Exploit for root-ctf-2026 CVE-2021-22911

Name: Exploit for root-ctf-2026 CVE-2021-22911
Rating: 5 (3 reviews)
2026-06-05 | CVSS 9.8
## https://sploitus.com/exploit?id=0C5B2896-9AE8-5699-A71E-66E4257B02BF
# Root- CTF 2026

- **Date**: 2026/06/05 
- **Location**: NTUST (National Taiwan University of Science and Technology) 
- **Organizer**: OffSec (OSCP+ Launch in Taiwan) 
- **Result**: 4/4 – All Completed (Score: 85 points)

## Event Overview

Root- is a 4-stage CTF competition held to celebrate the launch of OSCOP+ in Taiwan. It covers topics such as AI vulnerability exploitation, supply chain attacks, multi-stage penetration chains, memory attacks, and privilege escalation.

## Problem Summary

| # | Problem Name | Folder | Points | Status |
|---|-------------|-------|-------|
| 1 | Chatty — The Silicon Mind | `Mission1_Chatty_AI-NoSQL/` | 20 | Completed |
| 2 | SupplyChain — Poisoned Pipeline | `Mission2_SupplyChain_Poisoned-Pipeline/` | 20 | Completed |
| 3 | Production — The Chained Path | `Mission3_Production_Chained-Path/` | 20 | Completed |
| 4 | Osaka — The Core Protocol | `Mission4_Osaka_Memory-Privileges/` | 25 | Completed |

## Mission 1: The Silicon Mind (AI & NoSQL) – 20 points

Identify and exploit the CVE-2021-22911 vulnerability in the exposed LLM interface. Identify additional SQL injection points, demonstrating that even AI interfaces can be vulnerable to classical injection attacks. **Key Techniques**: LLM enumeration, SQL injection, CVE-2021-22911

## Mission 2: Poisoned Pipeline (Supply Chain Attack) – 20 points

Penetrate into an enterprise’s internal Python package repository. Exploit the lack of authentication mechanisms and Dependency Confusion to gain control over automatic update processes, ultimately gaining root privileges through incorrect settings of the `sudo pip` command. **Key Techniques**: DevPI, Dependency Confusion, pip privilege escalation via `sudo`

## Mission 3: The Chained Path (SSRF to Root) – 20 points

Execute a multi-stage attack chain: starting with SSRF credential exposure, progressing to internal network services via File Inclusion, cracking bcrypt hashing, using Git post-merge hooks for lateral movement, and finally gaining root privileges through `sudo git` command injection. **Key Techniques**: SSRF, LFI, bcrypt cracking, Git hooks, `sudo git abuse`

## Mission 4: The Core Protocol (Memory & Privilege) – 25 points

Return to basic vulnerability exploitation techniques. Gain initial access through FTP enumeration and Buffer Overflow attacks. Utilize Windows-specific tokens like `SeDebug` and `SeLoadDriver` to gain full administrator control. **Key Techniques**: FTP enumeration, Buffer Overflow, `SeDebug` tokens, `SeLoadDriver` privilege escalation