System

Apr 08, 2026

Summary

This SSH challenge initially looked like a restricted-shell escape and local privilege-escalation task. The solved path followed the temporary-storage hint and found a readable marker file containing the flag.

Evidence

  • SSH access as maint-user with the provided challenge password worked.
  • The environment referenced automated session logs or temporary storage.
  • /var/tmp/.entry_complete existed, was readable by maint-user, and contained a CTF flag-pattern token.

Steps

  1. Connect to the target and enumerate the shell context and home directory.

     sshpass -p '<CHALLENGE_PASSWORD>' ssh -o StrictHostKeyChecking=no \
       -p 1337 maint-user@<TARGET_IP> \
       'id; whoami; pwd; ls -la; echo "$0"; echo "$-"'

  2. After the direct local-privesc artifacts were no longer present, enumerate temporary runtime storage.

     sshpass -p '<CHALLENGE_PASSWORD>' ssh -o StrictHostKeyChecking=no \
       -p 1337 maint-user@<TARGET_IP> \
       'find /tmp /var/tmp /run -maxdepth 4 -type f 2>/dev/null'

  3. Inspect the suspicious marker file.

     sshpass -p '<CHALLENGE_PASSWORD>' ssh -o StrictHostKeyChecking=no \
       -p 1337 maint-user@<TARGET_IP> \
       'ls -l /var/tmp/.entry_complete; cat /var/tmp/.entry_complete'

Flag

Recovered, but redacted in the local notes.

Notes

The completed objective did not require a full restricted-shell escape. The readable /var/tmp/.entry_complete marker was enough to complete the challenge objective documented in the notes.
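
The condition that solved this challenge (a hidden, world-readable file in shared temporary storage holding a secret) is one an administrator can audit for on their own hosts. The script below is an added example, not part of the original notes; the function name audit_tmp and the TOKEN_RE pattern are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: report regular files in temp directories that any local
# user can read, and flag hidden files and secret-looking content.
# Assumption: tokens look like NAME{...}; adjust TOKEN_RE for real secrets.
TOKEN_RE='[A-Za-z0-9_]+\{[^}]+\}'

# audit_tmp DIR...
# Prints one line per world-readable regular file:
#   <mode> <owner> <hidden|visible> <token|no-token> <path>
# Limitation: paths containing newlines are not handled.
audit_tmp() {
    # -perm -004 selects files whose "other" read bit is set; the depth
    # limit matches the enumeration used in the steps above.
    find "$@" -maxdepth 4 -type f -perm -004 2>/dev/null |
    while IFS= read -r f; do
        # Mode string and owner as reported by ls (portable across ls variants).
        meta=$(ls -ld "$f" 2>/dev/null | awk '{print $1, $3}')
        [ -n "$meta" ] || continue
        # Dotfiles are easy to miss in a plain "ls" and deserve a closer look.
        case "$(basename "$f")" in
            .*) vis=hidden ;;
            *)  vis=visible ;;
        esac
        # -a treats binary files as text so embedded tokens are still matched.
        if grep -Eqa "$TOKEN_RE" "$f" 2>/dev/null; then
            tok=token
        else
            tok=no-token
        fi
        printf '%s %s %s %s\n' "$meta" "$vis" "$tok" "$f"
    done
}

# When run with arguments, audit those directories, for example:
#   sh audit_tmp.sh /tmp /var/tmp /run
if [ "$#" -gt 0 ]; then
    audit_tmp "$@"
fi
```

Lines reported as "hidden token" are the ones to fix first: tighten the mode to 600 or move the file out of shared temporary storage.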