SUCSS CTF Writeup

Hacking 1

Published: 11 Feb 2026 • Difficulty: Medium

nmaphttpftpweb-enumeration

Hacking 1 is a medium-difficulty Capture The Flag (CTF) environment centered on network reconnaissance and web enumeration. This multi-stage challenge requires identifying vulnerabilities across HTTP, FTP, and MySQL services to capture a total of 9 flags.

  • Easy: Focuses on basic nmap port scanning and service identification.
  • Medium: Requires deeper analysis of service configurations.
  • Hard: Involves bypassing an Intrusion Detection System (IDS) using stealth SYN scans.

Success depends on navigating intentional red herrings designed to misdirect standard enumeration.

Easy Level (5 Flags)

$ nmap -sV -p- 10.83.2.0/24

Key Findings:

IPPortServiceVersion
10.83.2.528492UnknownUnknown
10.83.2.87329HTTPWerkzeug httpd 3.1.5 (Python 3.9.2)
10.83.2.1780HTTPWerkzeug httpd 3.1.5 (Python 3.9.2)
10.83.2.5580HTTPWerkzeug httpd 3.1.5 (Python 3.9.2)
10.83.2.6921FTPvsftpd 2.0.8 or later

Target 10.83.2.5 (Port 28492)

$ nmap -sV -sC -p 28492 10.83.2.5

PORT      STATE SERVICE VERSION
28492/tcp open  unknown
| fingerprint-strings:
|_    flag{...}
$ nc -nv 10.83.2.5 28492

Connection established; flag is printed immediately upon connection.

Target 10.83.2.8 (Port 7329)

$ nmap -sV -sC -p 7329 10.83.2.8

PORT     STATE SERVICE VERSION
7329/tcp open  http    Werkzeug httpd 3.1.5 (Python 3.9.2)
|_http-title: SecureATea Office Coffee Tracker
|_http-server-header: Werkzeug/3.1.5 Python/3.9.2
  1. Navigate to http://10.83.2.8:7329.
  2. Submit the form on the landing page to reveal the flag.

Target 10.83.2.55 (Port 80)

$ nmap -sV -sC -p 80 10.83.2.55

PORT     STATE SERVICE VERSION
80/tcp   open  http    Werkzeug httpd 3.1.5 (Python 3.9.2)
|_http-title: Defeat GRANDMASTER DAVE
|_http-server-header: Werkzeug/3.1.5 Python/3.9.2
  1. Navigate to http://10.83.2.55.
  2. The first flag is shown as plain text above the chess engine.
  3. Win the match to reveal the second flag.

Target 10.83.2.69 (Port 21)

$ nmap -sV -sC -p 21 10.83.2.69

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x    2 0        0              38 Feb 11 17:18 Important
| -rw-r--r--    1 0        0           73986 Feb 11 23:03 ilovebuckethats.jpg
|_-rw-r--r--    1 0        0            1310 Feb 11 23:03 poem.txt
$ ftp 10.83.2.69
# Username: anonymous
  1. Log in with anonymous credentials.
  2. Navigate through the file structure to the Important directory.
  3. Locate and download flag.txt.

Red Herrings

Target 10.83.2.17 (Port 80)

This service is a red herring. The command nmap -sV -sC -p 80 reveals http-title: Live Packet Logger. Upon navigating to http://10.83.2.17 the client-side JavaScript slowly overloads the VM's CPU.

Medium Level (3 Flags)

$ nmap -sV -p- 10.83.3.0/24

Key Findings:

IPPortServiceVersion
10.83.3.445050HTTPSimpleHTTPServer 0.6 (Python 3.9.2)
10.83.3.6821FTPvsftpd 2.0.8 or later
10.83.3.6832495HTTPWerkzeug httpd 3.1.5 (Python 3.9.2)
10.83.3.6832549HTTPWerkzeug httpd 3.1.5 (Python 3.9.2)
10.83.3.753306MYSQLMySQL 8.0.45-0ubuntu0.24.04.1

Target 10.83.3.44 (Port 5050)

$ nmap -sV -sC -p 5050 10.83.3.44

PORT     STATE SERVICE VERSION
5050/tcp open  http    SimpleHTTPServer 0.6 (Python 3.9.2)
|_http-title: Directory listing for /
|_http-server-header: SimpleHTTP/0.6 Python/3.9.2
  1. Navigate to http://10.83.3.44:5050.
  2. Inspect the source code of run.py
  3. Notice a socket listening on Port 49156
$ nc -u -vn 10.83.3.44 49156

Connection established; flag is printed immediately upon connection.

Target 10.83.3.68 (Port 32495)

$ nmap -sV -sC -p 32495 10.83.3.68

PORT      STATE SERVICE VERSION
32495/tcp open  http    Werkzeug httpd 3.1.5 (Python 3.9.2)
|_http-title: 404 Not Found
|_http-server-header: Werkzeug/3.1.5 Python/3.9.2
$ gobuster dir -u http://10.83.3.68:32495 -w /usr/share/wordlists/dirb/common.txt

/flag                 (Status: 200) [Size: 36]
Progress: 4613 / 4613 (100.00%)
  1. Use gobuster to enumerate hidden directories.
  2. Navigate to http://10.83.3.68:32495/flag.
  3. Flag is shown as plain text.

Target 10.83.3.75 (Port 3306)

$ nmap -sV -sC -p 3306 10.83.3.75

PORT     STATE SERVICE VERSION
3306/tcp open  mysql   MySQL 8.0.45-0ubuntu0.24.04.1
$ mysql -h 10.83.3.75 -u root --skip-ssl
  1. Log in with root credentials.
  2. Navigate to locate important_data database.
  3. Select the correct flag from the flags table.

Red Herrings

Target 10.83.3.68 (Port 21)

This service is a red herring. The command nmap -sV -sC -p reveals ftp-anon: Anonymous FTP login allowed. Upon anonymous FTP log in, the only file (flag.txt) contains a jokingly redacted flag.

Target 10.83.3.68 (Port 32549)

This service is a red herring. The command nmap -sV -sC -p reveals http-title: Site doesn't have a title. Upon navigating to http://10.83.3.68:32549, there is no source code, directories, or console errors.

Hard Level (1 Flag)

$ nmap 10.83.4.0/24

Key Findings:

IPPortServiceVersion
10.83.4.3732784UnknownUnknown

Target 10.83.4.37 (Port 32784)

$ nmap -sV -sC -p 32784 10.83.4.37

PORT      STATE SERVICE VERSION
32784/tcp open  unknown
|     Hello! You have tripped our IDS. Please wait 30 seconds and try again.
|     Remember the highest (open) port number contains the flag, all the others are decoys
|_    Dave
  1. The initial scan triggers the Intrusion Detection System (IDS) but reveals a hint about how to find the real flag.
  2. Wait 30 seconds for the IDS block to lift, then execute a stealth SYN scan (-sS) on the uppermost port ranges to bypass detection and find the highest open port.
$ sudo nmap -sS -p 63000-65535 10.83.4.37

PORT      STATE SERVICE
65300/tcp open  unknown
$ nc -nv 10.83.4.37 65300

Connection established; flag is printed immediately upon connection.