Challenge / Misc

Touch

By Jennofrie Daguil · Cybersecurity and Red Team Operator

Touch is a sanitized challenge note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator

EasyPublished 2025-01-10Sanitized local writeup

Scenario

Touch attack path

Touch is a sanitized challenge note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator

Objective

Challenge walkthrough focused on Misc evidence, validation, and reusable operator lessons.

Touch sanitized attack graph

Walkthrough flow

01

Artifact review

02

Hypothesis

03

Validated solve path

04

Proof captured

Source coverage

High source coverage

Status: complete. This article is generated from 6 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

100% coverage
Evidence verdict

High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.

  • Misc/Touch/writeup.md
  • htb-challenge/Misc/Touch/notes.md
  • htb-challenge/Misc/Touch/memory-summary.md
  • htb-challenge/Misc/Touch/hypothesis-board.md
  • HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/challenge__Misc__Touch__memory-summary.md.f362fb21b9.md
  • HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/challenge__Misc__Touch__notes.md.e9e0a4be31.md

Technical Walkthrough

Writeup

Challenge

  • Name: Touch
  • Category: Misc
  • Difficulty: Easy
  • Mode: remote

Summary

The remote service exposes a Bash shell as ctf. The intended weakness is a

SUID/SGID /bin/touch. Normal touch is not directly useful for reading files,

but with umask 000 it can create root-owned world-writable files. That allows

creating /etc/ld.so.preload, pointing it to a controlled shared object, and

triggering the preload through the SUID touch binary.

The shared object cleans up /etc/ld.so.preload, marks /bin/bash SUID-root,

and copies /root/flag.txt to a readable temp file. The raw flag is stored only

in loot/flag.txt.

Artifact Inventory

Remote-only challenge:

  • Target: <TARGET>:30353
  • No downloadable challenge artifact was provided.
  • analysis/tcp-probes.txt records the shell prompt behavior.
  • analysis/touch-binary-behavior.txt records the SUID touch primitive.
  • analysis/preload-exploit-redacted.txt records the final exploit transcript

with the flag redacted.

Analysis

  1. Connected to the TCP service and confirmed it exposes /bin/bash -i as user

ctf.

  1. Enumerated filesystem metadata and found /home/ctf/touch -> /usr/bin/touch

and /bin/touch with mode 6755.

  1. Confirmed SUID touch creates root-owned files.
  2. Confirmed /root/flag.txt exists with touch -r /root/flag.txt /tmp/ref.
  3. Used umask 000 and SUID touch to create a writable

/etc/ld.so.preload.

  1. Uploaded a Linux x86_64 shared object and pointed /etc/ld.so.preload to it.
  2. Triggered SUID touch; the shared object ran as root, copied the flag to

/tmp/touch_flag.txt, and removed /etc/ld.so.preload.

Solve

Run:

bash
python3 solve/solve.py --host <TARGET> --port 30353

Then capture with:

bash
scripts/challenge_harness.py capture-flag Misc/Touch --from loot/flag-candidate.txt

The solve script builds solve/preload_touch.so with Zig if needed, uploads it

over the shell, executes the preload chain, writes the raw flag candidate to

loot/flag-candidate.txt, and keeps the normal transcript redacted.

Flag

Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

  • SUID binaries that seem low-impact can become powerful when they can create

privileged files with attacker-controlled permissions.

  • umask matters: touch creates files using process permissions masked by the

current shell umask.

  • Keep /etc/ld.so.preload cleanup inside the payload so a failed exploit does

not leave the target in a noisy state.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

  • Challenge: Touch
  • Category: Misc
  • Difficulty: Easy
  • Mode: remote
  • Remote instance: <TARGET>:30353
  • Start time: 2026-06-09T13:22:40Z
  • Operator: harness
  • State file: challenge-state.json

Harness Status

  • Current phase: see challenge-state.json
  • Next allowed actions: see next-action.json
  • Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

FileSizeSHA256TypeNotes
0remote-only or no provided filesNo local artifacts found under files/

