Reports
Capture the Flag Exercise Report
As part of my education at Masterschool’s Cybersecurity program, I participated in a Capture the Flag (CTF) exercise that challenged me to interact with a Linux environment, complete various security-related tasks, and uncover multiple hidden flags. The exercise required problem-solving, creative thinking, and technical expertise in areas like privilege escalation, file analysis, and hash cracking.
I was excited to be the first student to fully solve this challenge and found an interesting approach to several of the problems. This report details the steps I took, the commands I used, and the thought process behind my solutions. It highlights my ability to navigate Linux systems, analyze security configurations, and apply tools like SSH, SCP, John the Ripper, and regex-based search techniques.
The following sections outline my methodology and findings in this CTF challenge.
CONNECT WITH SSH
EXERCISE
- Connect to Vm
EXPLANATION
- SSH into our vm machine using the attackbox.
- Password for user ctf was ctf
- Here you find the first Other flag.
COMMAND USED
sshMAKE NEW USER
Exercise
- create new user, make a directory, and make a file with Hello World
Explanation
This was fairly easy. User ctf has sudo privileges for adduser.
Commands used
- Adduser
- mkdir
- nano file.txt
EXIT SSH
EXERCISE
- Exit ssh to go back to root access on our Attackbox.
EXPLANATION
- User ctf has limited sudo access. I spent some time trying to see if I could somehow escalate my privilege without any luck. After running sudo -l and realised there was not much to be done.
- I exited the ssh and went back to root access on our Attackbox.
COMMAND USED
sudo -l
exitTXT FLAGS ON /HOME/CTF
EXERCISE
- Find flags inside txt files.
- I went to the home folder for the user ctf trying to see if anything looked odd. I checked the home folder for files and found the f_l_a_g.txt file
f_l_a_g.txt
- This was easy as i just had to use a cat command to read the file
.f.txt
- This was easy as I just had to use a cat command to read the file.
FIND COMMAND
Then I realised I could just easily look for all text files wherever I had sudo permissions. So I ran a find command inside home/ctf for txt files. I sent the output to a txt file to be able to read it all.
These were the files that looked interesting
- hash1.txt
- hash2.txt
- hash3.txt
- hash4.txt
- hash5.txt
- Wordlist.txt
- Story.txt
- F_l_a_g.txt
- .f.txt
COMMANDS USED
find ~ -type f -name “*.txt” > resultsHASH FILES
- I skipped steps here as I decided to work on the files I had found before moving to anything else. The hash files were the ones that made me wonder again if I needed root access on the ctf box. That’s when after some time of thinking i realised i could use scp to copy the files from CTF BOX to KALI Attackbox. In there I could have root access and be able to write more extensive file commands as well as be able to crack the hashes using john the ripper. Again this was due to the fact that ctf user privileges were limited.
- I opened a second terminal window and I created a folder on the KALI ATTACKBOX to store all the folders and files downloaded from the ctf box and I called it CTFDOWNLOAD.
- I used the command scp to download all the contents from the home folder from CTF BOX to KALI ATTACK box.
- After this i downloaded hash-id to be able to identify the hashes. I used john the ripper format option to find the hash types and then i used john the ripper to crack the hash to get the flag for each hash.txt file.
- There were 5 in total but i only took screenshot of the last 4.
COMMANDS USED
sudo scp -r ctf@10.10.212.200: /home/ctf /root/CTFDOWNLOAD/homectf
cat hash2.txtpython3 hash-id.pyPaste hash, identify hash
john --list=formatsjohn --format= --wordlist=/root/hash_to_crack/wordlist.txt [path to file]hash2.txt
hash3.txt
hash4.txt
hash5.txt
HTML FLAGS ON VAR/WWW/HTML
EXERCISE
Many of the flags were hidden either in the code of the html, some in the header, some in the body, etc.
- I used nano to open the files and read through looking for the flags. This is where I slowly started to realise I could also use grep inside my find commands to look for the flags inside the files.
- I started to think more about the structure of how linux works and where files could be. I checked apache configuration files to see what directories are being used to store websites. Here I found apache2.conf on /etc/apache2 and realised that many html files were in /var/www/html. I used scp to copy this folder from CTF BOX to KALI ATTACK BOX on /root/CTFDOWNLOAD/var.
Here i used a find command to search for html files and found
In /var/www/html
- Hide.html
- Index.html
- Index2.html
Hide.html flag
cat hide.html
Index2.html flag
cat index2.html 
Index.html flag
I actually found this flag by just normally reading the contents of the html file. But this is a segue to later on show you how I solved many of the remaining flags. As you can see the find command has been refined to also include grep.
COMMANDS USED:
catfind /root/CTFDOWNLOAD -type f -name "*.html" -exec grep -i -H "flag" {} \; > /root/results2.txtTEXT FLAGS ON VAR/WWW/HTML
And I also found
- Robots.txt
- Secret.txt
robots.txt
secret.txt
And in /var/www/html/flag
- flag.txt
- Flag2.txt
flag.txt
flag2.txt
flag2 was encoded using base64. I used cyberchef to check it but I had doubts due to previous experience.
COMMANDS USED
echo "e0ZsNGcyX2ZsNGcyX2ZsNGcyfQ==" | base64 --decode
catFIND/GREP COMMAND PATTERNS
Here is where I realised I was probably losing time trying to search file for file. So I thought a bit harder about where other files could be related to websites. Here I checked the guidelines and it mentioned that some flags could be hidden in services or somewhere deep in the system. This is when I also copied the directories /srv/ and /etc/ from CTF BOX to KALI ATTACK BOX..
