Kalaichelvan Thieveshkar (CB013248) · Staffordshire University · COMP50003 - Cyber Security II
RootQuest is a purpose-built CTF virtual machine that contains a 10-stage, sequential attack path spanning 5 security domains. Each challenge produces output required for the next step — players must chain together web, crypto, network, and local exploits to reach full root compromise.
Warning / Intended use: This VM is for educational, defensive, and authorized CTF use only. Do not deploy on production networks. Use inside an isolated lab.
| Resource | URL / Filename |
|---|---|
| CTF VM Image (OVA / VHD / VMware — zipped) | RootQuest--Thieveshkar_CB013248.vmx — Download VM (zipped) |
| Technical Report (Design & Risk Analysis) | Technical Report (PDF) |
| Exploit Walkthrough (Step‑by‑Step Guide) | Medium walkthrough |
| License | ./LICENSE |
Design and implement a complex, 10-challenge Capture The Flag (CTF) virtual machine (RootQuest) that forces players to navigate a sequential attack path across 5 security domains to achieve full root compromise.
- Base OS: Ubuntu 14.04.1 LTS (targeted for the final Kernel exploit).
- Services: Apache 2.4.7, PHP5, MySQL 5.5, OpenSSH 6.6.1p1 (custom port 2222), Custom Python TCP Service (port 8888).
- Exploitation Pipeline: Challenges are interconnected, requiring the output of one step (e.g., XSS flag) as the input for the next (e.g., TCP service passphrase).
| Domain | Difficulty | Exploit Technique |
|---|---|---|
| Forensics | Medium / High | Corrupted PNG header repair (hex editing), Brainf**ck code extraction from PCAP |
| Web Exploitation | Medium / High | SQL Injection bypass (SHA1 hashing) → Session token extraction via XSS |
| Cryptography | Medium / High | AES-256 SSH key decryption using ROT13 + Base64 decoded passphrase; multi-layered 5-step cipher reversal |
| Privilege Escalation | Medium / High | SUID binary execution (simple_suid) to pivot user account; Kernel exploit (OverlayFS, CVE-2015-1328) for final root access |
| Network | Medium | Custom TCP service interaction using C2 flag as required secret code |
1. Initial Access: Fix corrupted PNG image (hex edit) to reveal hidden web page.
2. Web Pivot: Bypass SHA1-hashed login via SQL injection to reach forum page.
3. C2 Acquisition: Execute XSS payload on forum to steal session token from hidden page.
4. Network Access: Use XSS token as secret code to interact with custom TCP service.
5. SSH Prep: Decode passphrase (ROT13 + Base64) from page source to decrypt player's AES-256 encrypted SSH private key.
6. User Shell: SSH in as player1.
7. Pivot Shell: Exploit custom SUID binary to escalate to developer user.
8. Root: Compile and execute the vulnerable Linux Kernel (OverlayFS) exploit (CVE-2015-1328) to gain full root privileges.
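For the forensics stage (corrupted PNG header repair), the following is an added example, not part of the RootQuest VM or its walkthrough: it validates the 8-byte PNG signature and the IHDR chunk (length, type, CRC), reports what is wrong, and restores a clobbered signature. The sample image bytes are constructed inline; the function names are my own.

```python
import struct
import zlib
from typing import List, Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"  # canonical 8-byte PNG file signature


def build_sample_png_header(width: int, height: int) -> bytes:
    """Constructed sample: signature + valid IHDR chunk (8-bit RGB, no interlace)."""
    body = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF
    return PNG_SIGNATURE + struct.pack(">I", len(body)) + b"IHDR" + body + struct.pack(">I", crc)


def check_png(data: bytes) -> List[str]:
    """Return a list of problems found in the signature and IHDR chunk (empty if clean)."""
    problems = []
    if data[:8] != PNG_SIGNATURE:
        problems.append("bad signature")
    if len(data) < 33:
        problems.append("truncated before IHDR")
        return problems
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        problems.append("first chunk is not a 13-byte IHDR")
        return problems
    body = data[16:29]
    stored_crc = struct.unpack(">I", data[29:33])[0]
    # CRC covers the chunk type and chunk data, not the length field
    if (zlib.crc32(ctype + body) & 0xFFFFFFFF) != stored_crc:
        problems.append("IHDR CRC mismatch")
    return problems


def ihdr_dimensions(data: bytes) -> Tuple[int, int]:
    """Read (width, height) from the IHDR chunk, regardless of signature damage."""
    width, height = struct.unpack(">II", data[16:24])
    return width, height


def repair_signature(data: bytes) -> bytes:
    """Overwrite the first 8 bytes with the canonical signature; the rest is untouched."""
    return PNG_SIGNATURE + data[8:]
```

Run `check_png` before and after `repair_signature` on the suspect file; a remaining "IHDR CRC mismatch" means the damage extends past the signature and the chunk body itself needs inspection.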
The provided zipped archive contains:
- RootQuest--Thieveshkar_CB013248.vmx — VMware configuration (double-click to open in VMware).
- Associated virtual disk files (*.vmdk) and any supporting files required by the VM.
- README.md (this file).
- license_ctf_rootquest.md.
- report/ — Technical Report (Design & Risk Analysis) PDF included.
- walkthrough/ — additional walkthrough resources (high-level walkthrough also on Medium).
Download (VM archive / Drive):
Download RootQuest VM (zipped)
- Download the zipped archive from the Drive link above.
- Extract/unzip the archive to a folder (right-click → Extract all... or use your archive tool).
- Locate RootQuest--Thieveshkar_CB013248.vmx.
- Double-click RootQuest--Thieveshkar_CB013248.vmx — VMware should open the VM automatically.
- OR open VMware → File → Open → select RootQuest--Thieveshkar_CB013248.vmx.
- Confirm the VM network adapter is set to NAT or Host-only (recommended for isolation).
- Power on the VM. Snapshot before destructive steps.
```bash
# Example unzip + open steps (adjust to your GUI / VMware setup)
unzip RootQuest--Thieveshkar_CB013248.zip -d rootquest_vm
# Then open VMware and File → Open → rootquest_vm/RootQuest--Thieveshkar_CB013248.vmx
```