For this task, we had SSH access to the server guess.insomni.hack and the task was to read the flag in the /home/flag directory. We were able to get the flag without even solving the challenge 🙂

Challenge Description

Our Solution

An SSH connection was made to the server:

$ ssh -l user1 guess.insomni.hack

Of course, we were not the only ones logged in:

$ w
 18:52:09 up 1 day,  2:06,  23 users,  load average: 0.00, 0.01, 0.05
 USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
 user3    pts/4    192.168.204.102  18:51    1.00s  0.01s  0.00s w
 user2    pts/5    192.168.204.107  18:45    1.71s  0.01s  0.00s -bash
 user1    pts/7    192.168.204.96   18:30    8.00s  0.01s  0.00s -bash
 user2    pts/10   192.168.204.208  18:41    1.80s  0.01s  0.00s -bash
 user2    pts/13   192.168.204.101  18:43    7.00s  0.01s  0.00s -bash
 user1    pts/18   192.168.204.87   18:15    1.90s  0.01s  0.00s -bash
 user4    pts/8    192.168.204.93   18:12    2.19s  0.01s  0.00s -bash
 user3    pts/2    192.168.204.74   18:23    3.55s  0.01s  0.00s tmux
 user4    pts/18   192.168.204.54   18:15    1.11s  0.01s  0.00s -bash
 [CUT BY COMPASS]
 user4    pts/19   192.168.204.33   18:49    3.80s  0.01s  0.00s -bash

Wait, someone logged in as the user3 has a tmux session running:

user3    pts/2    192.168.204.74   18:23    3.55s  0.01s  0.00s tmux

Login as user3:

$ ssh -l user3 guess.insomni.hack

Attaching the tmux session:

$ tmux a

Then, it was possible to see how someone solved the challenge. After about 30 seconds, the user finished the challenge and we got the flag for free (the white dots around the green border shows that the other user has a smaller terminal size):

The flag was accepted:

This was not the official way to get the flag, but we were happy to get it :). Remember: Always think what you are doing and how you can get attacked by others!