Red Team Village CTF @ Grayhat 2020

Red Team Village put on a CTF for Grayhat attendees hosted at It was meant to be a beginner-to-intermediate-level CTF with the goal of learning and having fun. In between waiting for a large PCAP file to be rescanned with different filters for Niflheim’s Network CTF, I answered a few questions in this CTF. I found the tunneler challenges to be extremely interesting, and I regret not being able to spend more time on them. There is an incredible writeup for them here:

easy crack

I put all the easy crack hashes into a file called rtvhashes and ran the following command:

$ john rtvhashes --wordlist=/usr/share/wordlists/rockyou.txt
sneakers	(Pamela)
stampe! 	(David)
Doughsgirl	(Christine)
5223786		(Randall)

What failed

After a hard day of defeating cyber attacks from adversaries, let’s dig into some sweet log files from our server to see how many cyber attacks we single-handedly stopped. What service was fail2ban configured to protect?

I’ve seen fail2ban used for SSH, so I guessed ssh and it was the flag.



SSH to the linux trainer at

After getting the password, I would su to that user and cd ~.

$ ssh -l level0    # with password level0.
level0@trainer:~$ cat level1_password

level1@trainer:~$ cat some_directory/level2_password

level2@trainer:~$ cat dir/another_dir/another_another_dir/some_directory/level3_password

level3@trainer:~$ cat .level4_password

level4@trainer:~$ cat .hidden_dir/.level5_password

level5@trainer:~$ cat ../level6/level6_password

level6@trainer:~$ cat $(find . -name '*level7*')    # quote the glob so the shell does not expand it before find sees it
The password for level7 is:


level7@trainer:~/password_directory$ cat $(grep -l password level8*)
The password for level8 is:


level8@trainer:~$ find . -name 'level9*'
level8@trainer:~$ ./dir24/subdir13/level9_password
The password is: 96ab15e954f1267ea04c35de2d771c2b

level9@trainer:~$ grep -n evilhacker /usr/share/wordlists/rockyou.txt
# password is 955830

level10@trainer:~$ cat welcome_message
Welcome to Level 10

For this level you are given a log file from the program fail2ban.  Fail2ban is used monitor log files for suspicious activity like too many failed logins.  It is commonly deployed for use with Apache or SSH.  After a configured number of attempts it will create an iptables (linux firewall) rule to block the ip from communicating with the device for a period of time.

The log file is located in your home directory and is called fail2ban.log.  The password to level 11 is the number of times was banned.
level10@trainer:~$ grep 'Ban' fail2ban.log | wc -l
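To make the level 10 count reproducible, and to see why a bare `grep 'Ban' | wc -l` can over-count, here is an added Python example (not from the writeup and not fail2ban's own code) that parses fail2ban's default `fail2ban.actions` log line format over a few constructed log lines and counts bans per IP. It ignores `Unban` and `already banned` lines and the `Restore Ban` lines newer fail2ban versions write when they re-apply a persisted ban after a restart, all of which a substring grep can sweep up. The timestamps, IPs and jail name are constructed; the line layout is fail2ban's.

```python
import re
from collections import Counter

# Constructed sample log in fail2ban's default line format (not from the page).
SAMPLE_LOG = """\
2020-10-30 12:00:01,123 fail2ban.filter  [1234]: INFO    [sshd] Found 198.51.100.7
2020-10-30 12:00:05,456 fail2ban.actions [1234]: NOTICE  [sshd] Ban 198.51.100.7
2020-10-30 12:10:05,789 fail2ban.actions [1234]: NOTICE  [sshd] Unban 198.51.100.7
2020-10-30 12:15:00,000 fail2ban.actions [1234]: NOTICE  [sshd] Ban 203.0.113.9
2020-10-30 12:20:00,000 fail2ban.actions [1234]: NOTICE  [sshd] Ban 198.51.100.7
2020-10-30 12:21:00,000 fail2ban.actions [1234]: WARNING [sshd] 198.51.100.7 already banned
2020-10-30 12:30:00,000 fail2ban.actions [1234]: NOTICE  [sshd] Restore Ban 203.0.113.9
"""

# Matches only genuine action lines: "<ts> fail2ban.actions [pid]: LEVEL [jail] Ban|Unban <ip>"
ACTION_RE = re.compile(
    r"^(?P<ts>\S+ \S+) fail2ban\.actions\s+\[\d+\]: \w+\s+\[(?P<jail>[^\]]+)\] "
    r"(?P<action>Ban|Unban) (?P<ip>\S+)$"
)


def parse_actions(log_text):
    """Yield (timestamp, jail, action, ip) for every real Ban/Unban line."""
    for line in log_text.splitlines():
        m = ACTION_RE.match(line)
        if m:
            yield m.group("ts"), m.group("jail"), m.group("action"), m.group("ip")


def ban_counts(log_text, jail=None):
    """Count Ban actions per IP, optionally restricted to one jail (e.g. 'sshd')."""
    counts = Counter()
    for _ts, j, action, ip in parse_actions(log_text):
        if action == "Ban" and (jail is None or j == jail):
            counts[ip] += 1
    return counts


def naive_count(log_text):
    """What `grep 'Ban' fail2ban.log | wc -l` computes: a case-sensitive substring count."""
    return sum(1 for line in log_text.splitlines() if "Ban" in line)


if __name__ == "__main__":
    print("grep-style count:", naive_count(SAMPLE_LOG))
    for ip, n in ban_counts(SAMPLE_LOG, jail="sshd").most_common():
        print(f"{ip} banned {n} time(s)")
```

On the sample the grep-style count is 4 because the `Restore Ban` line carries the substring, while the parsed per-IP counts are 2 and 1; the level asks for a specific address, so the per-IP view is the one to answer with.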

level11@trainer:~$ cat welcome_message
Welcome to Level 11

For this level you are given a file that contains the password to the next level.  The password is a md5 hash.  Research md5 hashes and find it in the file.
# find an MD5 hash (a 32 digit hexadecimal) in the file md5find
level11@trainer:~$ grep -E "[0-9a-f]{32}" md5find

level12@trainer:~$ cat welcome_message
Welcome to Level 12

For this level you are going to find SUID and SGID binaries in common locations.  This is a common privilege escalation technique seen in CTFs and real world.  Remember the user you are looking to escalate privileges to is level13.

type: man find
      google SUID
      google SGID

level12@trainer:~$ find / -perm /4000 2>/dev/null
level12@trainer:~$ /usr/sbin/mysecret
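As an added example that is not part of the writeup, the following Python does what `find / -perm /6000 -type f 2>/dev/null` does (SUID or SGID, not just the `/4000` SUID search above), walking a tree for set-id regular files while skipping unreadable directories, and then diffs the result against an allow-list of expected set-id binaries. That diff is the defender's view of this level: a `/usr/sbin/mysecret` that is not on the distribution's baseline is exactly the kind of thing to alert on. It runs against a constructed temporary tree, so the `usr/sbin/mysecret` here is a demo file, not the box's binary.

```python
import os
import shutil
import stat
import tempfile


def find_setid_files(root):
    """Return sorted paths under `root` of regular files with SUID or SGID set.

    Equivalent to `find root -perm /6000 -type f`; symlinks are not followed and
    directories that cannot be read are skipped instead of aborting the walk."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)


def unexpected_setid(found, baseline):
    """Set-id files that are not in the allow-list of known-good paths."""
    return [p for p in found if p not in baseline]


def build_demo_tree():
    """Constructed tree with one SUID, one SGID and one plain file (assumed layout)."""
    root = tempfile.mkdtemp(prefix="setid-demo-")
    os.makedirs(os.path.join(root, "usr", "sbin"))
    os.makedirs(os.path.join(root, "usr", "bin"))

    def touch(rel, mode):
        p = os.path.join(root, rel)
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho demo\n")
        os.chmod(p, mode)
        return p

    paths = {
        "plain": touch("usr/bin/plain", 0o755),
        "suid": touch("usr/sbin/mysecret", 0o4755),   # hypothetical stand-in for the page's binary
        "sgid": touch("usr/bin/sgidtool", 0o2755),
    }
    return root, paths


if __name__ == "__main__":
    root, paths = build_demo_tree()
    found = find_setid_files(root)
    # Pretend the SGID tool is on the baseline and see what is left over.
    print("unexpected set-id files:", unexpected_setid(found, {paths["sgid"]}))
    shutil.rmtree(root)
```

Against a real host the baseline would be the package manager's record of which files legitimately carry the bit (for example `dpkg-query` output on Debian), and the walk would start at `/`.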

Welcome to Level 13

For this level you are going to familiarize yourself with environment variables.  They are used for a wide variety of applications.  Specifically, they can be used for docker and cloud providers to store credentials.  They password to level 14 is is the one that ends with ID.
level13@trainer:~$ env | grep ID

level14@trainer:~$ cat welcome_message
Welcome to Level 14

For this level you are going to familiarize yourself with the kernel version.  We are just looking for the Kernel and Major version (the first two sets of numbers) example: if the version is the password will be 2.62

Understanding Kernel versions can help when search for exploits with tools like searchsploit or exploitdb (Sorry, there isn't any kernel exploits for this box, I hope)

level14@trainer:~$ uname -a
Linux trainer 4.19.0-10-cloud-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux
# Level 15 pass is 4.19, Level 16 pass is Debian

level16@trainer:~$ cat welcome_message
Welcome to Level 16

For this level you are going to familiarize yourself with the aliases.  They can be very useful and can be used for a variety of actions to speed up your workflow.  They can also be very dangerous.
level16@trainer:~$ cat .bashrc
alias devbox='sshpass -p 6b39034a8045ed996a436f8d09031522 ssh'
alias grep='grep --color=auto'
alias bc='bc -l'
alias mkdir='mkdir -pv'

level17@trainer:~$ cat .viminfo

level18@trainer:~$ tail .bash_history -n 7
find / -perm -g=s -type f 2>/dev/null
ssh level19@localhost
ssh level19@

$ scp level19@ .
level19@'s password:
level20_id_rsa                                                      100% 1811    25.6KB/s   00:00
$ ssh level20@ -i level20_id_rsa
level20@trainer:~$ cat level20_password
The password for level20 is:
5cf82d972614f73422f899f90cfce80f
level20@trainer:~$ tar xvf backup.tgz
level20@trainer:~$ cat level21_password

level21@trainer:~$ bunzip2 -d mybackup
level21@trainer:~$ cat mybackup.out



Connect to the bastion host User: tunneler Password: tunneler SSH Port: 2222

$ ssh -p2222 -l tunneler
The first challenge is to forward a port or forward tunnel to view a web server on an internal network.  The address is and it is listening on port 80.
The second challenge is to connect to the pivot host.  The address is with user: whistler and password: cocktailparty 

Browsing Websites

Browse to

$ ssh tunneler@ -p2222 -L 8000:

Then open, http://localhost:8000/ and find:

You made your first tunnel, take this flag as a reward for your hard work ts{censored}
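The `-L 8000:<internal host>:80` forward works because the ssh client listens on localhost:8000 and relays every connection it accepts, through the bastion, to the internal host. The following is an added Python example, not code from the writeup or from OpenSSH, that implements just the relay half: a local listener that copies bytes in both directions to a target, plus a constructed stand-in for the internal web server so the whole thing runs offline on loopback. The banner, the request text and the ports are constructed; a real `-L` replaces the plain TCP hop to the target with an SSH channel that the bastion opens on your behalf.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until EOF, then half-close dst so EOF propagates."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class LocalForwarder:
    """Listen on 127.0.0.1:listen_port and relay each connection to target_host:target_port.

    This is the local-listener side of `ssh -L listen_port:target_host:target_port bastion`;
    here the hop to the target is a plain TCP connect instead of an SSH channel."""

    def __init__(self, listen_port, target_host, target_port):
        self.target = (target_host, target_port)
        self.server = socket.socket()
        self.server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.server.bind(("127.0.0.1", listen_port))   # bind to loopback only, like ssh's default
        self.server.listen(5)
        self.listen_port = self.server.getsockname()[1]  # real port when 0 was requested
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.server.accept()
            except OSError:
                return  # listener closed
            threading.Thread(target=self._handle, args=(client,), daemon=True).start()

    def _handle(self, client):
        try:
            upstream = socket.create_connection(self.target, timeout=5)
        except OSError:
            client.close()  # target unreachable: drop the local connection, as ssh would
            return
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        _pump(upstream, client)
        client.close()
        upstream.close()

    def close(self):
        self.server.close()


def start_echo_server():
    """Constructed stand-in for the internal web server: replies with a banner plus the request."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            data = conn.recv(4096)
            conn.sendall(b"INTERNAL: " + data)
            conn.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def fetch_through_tunnel(payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Bring up the target and a forwarder, send payload via the local end, return the reply."""
    target_port = start_echo_server()
    fwd = LocalForwarder(0, "127.0.0.1", target_port)
    with socket.create_connection(("127.0.0.1", fwd.listen_port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            d = s.recv(4096)
            if not d:
                break
            chunks.append(d)
    fwd.close()
    return b"".join(chunks)


if __name__ == "__main__":
    print(fetch_through_tunnel().decode())
```

The half-close handling in `_pump` is the part people get wrong when writing relays: without propagating EOF in each direction separately, a client that finishes sending but still expects a reply (which is what a browser does against localhost:8000) would hang.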

SSH in Tunnels

SSH through the bastion to the pivot.

$ ssh -J tunneler@ whistler@


Some things you can do:

Something is Beaconing to the pivot on port 58671-58680 to ip, can you tunnel it back?

scan for the ftp server: user: bishop pass: geese  (Its not where you think it is, also the banner is important)

connect to pivot-2 ip: ssh port: 22 user: crease pass: NoThatsaV

connect to ip: port: 7000, a beacon awaits you

Beacons Everywhere

Something is Beaconing to the pivot on port 58671-58680 to ip, can you tunnel it back?

$ ssh -J tunneler@ whistler@ -R

# In new window
$ nc -nlvp 4444

Beacons Annoying

Connect to ip: port: 7000, a beacon awaits you

$ ssh -J tunneler@ whistler@ -L 7000: &
$ nc -v localhost 7000
I hope you like tunneling, I will send you the flag on a random port... How fast is your tunnel game?
I will send the flag to ip: on port: 24354 in 15 seconds

# In new window
$ ssh -J tunneler@ whistler@ -R &
$ nc -v localhost 1234

See writeup linked above, for the rest.