HackTheBox — BountyHunter

Nmap Scan

Starting Nmap 7.80 ( https://nmap.org ) at 2021-07-29 07:28 EET
Nmap scan report for
Host is up (0.16s latency).
Not shown: 998 closed ports
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Bounty Hunters
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

HTTP Enumeration

Initial Foothold

Getting root

  • The file name must end with .md.
  • The first line in the file starts with # Skytrain Inc.
  • The second line starts with ** ## Ticket to **.
  • The third line starts with Ticket Code:.
  • The last line starts with ** followed by a number % 7 = 4 followed by a + ( The number can be 7+4 or 14+4 or 21+4 or ….) so 11 will be fine. After satisfying all the condition we reach the eval function where it will evaluate this line.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


I am a Penetration Testing Enthusiast with computer science background, also interested in CTFs and python scripting.