Trapped in Plain Sight 2

category: misc

Platform: UTCTF2025

Difficulty: easy

Description

Only the chosen may see.

The password is for ssh is password.

Resolution

I connected to the ssh connection and found the flag was already in the current directory. It was strange, so I checked the file user privileges into that file.

getfacl shows which users/groups have special permissions on that file.

secretusercan read the file

From this, my task is likely to become secretuser.

I tried to see if there’s a setuid root binary that could drop privileges to read flag.txt

Since that info was not that useful, I looked for passwords in config files with the command

grep -Ri "secretuser" /etc 2>/dev/null
grep -Ri "secretuser" /home 2>/dev/null

From this, we can see the password was set as “hunter2”.

After making sudo as secretuser with the previous password, we can now read the file flag.txt.

PreviousHunting License NextPermissions

Last updated 10 months ago