This one is quite fun since it involves multiple services and also some local privilege escalation.
You can find it here at tryhackme.com
Let's start with a port scan as usual:
sudo nmap -A 10.10.127.129
Let's look at the FTP server first and see if we can log in as user anonymous.
That went well. Let's get the two files and look into them.
The files sound promising – so let's look inside:
task.txt is just a note at first sight – but it reveals a username:
locks.txt looks like a collection of passwords.
We know from the port scan earlier that an SSH server is running on our target.
So we will try hydra to ssh into our target using “lin” as the user and the passwords in locks.txt:
hydra -l lin -P locks.txt ssh://10.10.127.129
Cool! That seemed to work. So the service we could bruteforce is
We found the password
to be lin’s ssh password on our target.
Let’s ssh in and look around.
ssh -l lin 10.10.127.129
This brought us straight to lin’s desktop.
And there we found our first flag. So the user flag is
We expect the root flag to be in /root. But when we try this directory as user lin we get the “permission denied” as expected.
So let’s see if we can use sudo to get a step further.
So we can run tar as the user root. Let’s see what we can achieve with that.
One URL that is very useful is
Here we can look for a clever way to use tar in our favour.
So: what does that all mean?
It's pretty clever: we “create” a tar archive by reading from /dev/null and also writing to /dev/null – which basically means nothing will be written to disk.
If tar reaches a checkpoint (meaning a certain number of blocks has been written to /dev/null) it executes the command /bin/bash.
Since we can execute tar as root, tar in turn executes the command as root and we should get a root shell. Let's try:
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
This is exactly how we wanted it. We are root now. So let’s look into root’s home directory and see if our last flag is there.
So there it is: our last flag in the root.txt
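From the defender's side, the sudo-to-tar escalation above leaves a trace in sudo's own log. The following is an added example, not part of the original write-up: it scans sudo syslog lines for tar invocations that use an option capable of starting another program. The sample log lines, host name and function names are constructed for illustration.

```python
import re
import shlex

# GNU tar long options that make tar start another program
# (the short forms -I and -F are not covered here).
EXEC_OPTIONS = ("--checkpoint-action", "--to-command", "--use-compress-program",
                "--rsh-command", "--info-script", "--new-volume-script")

# Default sudo syslog layout: "sudo: USER : TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
SUDO_LINE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$")

def exec_options_used(command):
    """Return the exec-capable long options in a tar command line, if any."""
    try:
        argv = shlex.split(command)
    except ValueError:              # unbalanced quotes in the logged command
        argv = command.split()
    if not argv or argv[0].rsplit("/", 1)[-1] != "tar":
        return []
    hits = []
    for arg in argv[1:]:
        name = arg.split("=", 1)[0]
        if name == "--":            # end of options, the rest are file names
            break
        if not name.startswith("--") or name == "--checkpoint":
            continue                # --checkpoint alone only sets the interval
        # GNU tar accepts unique abbreviations of long options: match by prefix.
        hits += [opt for opt in EXEC_OPTIONS if opt.startswith(name)]
    return hits

def scan(lines):
    """Yield (user, runas, options) for each sudo-run tar that can exec."""
    for line in lines:
        m = SUDO_LINE.search(line)
        opts = exec_options_used(m["cmd"]) if m else []
        if opts:
            yield m["user"], m["runas"], opts

# Constructed sample log lines (host name and timestamps are made up).
SAMPLE = [
    "Jan 10 09:14:02 box sudo:      lin : TTY=pts/0 ; PWD=/home/lin ; USER=root ; "
    "COMMAND=/bin/tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh",
    "Jan 10 09:20:41 box sudo:      lin : TTY=pts/0 ; PWD=/home/lin ; USER=root ; "
    "COMMAND=/bin/tar -czf /tmp/backup.tgz /home/lin --checkpoint=100",
]

if __name__ == "__main__":
    for user, runas, opts in scan(SAMPLE):
        print(f"{user} ran tar as {runas} with {', '.join(opts)}")
```

The root cause is the sudoers rule itself: letting a user run tar as root with arbitrary arguments is equivalent to granting a root shell, so the rule should be removed or replaced by a wrapper script with fixed arguments.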