Description
Can you abuse the banner? The server has been leaking crucial information on tethys.picoctf.net <PORT1_FROM_INSTANCE>. Use the leak to reach the real service on tethys.picoctf.net <PORT2_FROM_INSTANCE>, then abuse the machine and grab the flag from /root.
Setup
Connect to tethys.picoctf.net <PORT1_FROM_INSTANCE> to capture the leaked SSH banner.
Use tethys.picoctf.net <PORT2_FROM_INSTANCE> (the real service) for authentication and exploitation.
nc tethys.picoctf.net <PORT1_FROM_INSTANCE>
nc tethys.picoctf.net <PORT2_FROM_INSTANCE>
Solution
- Step 1: Harvest the password
The leak on port <PORT1_FROM_INSTANCE> prints its SSH banner, exposing the password (e.g., My_Passw@rd_@1234). Save it for the next step.
nc tethys.picoctf.net <PORT1_FROM_INSTANCE>
Learn more
A service banner is the initial text a server sends when a client connects - before any authentication occurs. SSH, FTP, SMTP, and many other protocols transmit banners that typically include the software name and version. This information helps clients negotiate compatible protocols, but it also helps attackers fingerprint services and identify exploitable versions.
Banner grabbing is one of the first steps in network reconnaissance. Tools like netcat, nmap (with -sV), and Shodan collect banners to build a picture of exposed services. The key insight in this challenge is that someone configured the banner to include a credential - a serious misconfiguration that mirrors real-world cases where developers accidentally hardcode secrets in configuration files that end up in banners or error messages.
In penetration testing, information leakage through banners is a common finding. Beyond passwords, banners can reveal internal hostnames, software versions with known CVEs, and even environment variables. Security hardening guides recommend minimizing banner verbosity - for example, configuring SSH to show only "SSH-2.0" rather than the full OpenSSH version string.
The OWASP Top 10 lists Security Misconfiguration as a critical vulnerability class. Credentials in banners are an extreme but not unheard-of example - similar to finding database credentials in HTML comments, error messages that expose stack traces, or directory listings that reveal sensitive files.
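As an added example (not part of the challenge page or of picoCTF's own material), the following Python script audits SSH identification strings the way a hardening review would: it parses the RFC 4253 format "SSH-protoversion-softwareversion SP comments", and flags banners whose optional comments field carries fingerprinting data or credential-looking material. The sample banners are constructed (the password string is the page's own example value); the credential keyword list and the "characters that never appear in a version string" rule are my own heuristics, not anything the page specifies.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# The comments field is optional and is where most extra information leaks.
_ID_RE = re.compile(r"^SSH-(?P<proto>\d\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# Assumed heuristics (not from the page): credential keywords, and characters
# that never occur in a version string (e.g. '@', ':', '!', '$').
_CRED_KW_RE = re.compile(r"(?i)\b(pass(?:word|wd)?|pwd|secret|token|api[_-]?key|credential)\b")
_ODD_CHAR_RE = re.compile(r"[^A-Za-z0-9._+-]")


@dataclass
class Finding:
    severity: str   # "info", "low", "medium" or "high"
    detail: str


def parse_ssh_banner(line: str) -> Optional[Dict[str, str]]:
    """Split an identification string into its three fields, or None if it is not one."""
    m = _ID_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return {
        "proto": m.group("proto"),
        "software": m.group("software"),
        "comments": m.group("comments") or "",
    }


def audit_banner(line: str) -> List[Finding]:
    """Return the findings a hardening review would raise for one banner line."""
    parsed = parse_ssh_banner(line)
    if parsed is None:
        return [Finding("info", "not an SSH identification string")]
    findings: List[Finding] = []
    if not parsed["proto"].startswith("2."):
        findings.append(Finding("medium", f"legacy protocol version {parsed['proto']}"))
    comments = parsed["comments"]
    if not comments:
        return findings            # minimal banner: nothing beyond what the protocol needs
    odd_tokens = [t for t in comments.split() if _ODD_CHAR_RE.search(t)]
    if _CRED_KW_RE.search(comments) or odd_tokens:
        findings.append(Finding("high", f"possible credential in comments field: {comments!r}"))
    else:
        findings.append(Finding("low", f"comments field leaks fingerprinting data: {comments!r}"))
    return findings


def audit_banners(lines: List[str]) -> Dict[str, List[Finding]]:
    """Audit a batch of captured banner lines, keyed by the line itself."""
    return {line: audit_banner(line) for line in lines}


# Constructed sample banners; the password value is the page's own example.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.6",
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
    "SSH-1.99-Cisco-1.25",
    "SSH-2.0-OpenSSH_7.4 password: My_Passw@rd_@1234",
    "220 mail.example.test ESMTP ready",
]

if __name__ == "__main__":
    for banner, findings in audit_banners(SAMPLE_BANNERS).items():
        print(banner)
        for f in findings or [Finding("ok", "minimal banner")]:
            print(f"  [{f.severity}] {f.detail}")
```

Feeding it the lines captured with nc from your own hosts gives a quick inventory of which services expose more than the bare protocol string; the "high" bucket is the one that should page someone.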
- Step 2: Authenticate on the main service
Connect to <PORT2_FROM_INSTANCE>, enter the leaked password, and answer the security trivia (DEFCON / John Draper). You'll drop into /home/player with limited rights.
nc tethys.picoctf.net <PORT2_FROM_INSTANCE>
Learn more
Security trivia questions (like the DEFCON and John Draper questions here) are a challenge mechanic simulating knowledge-based authentication - a second factor beyond the password. In the real world, knowledge-based authentication (KBA) like "What was the name of your first pet?" is widely considered weak because answers can often be researched from public information.
DEFCON is the world's largest underground hacking conference, held annually in Las Vegas. John Draper (a.k.a. Cap'n Crunch) is a legendary phone phreaker who discovered that a toy whistle from Cap'n Crunch cereal produced a 2600 Hz tone that could manipulate AT&T's phone network - a famous early example of exploiting unintended system behaviors. These trivia questions are nods to hacker culture and history.
Once authenticated, landing in /home/player with limited rights demonstrates the principle of least privilege: even authenticated users should not have root access by default. The challenge requires a privilege escalation step to reach /root/flag.txt, reflecting real-world attack chains where an initial foothold must be leveraged for further access.
- Step 3: Abuse the banner reader
The root-owned script reads /home/player/banner. Replace it with a symlink to /root/flag.txt so the next login displays the flag as the banner.
cd /home/player && rm banner && ln -s /root/flag.txt banner
Reconnect to <PORT2_FROM_INSTANCE>; root prints the flag when it loads the banner.
Learn more
A symbolic link (symlink) is a special file that acts as a pointer to another path. When any process reads the symlink, the OS transparently redirects the read to the target. Here, replacing the player-owned banner file with a symlink to /root/flag.txt causes the root-owned banner-reading script to unknowingly read and display the flag.
This is a symlink attack - a classic privilege escalation technique. It works when: (1) a privileged process reads a file in a location writable by a lower-privileged user, and (2) the process follows symlinks without checking that the target is in a safe location. The fix is for privileged scripts to use O_NOFOLLOW when opening files, or to use realpath() to resolve the true path before reading.
The broader vulnerability class is called TOCTOU (Time Of Check to Time Of Use): the script checks that the banner file exists (TOC), then later reads it (TOU). Between these two events, an attacker can replace the file with a symlink. Even atomic operations can sometimes be exploited if the race window is large enough.
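The mitigation described above, shown as an added Python example (this is not the challenge's own banner script, which the write-up never shows): a naive reader that checks the path and then opens it, beside a hardened reader that opens with O_NOFOLLOW and verifies the object it actually opened through fstat(). The demo runs entirely inside a temporary directory, with constructed files standing in for /home/player/banner and /root/flag.txt; the ownership rule (the banner must belong to the expected user and have a single link) is my assumed policy, not something the page states.

```python
import errno
import os
import stat
import tempfile
from typing import Dict, Optional

MAX_BANNER_BYTES = 4096


def read_banner_naively(path: str) -> Optional[str]:
    """The vulnerable pattern: check the path, then open it.
    open() follows symlinks, so a link planted between check and use is read as-is."""
    if not os.path.isfile(path):          # time of check
        return None
    with open(path, "r") as f:            # time of use
        return f.read(MAX_BANNER_BYTES)


def read_banner_safely(path: str, expected_uid: int) -> Optional[str]:
    """Open without following a final-component symlink, then verify the object
    actually opened via fstat(fd). realpath() on its own would not help here:
    it is a path-based check and can be raced just like os.path.isfile()."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError as exc:
        if exc.errno == errno.ELOOP:      # Linux reports a symlink as ELOOP under O_NOFOLLOW
            return None
        raise
    try:
        st = os.fstat(fd)                 # properties of the opened object, not of the path
        if not stat.S_ISREG(st.st_mode):  # FIFOs, devices, directories
            return None
        if st.st_uid != expected_uid:     # assumed policy: the banner belongs to this user
            return None
        if st.st_nlink != 1:              # hard-link variant of the same trick
            return None
        return os.read(fd, MAX_BANNER_BYTES).decode("utf-8", errors="replace")
    finally:
        os.close(fd)


def run_demo() -> Dict[str, Optional[str]]:
    """Reproduce the cases inside a temporary directory and return each reader's result."""
    me = os.getuid()
    results: Dict[str, Optional[str]] = {}
    with tempfile.TemporaryDirectory() as home:
        secret = os.path.join(home, "flag.txt")   # constructed stand-in for /root/flag.txt
        banner = os.path.join(home, "banner")     # constructed stand-in for /home/player/banner
        with open(secret, "w") as f:
            f.write("FLAG{constructed_placeholder}\n")
        with open(banner, "w") as f:
            f.write("Welcome to the service\n")
        results["naive_regular"] = read_banner_naively(banner)
        results["safe_regular"] = read_banner_safely(banner, me)

        os.remove(banner)
        os.symlink(secret, banner)                # the replacement the write-up performs
        results["naive_symlink"] = read_banner_naively(banner)
        results["safe_symlink"] = read_banner_safely(banner, me)

        os.remove(banner)
        try:
            os.link(secret, banner)               # hard link: nothing for O_NOFOLLOW to refuse
            results["safe_hardlink"] = read_banner_safely(banner, me)
        except OSError:
            results["safe_hardlink"] = "skipped (hard links not permitted here)"
    return results


if __name__ == "__main__":
    for case, text in run_demo().items():
        print(f"{case:15s} -> {text!r}")
```

The point of the fd-based checks is that they describe the file the process is about to read, whatever the path looked like a moment earlier; a stat() on the path before open() would just reopen the window the write-up exploits.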
Symlink attacks appear regularly in CVEs affecting Linux system services. Notable examples include vulnerabilities in sudo, systemd, and various package managers. The Linux security model has been extended with features like open_basedir and Seccomp-BPF to limit the damage such attacks can cause, but misconfigurations that allow them remain common.
Flag
picoCTF{b4nn3r_gr4bb1n9_su((3sfu11y_8126...}
When the root script renders your symlinked banner, it prints the flag exactly as shown.