Evidence Ledger

TimeActionOutput/FileFindingConfidenceNext
2026-06-09T13:22:40Zharness initchallenge-state.jsonWorkspace initialized with deterministic state fileHighInventory artifacts
2026-06-09T13:22:40Zartifact inventoryanalysis/artifact-inventory.json0 artifact(s) inventoriedHighBuild or update hypotheses
2026-06-09T13:23:00ZTCP probeanalysis/tcp-probes.txtService exposes an interactive ctf Bash shell, not a text-only promptHighEnumerate bounded shell metadata
2026-06-09T13:26:00ZSUID triageanalysis/touch-binary-behavior.txt/bin/touch is mode 6755 and creates root-owned files when executed by ctfHighUse SUID touch as the privilege primitive
2026-06-09T13:28:00Zroot-file oracleanalysis/touch-reference-root-probe.txttouch -r /root/flag.txt succeeds, proving a root-only flag file existsHighBuild a safe preload payload
2026-06-09T13:31:00Zexploitanalysis/preload-exploit-redacted.txtumask 000 plus SUID touch created writable /etc/ld.so.preload; preloaded shared object copied the flag to /tmp and marked Bash SUIDHighCapture flag with harness
2026-06-09T13:23:03Zhypothesis recordedhypothesis-board.mdInteractive TCP state-machine or command-word puzzle driven by the scenario words push/touch/satisfactionMediumCapture banner and test harmless newline/keyword probes.
2026-06-09T13:23:03Zresearch skipanalysis/research/research-skip.mdResearch intentionally skipped with recorded reasonMediumGate before exploit
2026-06-09T13:24:12Zcheckpoint recordedanalysis/checkpoint-analysis-20260609T132412426390Z-bcd68f7c.mdCheckpoint for ANALYSISHighUse checkpoint to drive next decision
2026-06-09T13:24:30ZRAG queryanalysis/rag/rag-query-20260609T132420528486Z-f5346cb6.txtRAG helper exited 0; output savedMediumRecord retrieval tag and validation
2026-06-09T13:24:57Zlocal memory searchanalysis/research/local-memory-search-20260609T132457366187Z-d6030060.mdFound 5 safe prior-note result(s)MediumRecord useful result or skip
2026-06-09T13:25:09ZRAG recordanalysis/rag-records.mdRetrieved memory tagged MISSINGMediumValidate or reject with live evidence
2026-06-09T13:25:22Zlocal memory recordanalysis/local-memory-records.mdPrior local notes reviewed as fallback/advisory contextMediumValidate against current evidence
2026-06-09T13:25:33Zevaluatoranalysis/evaluator-20260609T132533376566Z-75ffaf09.mdProceedHighEnumerate shell environment and identify the required touch/push condition.
2026-06-09T13:35:06Zsource auditanalysis/source-audit.mdSource audit recordedHighGate before exploit
2026-06-09T13:35:07Zflag captureloot/flag.txtHTB-format flag captured; raw value kept in loot onlyHighWrite solution and run completion gate
2026-06-09T13:35:19Zcompletion gatechallenge-state.jsonCompletion gate passed; state marked COMPLETEHighOptional sanitized memory summary approval

Key Findings

  • Remote service drops to a ctf Bash shell.
  • /bin/touch is SUID/SGID root (6755), and /home/ctf/touch links to it.
  • With umask 000, SUID touch can create a root-owned but world-writable /etc/ld.so.preload.
  • A Linux x86_64 shared object preloaded through that file runs as root when SUID touch is invoked.
  • The payload removes /etc/ld.so.preload, marks /bin/bash SUID-root, and copies /root/flag.txt to /tmp/touch_flag.txt.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

bash
scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

  • Platform: HackTheBox Challenges
  • Category: Misc
  • Challenge: Touch
  • Difficulty: Easy
  • Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1.

Reusable Lessons

-

Dead Ends

-

Tool Quirks

-

Evidence Paths

-

Ingestion Decision

  • Proposed for LightRAG: yes/no
  • Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

RankPathEvidenceMissing ProofCheapest ValidationConfidenceStatus
1Interactive TCP state-machine or command-word puzzle driven by the scenario words push/touch/satisfactionRemote-only Misc service is reachable on <TARGET>:30353 and scenario text emphasizes push/touch/satisfaction verbs.Capture banner and test harmless newline/keyword probes.MediumActive

Closed Branches

BranchEvidence TestedFailure OutputReason ClosedRevisit Condition

Memory Summary

approval_required: true

Sanitized Memory Summary

Metadata

  • Platform: HackTheBox Challenges
  • Category: Misc
  • Challenge: Touch
  • Difficulty: Easy
  • Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1.

Reusable Lessons

-

Dead Ends

-

Tool Quirks

-

Evidence Paths

-

Ingestion Decision

  • Proposed for LightRAG: yes/no
  • Requires user approval before ingestion: yes

Notes

Notes

Scope

  • Challenge: Touch
  • Category: Misc
  • Difficulty: Easy
  • Mode: remote
  • Remote instance: <TARGET>:30353
  • Start time: 2026-06-09T13:22:40Z
  • Operator: harness
  • State file: challenge-state.json

Harness Status

  • Current phase: see challenge-state.json
  • Next allowed actions: see next-action.json
  • Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

FileSizeSHA256TypeNotes
0remote-only or no provided filesNo local artifacts found under files/

Evidence Ledger

TimeActionOutput/FileFindingConfidenceNext
2026-06-09T13:22:40Zharness initchallenge-state.jsonWorkspace initialized with deterministic state fileHighInventory artifacts
2026-06-09T13:22:40Zartifact inventoryanalysis/artifact-inventory.json0 artifact(s) inventoriedHighBuild or update hypotheses
2026-06-09T13:23:00ZTCP probeanalysis/tcp-probes.txtService exposes an interactive ctf Bash shell, not a text-only promptHighEnumerate bounded shell metadata
2026-06-09T13:26:00ZSUID triageanalysis/touch-binary-behavior.txt/bin/touch is mode 6755 and creates root-owned files when executed by ctfHighUse SUID touch as the privilege primitive
2026-06-09T13: <REDACTED>, proving a root-only flag file existsHighBuild a safe preload payload
2026-06-09T13: <REDACTED>
2026-06-09T13:23:03Zhypothesis recordedhypothesis-board.mdInteractive TCP state-machine or command-word puzzle driven by the scenario words push/touch/satisfactionMediumCapture banner and test harmless newline/keyword probes.
2026-06-09T13:23:03Zresearch skipanalysis/research/research-skip.mdResearch intentionally skipped with recorded reasonMediumGate before exploit
2026-06-09T13:24:12Zcheckpoint recordedanalysis/checkpoint-analysis-20260609T132412426390Z-bcd68f7c.mdCheckpoint for ANALYSISHighUse checkpoint to drive next decision
2026-06-09T13:24:30ZRAG queryanalysis/rag/rag-query-20260609T132420528486Z-f5346cb6.txtRAG helper exited 0; output savedMediumRecord retrieval tag and validation
2026-06-09T13:24:57Zlocal memory searchanalysis/research/local-memory-search-20260609T132457366187Z-d6030060.mdFound 5 safe prior-note result(s)MediumRecord useful result or skip
2026-06-09T13:25:09ZRAG recordanalysis/rag-records.mdRetrieved memory tagged MISSINGMediumValidate or reject with live evidence
2026-06-09T13:25:22Zlocal memory recordanalysis/local-memory-records.mdPrior local notes reviewed as fallback/advisory contextMediumValidate against current evidence
2026-06-09T13:25:33Zevaluatoranalysis/evaluator-20260609T132533376566Z-75ffaf09.mdProceedHighEnumerate shell environment and identify the required touch/push condition.
2026-06-09T13:35:06Zsource auditanalysis/source-audit.mdSource audit recordedHighGate before exploit
2026-06-09T13: <REDACTED>
2026-06-09T13:35:19Zcompletion gatechallenge-state.jsonCompletion gate passed; state marked COMPLETEHighOptional sanitized memory summary approval

Key Findings

  • Remote service drops to a ctf Bash shell.
  • /bin/touch is SUID/SGID root (6755), and /home/ctf/touch links to it.
  • With umask 000, SUID touch can create a root-owned but world-writable /etc/ld.so.preload.
  • A Linux x86_64 shared object preloaded through that file runs as root when SUID touch is invoked.
  • The payload removes /etc/ld.so.preload, marks /bin/bash SUID-root, and copies /root/flag.txt to /tmp/touch_flag.txt.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

bash
scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Technical analogy

How to remember this solve

Think of the challenge like a timed puzzle booth. If the task is too fast or repetitive for a person, the intended move is usually to write a small helper that performs the simple action perfectly.

For Touch, keep the mental model simple: identify the trusted assumption, prove it with the smallest safe test, then automate or repeat only the part that directly leads to the flag.

Related insights

AI-MLAI SpaceAI-MLLike A GloveAI-MLLost In Hyperspace