
BLACKLIGHT CTF Walkthrough (RootMe)

April 7, 2025

In this blog post, I share my methodology for solving the BLACKLIGHT Capture The Flag (CTF) challenge on Root-Me. The goal of this write-up is to present the key steps, techniques, and tools used to approach the challenge without disclosing any flags, in order to respect the rules of the platform.
We begin with basic reconnaissance:
  • Ping the target machine to retrieve its IP address.
  • Port scanning with tools like nmap or netcat reveals two open ports:
    • HTTP (port 80)
    • A non-standard port (e.g. 9072)
The HTTP service hosts a website accessible via: http://ctf26.root-me.org.
  • A look at the source code (CTRL + U) of the homepage shows nothing obvious.
  • Using dirb (dirb http://ctf26.root-me.org/) reveals interesting files:
    • robots.txt, which references sensitive paths
    • A flag1.txt file with encoded content and a reference to the previously discovered custom port

  • We find a custom dictionary file /blacklight.dict, possibly used for hash cracking or service interaction.
  • Accessing the service on port 9072 with nc ctf26.root-me.org 9072 reveals a custom interface with limited commands like readhash.
The server allows only a single command before shutting down, so we need precision.
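From the defender's side, the robots.txt finding from the web enumeration above is something a site owner can catch before deployment. The following audit is an added example, not part of the original write-up or the challenge; the sample robots.txt is constructed, and the keyword and extension lists and the function names are assumptions.

```python
import re

# Constructed sample; the write-up does not show the real robots.txt contents.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/db.sql
Disallow: /notes.txt
Allow: /public/
Disallow: /images/
Disallow:
"""

# Assumed heuristics for paths that should not be advertised to anonymous clients.
CHECKS = [
    ("sensitive keyword", re.compile(r"admin|backup|secret|private|config|passw|flag|dump", re.I)),
    ("names a specific file", re.compile(r"\.(txt|dict|sql|bak|old|zip|log|conf|key)$", re.I)),
]


def parse_robots(text):
    """Yield (line_no, user_agent, directive, path) for each Allow/Disallow rule."""
    agent = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            agent = value
        elif field in ("allow", "disallow") and value:  # empty Disallow blocks nothing
            yield no, agent, field, value


def audit_robots(text):
    """Return one finding per Disallow rule that discloses a sensitive-looking path."""
    findings = []
    for no, agent, directive, path in parse_robots(text):
        if directive != "disallow":
            continue
        reasons = [label for label, rx in CHECKS if rx.search(path)]
        if reasons:
            findings.append({"line": no, "agent": agent, "path": path, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_robots(SAMPLE_ROBOTS):
        print(f"robots.txt:{f['line']} discloses {f['path']} ({', '.join(f['reasons'])})")
```

A finding means the path needs real access control or removal from the web root; deleting the line from robots.txt alone leaves the file reachable.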
We prepare for a reverse shell using a payload from pentestmonkey, and set up our machine to listen with:
    nc -lvnp 4444
Then, we launch the payload toward the server using the exposed input on port 9072.
Note: We used Ngrok to expose our local port publicly, allowing a successful callback.

Once the reverse shell is active, we confirm we have root access. At this point, we are able to browse the filesystem, identify important files (like /passwd) and finalize the challenge.
This CTF served as a great opportunity to practice web enumeration, basic port exploitation, reverse shell payloads, and quick thinking under limited input constraints. The ability to combine reconnaissance with web analysis and basic privilege escalation is key to solving such machines.
⚠️ Disclaimer: This write-up does not include any flag or exact hash output in order to respect RootMe's challenge policies.

Thanks for reading, and stay safe out there!