Prerequisites for this machine:-
- Familiarity with Hydra
- Basic FTP knowledge
- Basic Linux knowledge
Enumeration
Nmap scan shows us that ssh and ftp are running.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/652568909f50f2d8767bbaa5_b-1.webp)
Getting the first flag
Connect to the machine via ftp and list the files using “dir”, we see two files which we can download by using “get”.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/652568b0b07e1f8795411fe5_b-2.webp)
Back on our attackbox, we can start examining the files. task.txt’s author is “lin”.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/652568d0c3dde991f197fd5d_b-3.webp)
Now to the juicy part, brute-forcing ssh using Hydra and the “locks.txt” file we got via ftp.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/652568eb18beed7e5ed2fe4a_b-4.webp)
Great, now we can login to the machine via ssh using the information we have.
First flag is in “user.txt”.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/6525691a2c5a6103aaea4c1b_b-5.webp)
Getting the last flag
Checking with “sudo -l”, we see that we can use tar.. interesting.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/65256933692edee5468b0bf6_b6.webp)
Time for privilege escalation!
A simple google search for “gtfobins tar privesc” gives us this command which will spawn a shell for us.
tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
And sure enough, we are root!
The last flag is in “/root/root.txt”.
![](https://assets-global.website-files.com/65253d038bc23c6041109654/6525695bfaf4654a99c43448_b7.webp)