Bounty Hacker – a writeup

This one is quite fun since it involves multiple services and also some local privilege escalation.

You can find it here at

Let's start with a port scan as usual:

sudo nmap -A


Let's look at the FTP server first and see if we can log in as user anonymous.



That went well. Let's get the two files and look into them.

get locks.txt
get tasks.txt

The files sound promising – so let's look inside:

task.txt is just a note at first sight – but it reveals a username:


locks.txt looks like a collection of passwords.

We know from the portscan earlier that an ssh server is running on our target.

So we will try hydra to ssh into our target using “lin” as the user and the passwords in locks.txt

hydra -l lin -P locks.txt ssh://

Cool! That seemed to work. So the service we could bruteforce is


We found the password


to be lin’s ssh password on our target.

Let’s ssh in and look around.

ssh -l lin

This brought us straight to lin’s desktop.

And there we found our first flag. So the user flag is


We expect the root flag to be in /root. But when we try this directory as user lin we get the “permission denied” as expected.

So let’s see if we can use sudo to get a step further.

sudo -l

So we can use tar as the user root. Let’s see what we can achieve with that.

One URL that is very useful is


Here we can look for a clever way to use tar in our favour.

So: what does that all mean?

It's pretty clever: we “create” a tar archive by reading from /dev/null and also writing to /dev/null – which basically means nothing will be written to disk.

If tar reaches a checkpoint (meaning a certain number of blocks have been written to /dev/null), it executes the command given in --checkpoint-action, here /bin/sh.

Since we can execute tar as root, tar in turn executes the command as root and we should get a root shell. Let's try:

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

This is exactly how we wanted it. We are root now. So let’s look into root’s home directory and see if our last flag is there:

cd /root
ls -la


So there it is: our last flag in the root.txt
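
Seen from the defender's side, the weak spot above is a sudo rule that hands out tar without pinning its arguments. The following is an added example, not part of the original writeup: it scans sudo -l output for rules that grant a program able to launch other commands with unrestricted or wildcard arguments. The sample output, the RISKY list and the function names are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the original writeup): flag sudo rules that hand out
# binaries able to start other programs, such as tar via --checkpoint-action.
# RISKY is an illustrative, incomplete list chosen for this example.
RISKY="tar find vi vim less more awk env perl python python3 man"

# Constructed sample of `sudo -l` output; user, host and rules are made up.
sample_sudo_l() {
cat <<'EOF'
Matching Defaults entries for lin on host:
    env_reset, mail_badpass

User lin may run the following commands on host:
    (root) /bin/tar
    (root) NOPASSWD: /usr/bin/less /var/log/*, /usr/bin/find /srv -name report.txt
    (backup) /bin/tar -czf /srv/backup/home.tgz /home
EOF
}

# Reads `sudo -l` output on stdin, prints "<runas> <path>: <reason>" per finding.
flag_risky_sudo() {
    awk -v risky="$RISKY" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    /^[ \t]*\(/ {                                  # rule lines start with "(runas)"
        line = $0; sub(/^[ \t]*/, "", line)
        runas = line; sub(/\).*/, ")", runas)
        sub(/^\([^)]*\)[ \t]*/, "", line)
        # Drop tags such as NOPASSWD: or SETENV: in front of the command list.
        while (match(line, /^[A-Z_]+:[ \t]*/)) line = substr(line, RLENGTH + 1)
        m = split(line, cmds, ",")
        for (j = 1; j <= m; j++) {
            c = cmds[j]; gsub(/^[ \t]+|[ \t\r]+$/, "", c)
            k = split(c, w, /[ \t]+/)
            base = w[1]; sub(/.*\//, "", base)
            if (!(base in bad)) continue
            # A rule without an argument list accepts any arguments at all.
            if (k == 1)           why = "any arguments allowed"
            else if (c ~ /[*?]/)  why = "wildcard arguments"
            else continue         # arguments are pinned by the rule
            printf "%s %s: %s\n", runas, w[1], why
        }
    }'
}

# On a real host: sudo -l | flag_risky_sudo
sample_sudo_l | flag_risky_sudo
```

A finding like the first one is closed by pinning the exact tar arguments in the sudoers rule or by pointing the rule at a root-owned wrapper script instead of bare /bin/tar.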

