UUniCyber · Bootcamp
Apply now
Writeup · 11 May 2026 · Daniel Junior

第一夜 · First Night — Week 1 CTF walkthrough

The story

The internet bill went unpaid. The router blinks offline. Somewhere on the box there's a captured handshake and a wordlist someone downloaded before the line died.

Week 1 was about Linux command-line fundamentals. Not CTF tricks, not tool mastery — just find, cat, and grep. The three commands every security analyst uses before they open anything else.

The challenge had two stages, twenty minutes on the clock, and a shared account that reset every ten minutes so no one could mess with state for the next player.

Connecting

ssh player2018@192.3.0.150
# password: linux101

The environment was a minimal Linux box. No internet. No fancy tools. Just the filesystem.

Stage 1 — Find the handshake

The scenario: there's a captured WiFi handshake file somewhere on the box. find is the right tool.

find / -name "*.cap" 2>/dev/null
find / -name "*.pcap" 2>/dev/null
find / -name "*handshake*" 2>/dev/null

Most players found it by searching for .cap extensions — the standard format for captured WiFi handshakes (tools like airodump-ng output these).

The file was sitting in a non-obvious path inside /home — not in player2018's home, but in another user's directory that happened to be world-readable.

Stage 2 — Find the wordlist

Same idea, different extension. A wordlist is just a text file full of passwords:

find / -name "*.txt" -size +10k 2>/dev/null
find / -name "*wordlist*" 2>/dev/null
find / -name "*rockyou*" 2>/dev/null

Once found, cat confirms it's actually a password list. grep can search it:

grep "password" /path/to/wordlist.txt | head -20

The flag

The flag was embedded inside the handshake file's metadata comment field — visible with cat or strings:

cat /path/to/handshake.cap | grep "flag{"

flag{gr3p_find_c4t_basics}

What it tested

  • Navigating a filesystem you've never seen
  • Using find with -name, -size, and stderr suppression (2>/dev/null)
  • cat to inspect files, grep to search inside them
  • Not panicking when the clock is running

38 out of 62 students solved it. The 24 who didn't mostly got lost at the find stage — searching only in /home rather than the whole filesystem, or not suppressing permission errors.

Week 2

Next Saturday: Recon & Scanning. Nmap, WhatWeb, Shodan, OSINT investigation challenge. The complexity level goes up significantly — you'll be mapping a real (fictional) target network under time pressure.

Start reading man nmap now.

Challenge designed and deployed by Daniel Junior, UniCyber Technical Lead.