GLASSHEADS, pt. 3 Challenge #1 - Viral
This challenge can be found when Wheeler enters the institute.
The Setup
Help the team scan the bio intranet. Start by connecting to the network via ssh -p 7001 ctf-[hash-redacted]@ssh.dyn.mctf.io.
The Network
ssh -p 7001 TMP_STRING@ssh.dyn.mctf.io
Welcome, competitor #TMP_USER. This session will force-close after 60 minutes.
Each SSH connection spawns an entire fresh network for you. Disconnect and reconnect to make a new network.
If you'd like multiple shells, use tmux or screen.
Please wait, spawning network...
[######################################]
Granting console access...
=-=-=-=-=-=-=-=-=-=-=-=-=-=
WELCOME TO
LULZ WORLD
Your IP address is:
10.0.0.201/24
Run 'help' for... help
!kcul dooG
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Fun stuff! Let's see what we have at our disposal.
root@lulzworld:~# help
Recommended Commands:
ip addr
nmap
curl
ssh
This is a good recommendation, it narrows-down our focus. Let's see if the network interface is standard.
root@lulzworld:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0@if1278: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 4e:78:07:a9:6f:31 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.0.0.201/24 scope global eth0
valid_lft forever preferred_lft forever
Looks standard enough, so let's scan the network next, using Nmap.
root@lulzworld:~# nmap -sn 10.0.0.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2026-02-13 10:41 UTC
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.0.0.3
Host is up (0.000022s latency).
MAC Address: 9A:E5:BC:26:DD:D3 (Unknown)
Nmap scan report for 10.0.0.25
Host is up (0.000010s latency).
MAC Address: C2:21:31:9C:F9:14 (Unknown)
Nmap scan report for 10.0.0.76
Host is up (0.000012s latency).
MAC Address: E6:B7:33:29:E4:00 (Unknown)
Nmap scan report for 10.0.0.201
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 1.53 seconds
Nice, this narrows it down to 4 different IP addresses, one of which is our own.
Let's see what ports the first address, 10.0.0.3, has open.
root@lulzworld:~# nmap -p- 10.0.0.3
Starting Nmap 7.80 ( https://nmap.org ) at 2026-02-13 10:42 UTC
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.0.0.3
Host is up (0.000012s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
8000/tcp open http-alt
MAC Address: 9A:E5:BC:26:DD:D3 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 1.62 seconds
Ok, port 8000, and with what looks like a simple http server, let's curl that.
root@lulzworld:~# curl 10.0.0.3:8000
###########
LULZ WORLD
Key Part I captured:
KEY{XX____}
###########
I've hidden them, but we get the first 2 characters from the key.
On to the next IP, 10.0.0.25.
root@lulzworld:~# nmap -p- 10.0.0.25
Starting Nmap 7.80 ( https://nmap.org ) at 2026-02-13 10:43 UTC
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.0.0.25
Host is up (0.000012s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
22/tcp open ssh
MAC Address: C2:21:31:9C:F9:14 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 1.58 seconds
An ssh service on port 22, this is the default port for ssh. Let's try it.
root@lulzworld:~# ssh 10.0.0.25
###########
LULZ WORLD
Key Part II captured:
KEY{__XX__}
###########
root@10.0.0.25's password: [CTRL+C to escape]
Nice, the next two characters! They show-up in the banner before the password prompt.
Onto the final address, 10.0.0.76.
root@lulzworld:~# nmap -p- 10.0.0.76
Starting Nmap 7.80 ( https://nmap.org ) at 2026-02-13 10:43 UTC
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.0.0.76
Host is up (0.000012s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
5000/tcp open upnp
MAC Address: E6:B7:33:29:E4:00 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 1.53 seconds
Ok, port 5000 has an UPnP service running. No idea how to interact with that, let's just curl it.
root@lulzworld:~# curl 10.0.0.76:5000
curl: (56) Recv failure: Connection reset by peer
We need to diagnose what is running on that port. Let's use nmap again.
root@lulzworld:~# nmap -sV -p 5000 10.0.0.76
Starting Nmap 7.80 ( https://nmap.org ) at 2026-05-31 12:23 UTC
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.0.0.76
Host is up (0.000056s latency).
PORT STATE SERVICE VERSION
5000/tcp open ssl/http BaseHTTPServer 0.6 (Python 3.11.13)
MAC Address: 7A:0F:83:89:E9:ED (Unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.71 seconds```
Aha, so UPnP was a red herring, we're actually look at an ssl/http service, which serves https. Let's try executing an insecure https connection.
root@lulzworld:~# curl -k https://10.0.0.76:5000/
###########
LULZ WORLD
Key Part III captured:
KEY{____XX}
Combine all three keys together to
get the final, six-character key.
!krow dooG
###########
curl: (56) OpenSSL SSL_read: error:0A000126:SSL routines::unexpected eof while reading, errno 0
Cool, 3/3 parts of the key, challenge complete.