Then I realised most of the flags contained the word Flag/flag or Fl4g/fl4g. So I thought about searching all txt and html files for this string. Here i read more on REGEX and how to use them together with Find and Grep. In this way i was able to look for This was my result. Here you can see many of the flags that were in clear text html of txt files.
Here we can see flags found in
story.txt
hide.html
find_flag.txt
Index.html
Index2.html
Later on I also refined this command so it would also include the path and filename where each flag was found. This helped me to realise there were some files on /srv/ftp I read up on REGEX as a solution to look for patterns using Find and
COMMANDS USED
scpfind /root/CTFDOWNLOAD -type f \( -name "*.txt" -o -name "*.html" \) -exec grep -E "\{.*[Ff]l4g.*\}" {} \;OTHER FLAG IN /SRV/FTP
Here i found for flag.txt
flag.txt
I cannot find a screenshot, but the file had inside the second Other flag which was
FILES.ZIP
Here i finally found files.zip in /srv/ftp
PASSWORD FOR FILES/ZIP
This took a very long time as I realised this zip file was a PKZIP file and the file contained more than one file. This means it’s impossible to really know if each file has a different password or if they share the same one. After reading for a long time, trying to convert the zip file to a hash and trying to identify it with no success, I got completely stuck.
Then I truly had no idea what else to do, I checked the hint as I did before and I noticed it said we used it many times. I tried password, 123 and more until I finally screenshotted the question so I would be able to count the asterisks. There i finally realised it was 12 characters and that Masterschool has 12 letters.
With joy I opened the zip file and found
wordlist.txt
secret.zip file.
This was easier as I could just use zip2john and the wordlist provided.to crack secret.zip. Once i had the password for secret.zip i could open john_flag.txt to get the john flag.
LAST FLAG
EXERCISE
I was only missing one clear text flag I could not find for the Web Page flags. I knew I could somehow find a pattern and search it with grep and find.
Since I had root access on KALI ATTACKBOX, having found all the files that contained the flags,and having completed all the hash flags required by the exercise, I realised it was just really a matter of searching a pattern through clear text files. I had been searching in the wrong way as all my searches included either Flag/flag or Fl4g/fl4g. Then i realized a few of the flags actually did not have the word flag at all, but i realized all of them included underscores and curly brackets. That’s when i realized i could use this to search properly for any sort of flags in all html files.
COMMANDS USED
grep -r --include="*.html" -E "\{[a-zA-Z_]+\}" /root/CTFDOWNLOAD > /root/curly_bracket_search_results.txt
NOTE
After making sure i had all the files copied to my KALI ATTACKBOX and all hash files were cracked, i could have easily find all files using the same kind of grep command for both html and txt files. I could have simply send all output to a file including the path and filename of where each flag was found.
TABLE WITH ALL FLAGS
| FLAG | FILE | FLAG | DIRECTORY | METHOD |
| System Flag | {F1nd_Fl4g_Fun} | find_flag.txt | var | find |
| System Flag | {St0ry_Fl4g | story.txt | home/ctf | cat/find |
| System Flag | (Y0u_G0T_1t} | f_l_a_g.txt | home/ctf | cat/find |
| System Flag | {H1d3_1n_pl41n_s1gh7} | .f.txt | /home/ctf | cat/find |
| Webpage Flag | {STUDENT_CTF_Web} | /var/www/html | find/grep/regex | |
| Webpage Flag | {Another_Web_Flag} | index.html | /var/www/html | cat/find |
| Webpage Flag | {Robots_Flag} | robots.txt | /var/www/html | cat/find |
| Webpage Flag | {H1d3_Fl4g} | hide.html | /var/www/html | cat/find |
| Webpage Flag | {S3cr3t_Fl4g} | secrets.txt | /var/www/html | cat/find |
| Webpage Flag | {C0nf1gur4t10n_Fl4g} | index.html | /var/www/html | cat/find |
| Webpage Flag | {Fl4g_fl4g_fl4g} | flag.txt | var/www/html/flag | cat/find |
| Webpage Flag | {Fl4g2_fl4g2_fl4g2} | flag2.txt | var/www/html/flag | Base64 encoding |
| hash1.txt | C0d3_0b5cur3r_Flag | hash1.txt | home/ctf/hash_to_crack | md5 |
| hash2.txt | C0d3_5l4y3r_Flag | hash2.txt | home/ctf/hash_to_crack | sha1 |
| hash3.txt | H4ck3r_Flag | hash3.txt | home/ctf/hash_to_crack | sha512 |
| hash4.txt | L0ck_Flag | hash4.txt | home/ctf/hash_to_crack | sha256 |
| hash5.txt | S3cur1ty_Flag | hash5.txt | home/ctf/hash_to_crack | md5 |
| Other Flag | {h4ck3r5_r_us} | SSH LOGIN PAGE | ssh | ssh |
| Other Flag | {ftp_server_4_lyfe} | flag.txt | /srv/ftp | cat |
| files.zip password | Masterschool | files.zip | /srv/ftp | Lucky guess |
| John flag | {LetMe1n123!@#} | Password for secret.zip inside files.zip | /srv/ftp | CTF_TIME password for zip |