Prerequisites for this machine:
- Familiarity with Hydra
- Basic FTP knowledge
- Basic Linux knowledge
Enumeration
The Nmap scan shows us that SSH and FTP are running.
Getting the first flag
Connect to the machine via FTP and list the files using “dir”. We see two files, which we can download using “get”.
Back on our attackbox, we can start examining the files. task.txt’s author is “lin”.
Now to the juicy part: brute-forcing SSH using Hydra and the “locks.txt” file we got via FTP.
Great, now we can log in to the machine via SSH using the information we have.
First flag is in “user.txt”.
Getting the last flag
Checking with “sudo -l”, we see that we are allowed to run tar via sudo... interesting.
Time for privilege escalation!
A simple Google search for “gtfobins tar privesc” gives us this command, which will spawn a shell for us.
tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
And sure enough, we are root!
The last flag is in “/root/root.txt”.
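
The defensive counterpart to the “sudo -l” finding above, as an added example that is not part of the original write-up: a small audit that reads “sudo -l” output and flags grants on programs that can launch other commands, which is exactly what made the tar entry dangerous. The sample output, the host name, the tar path and the RISKY list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the write-up): audit `sudo -l` output for grants on
# programs that can launch other commands, as tar can via a checkpoint action.

# Illustrative subset of such programs (an assumption; GTFOBins lists many more).
# "ALL" catches unrestricted grants.
RISKY="ALL tar vi vim find less more awk man perl python3 env bash sh"

# Constructed sample of `sudo -l` output; host name and tar path are placeholders.
SAMPLE='Matching Defaults entries for lin on examplehost:
    env_reset, mail_badpass

User lin may run the following commands on examplehost:
    (root) /bin/tar'

# audit_sudo_l: read `sudo -l` output on stdin and print "RISK <command>" for
# each granted command whose basename appears in RISKY.
audit_sudo_l() {
    sed -n 's/^[[:space:]]*([^)]*)[[:space:]]*//p' |  # grant lines only, minus "(runas)"
    sed 's/[A-Z_]\{1,\}:[[:space:]]*//g' |            # drop tags such as NOPASSWD:
    tr ',' '\n' |                                     # one command per line
    while read -r cmd rest; do
        [ -n "$cmd" ] || continue
        base=${cmd##*/}                               # /bin/tar -> tar
        case " $RISKY " in
            *" $base "*) echo "RISK $cmd" ;;
        esac
    done
}

# Stand-alone run over the sample; on a real host: sudo -l -U lin | audit_sudo_l
printf '%s\n' "$SAMPLE" | audit_sudo_l
```

Any “RISK” line is a sudoers entry to remove or replace with a narrowly scoped wrapper, since a program that can execute other commands hands over the full privileges of the run-as user.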