#01 · Whispers on 1337
Something is listening on port 1337. Connect with ncat and read what it says.
San Antonio // after dark
A hooded intruder is loose inside the data center — slipping between the servers, scattering binary like ash. It left 20 flags behind, buried across open services, forgotten ports, and files it thought no one would read.
You have a Kali box and a target: 45.79.3.229.
Little hand-holding, minimal hints. Scan, poke, decode, and drag every ALAMO{...} flag back into the light.
ALAMO{ ... }. Submit it exactly as found.
45.79.3.229. Attack only this host — nothing else.
nmap, ncat, gobuster, ftp, smbclient, mysql, hashcat/john, strings, binwalk, curl, base64.
Recovered evidence: shield.png — the shadow dropped it on the way out. Looks ordinary. Is it?
Something is listening on port 1337. Connect with ncat and read what it says.
Port 8888 answers anyone who knocks. ncat it and listen.
The mission page hides more than it shows. View the page source.
Well-behaved crawlers read one special file at the web root. So should you.
A directory exists that nothing links to. Brute-force it with gobuster and a common wordlist.
A service on port 2323 is proud of its version string. Ask nmap -sV nicely.
A door sits on a very high port. A default scan misses it. Scan the full range.
An FTP server allows anonymous login. Log in and look around for a file.
An unusual, very 'leet' port is open. Find it and connect.
5-4-3-2-1... an odd port is counting down. Knock on it.
A Windows-style file share (SMB) allows guest access. Enumerate it and read the file inside.
A MySQL server accepts a low-privilege login (user 'shadow', password 'shadow'). Query the obvious table.
In the same database, one table is easy to miss. SHOW TABLES and dig.
The /vault page shows an MD5 hash. Crack it. The plaintext word, wrapped as ALAMO{word}, is your flag.
Download the shield image from the mission page. Something is hiding inside the file. strings/binwalk are your friends.
The server adds a custom HTTP response header. curl -I the mission page.
The site hands you a cookie you didn't ask for. Inspect it (curl -v or your browser dev tools).
A comment in the mission page HTML looks like gibberish. It's Base64. Decode it.
The site's JavaScript file hides a string rotated 13 places. ROT13 it.
Even the stylesheet keeps secrets. Read the CSS.