Context

In this room, we connect to a remote AI-like command system using netcat:

nc 10.10.164.9 1337

The service behaves like a chatbot that translates natural language instructions into Linux commands, then asks for confirmation before execution.

The goal is to retrieve the flag.

Starting hypothesis

Since this is a remote command interface, I assumed:

• The flag would likely be stored in a sensitive directory (e.g. /root).
• There might be restrictions on certain commands.
• The “AI” layer could be filtering or modifying user input.

Method / Used Tools

Exploration / Enumeration

I began the enumeration phase by attempting to explore common directories manually. My first instinct was to check standard paths such as /home, /desktop, and other typical locations where user files might be stored. However, these attempts did not reveal anything useful.

Next, I tried to directly access the flag using a standard shell command:

cat /root/flag.txt

Unexpectedly, the AI system did not execute the command properly and instead generated irrelevant or altered instructions.

I then attempted to change directory into /root using:

cd /root

The system responded with: