Local IP: 172.25.200.200
Port: 23
The Flag is in /root/flag.txt
Walkthrough:
CVE-2026-24061 is a critical authentication bypass vulnerability in the GNU telnetd service that allows remote attackers to gain root access without credentials by manipulating the USER and PATH environment variables.. This flaw enables the injection of arguments (specifically the -f flag) into the /usr/bin/login process, allowing a complete bypass of authentication.
Start the vulnerable Docker container:
- You can start a vulnerable server on your own for testing, like this:
- Docker does need to be installed. On Kali:
apt install docker.io
docker run -d -p 23:23 --name flag-red62 --restart always joshbeck2024/ctf-cve-2026-24061-telnetd
PoC Code: (We will break it down in this lesson.)
- The script below, with a few modifications, will execute a reverse shell if the telnet server is vulnerable.
- In this lesson, we’ll look at how it works and where the vulnerability exists in the
telnetd server.
<https://github.com/androidteacher/CVE-2026-24061-PoC-Telnetd>
This article is excellent and does a very good job of explaining the mechanics of this CVE: (Click Here)
<https://www.safebreach.com/blog/safebreach-labs-root-cause-analysis-and-poc-exploit-for-cve-2026-24061/>
First things first:
-
If you are running telnet in a production environment, you deserve what you have coming to you! It’s an insecure protocol of last resort, in my opinion. You should probably use ssh instead. (Change my mind!)
-
Let’s say you throw caution to the wind and run telnetd anyway. Here’s a breakdown of the telnet protocol and how it is exploited:
- Upon connection, the client and server "negotiate" options (like terminal type, window size, or authentication methods) to configure the session.
Code snippet from exploit.py
- Codes like
oxff (/xff) (255) are defined in the telnet RFC documentation, which we will look at shortly.
Environment Variable Passing: Part of this negotiation allows the client to send environment variables to the server to customize the session (e.g., passing the local username USER to avoid re-typing it).