PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
We’ve got 3 ports open. We can start with FTP to see if we have anonymous access:
We can access this without a password and see there are a couple of files available. Let’s look at the task file:
1.) Protect Vicious.
2.) Plan for Red Eye pickup on the moon.

-lin
The task file gives us a username, and locks looks to be a wordlist. As per our hint, we can try to brute-force the SSH service:
We can SSH in and immediately get our user flag.
We pretty much immediately see our path to root. We have tar available to run as root via sudo (with a password):
At this point it’s just pick your favourite; let’s try something slightly less common and just read the file:
sudo tar xf "/root/root.txt" -I '/bin/sh -c "cat 1>&2"'
We get the root flag with no issues.
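From the defender's side, the sudo call above leaves a line in the auth log. The following is an added example (not part of the original writeup) that flags sudo tar invocations using options that make GNU tar start another program; the log lines, host and user names are constructed, and the classic sudo syslog line format is assumed.

```python
import re
import shlex

# GNU tar options that make tar start another program.
EXEC_OPTS = {"-I", "--use-compress-program", "--to-command", "--checkpoint-action", "--rsh-command"}

# Assumed classic sudo syslog format: "<user> : TTY=.. ; PWD=.. ; USER=<runas> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$")

def risky_tar_opts(command):
    """Return the program-executing options used in a tar command line."""
    try:
        argv = shlex.split(command)
    except ValueError:              # unbalanced quotes in the logged command
        argv = command.split()
    if not argv or argv[0].rsplit("/", 1)[-1] != "tar":
        return []
    hits = []
    for arg in argv[1:]:
        if arg.startswith("-I") and not arg.startswith("--"):
            hits.append("-I")       # covers "-I prog" and "-Iprog"
        elif arg.split("=", 1)[0] in EXEC_OPTS:
            hits.append(arg.split("=", 1)[0])
    return hits

def scan(lines):
    """Return (user, runas, options, command) for each sudo tar call worth review."""
    findings = []
    for line in lines:
        m = SUDO_RE.search(line.rstrip("\n"))
        opts = risky_tar_opts(m["cmd"]) if m else []
        if opts:
            findings.append((m["user"], m["runas"], opts, m["cmd"]))
    return findings

# Constructed sample log lines (host and user names are made up).
SAMPLE = [
    'Jan 10 10:01:12 host1 sudo:  appuser : TTY=pts/0 ; PWD=/home/appuser ; USER=root ; '
    'COMMAND=/bin/tar xf /root/root.txt -I /bin/sh -c "cat 1>&2"',
    'Jan 10 10:05:40 host1 sudo:  appuser : TTY=pts/0 ; PWD=/home/appuser ; USER=root ; '
    'COMMAND=/bin/tar czf /tmp/etc.tgz /etc',
    'Jan 10 10:07:02 host1 sudo:  backup : TTY=pts/1 ; PWD=/srv ; USER=root ; '
    'COMMAND=/usr/bin/tar --use-compress-program=pigz -cf /srv/data.tar.gz /srv/data',
]

if __name__ == "__main__":
    for user, runas, opts, cmd in scan(SAMPLE):
        print(f"{user} -> {runas}: tar with {', '.join(opts)}: {cmd}")
```

The check is option-based, so a legitimate compressor such as the pigz line is also reported for review; short options bundled into one cluster are not parsed.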