any sudo permissions by using sudo -l.
User l** has root permission to /bin/tar
  • Now we are going to do a privilege escalation by typing: sudo tar -cf /dev/null /dev/null –checkpoint=1 –checkpoint-action=exec=/bin/sh
We are now user root!
  • Retrieve the root.txt by doing cat root.txt
root flag found!
  • We have completed this room! Hope you enjoyed it!

Published by lightkunyagami

Leave a comment

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: