Our company runs a secure-ftp server to share files. It's pretty secure—or at least we thought so. One day, we discovered that our company's username and password credentials were leaked. WE WERE HACKED. After a thorough investigation, our sysadmin was able to recover some network traffic that seemingly came from the attacker. We are currently working on patching the bug in our secure-ftp server and tightening security measures. Hopefully, no one will exploit us again and cause another leak, right?
The attacker has removed the read/write permissions from the original binary, so it's probably best to focus on analyzing the `capture.pcap` instead. You don't need any fancy FTP clients to use our FTP server—just a simple netcat command like `nc localhost 21` will work. You can run the FTP server by executing `/challenge/secureftp`. To analyze the capture, you can use a tool called Wireshark. Once opened, inspect the traffic and try to figure out how the attacker stole our information. Hopefully, no one can leak `/flag` 🤞.
💡 Hint for the secure-ftp challenge
You are not meant to look at the binary.
However, we’ve made it readable since everyone has been asking for it.
XSH(1)                    General Commands Manual                    XSH(1)

NAME
       xsh - A minimal, restricted shell with command history

DESCRIPTION
       xsh is a highly restrictive shell designed for controlled command execution.
       It supports a small set of built-in commands and maintains a command history.
       Check the `help` command in the shell for more help.

HISTORY
       Commands entered in xsh are stored in a history buffer, which can be
       accessed using `history` and replayed using `!<index>` or `!!`.

BUGS
       The `delete` command is known to be unstable. If a long command is deleted
       twice, the shell crashes with a strange error. Please report fixes; otherwise,
       this feature will be deprecated in version 1.2.

AUTHOR
       Developed for AZ-CTF 2025.

SEE ALSO
       sh(1), bash(1), zsh(1)

AZ-CTF 2025                      March 2025                          XSH(1)