eJPT - 3.1 CTF System or Host Based Attacks

Hmad

CTF 1

Question 1

User 'bob' might not have chosen a strong password. Try common passwords to gain access to the server where the flag is located.

First run an Nmap scan: port 80 is open and WebDAV is running on it. Since we need to brute-force bob's password, we can use Hydra to do so. We can then log in with cadaver to find the first flag.

Question 2

Valuable files are often on the C: drive. Explore it thoroughly.

We can use davtest to see which file types we can upload. Then we can upload the webshell.asp file to the server via cadaver and execute it on the server.

Question 3

By attempting to guess SMB user credentials, you may uncover important information that could lead you to the next flag.

We first run an Nmap scan, which shows SMB running on port 445. We can then use the Metasploit module smb_login to brute-force credentials, connect via smbclient, list the shares, and explore the C$ share.

Question 4

The Desktop directory might have what you're looking for. Enumerate its contents.

We can now navigate to the Administrator account's home directory and look in the Desktop folder.


CTF 2

Question 1

Check the root ('/') directory for a file that might hold the key to the first flag.

We can see that an Apache server is running on port 80 with a CGI script. We can use Nmap to check whether it is vulnerable to Shellshock, which in this case it is. We can now exploit it to gain access to the server, open a shell, and navigate to the root directory.
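From the defender's side, the same Shellshock probe leaves a clear trace in the web server's access log: an HTTP header whose value starts with a bash function definition (`() {`), aimed at a CGI path where request headers become environment variables. The script below is an added example, not part of the original post; it parses constructed Apache "combined" log lines (the sample lines and IPs are made up) and flags that pattern in the User-Agent and Referer fields.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in Apache "combined" log format (not from the original post).
SAMPLE_LOG = """\
10.10.1.7 - - [03/Mar/2024:09:14:02 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 318 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.10.1.9 - - [03/Mar/2024:09:14:05 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 44 "-" "() { :; }; id"
10.10.1.9 - - [03/Mar/2024:09:14:06 +0000] "GET /index.html HTTP/1.1" 200 1024 "() { ignored; }; echo hello" "curl/8.4.0"
10.10.1.12 - - [03/Mar/2024:09:15:11 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 404 0 "-" "(){:;}; whoami"
"""

# One combined-format line: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Bash treats an environment variable whose value begins with "() {" as an exported
# function; Shellshock abused unpatched bash continuing to parse past the closing brace.
# Whitespace inside the prefix is optional, so "(){" must match as well.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')


@dataclass(frozen=True)
class Finding:
    src_ip: str
    path: str
    field: str        # which header carried the function definition
    cgi_target: bool  # True when the request hit a CGI path, where headers reach bash


def parse_combined(line: str) -> Optional[dict]:
    """Return the named fields of one combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_shellshock(log_text: str, cgi_prefix: str = "/cgi-bin/") -> List[Finding]:
    """Flag every request whose User-Agent or Referer starts a bash function definition."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue  # skip malformed lines instead of silently mis-parsing them
        for field in ("ua", "referer"):
            if SHELLSHOCK_RE.search(rec[field]):
                findings.append(Finding(rec["ip"], rec["path"], field,
                                        rec["path"].startswith(cgi_prefix)))
    return findings
```

Findings with `cgi_target` set deserve the first look, since only requests that reach a CGI handler put the header value into an environment bash will read.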

Question 2

In the server's root directory, there might be something hidden. Explore '/opt/apache/htdocs/' carefully to find the next flag.

Now exit the shell and list all the contents of '/opt/apache/htdocs/' to find the second flag.

Question 3

Investigate the user's home directory and consider using 'libssh_auth_bypass' to uncover the flag.

In this case, after running Nmap, we can see that SSH is open on port 22 and that it is running libssh. We can search for the Metasploit module and use it to gain a shell.

Question 4

The most restricted areas often hold the most valuable secrets. Look into the '/root' directory to find the hidden flag.

When we try to move into the '/root' directory, permission is denied. In the folder where flag 3 was, there were two binaries. Running strings on the welcome binary shows that it executes the greetings binary. We can then remove the greetings binary and create a new file called greetings with cp /bin/bash greetings. Executing the welcome binary again now gives us root privileges. Navigate to the '/root' directory to find the flag.


That’s it for this section. Next one up is the network-based attacks section.

— Hmad
