eJPT - 3.5 CTF Post-Exploitation

CTF 1
Question 1
The file that stores user account details is worth a closer look. (target1.ine.local)
After running an Nmap scan on the target, we can see that port 22 is open and running libssh, for which there is a Metasploit module available to exploit it. When using it, make sure you set the normal options and also set the SPAWN_PTY option to true.
To get the flag, we need to enumerate account details, which we can do via cat /etc/passwd.
Question 2
User groups might reveal more than you expect.
To enumerate the groups, we can run cat /etc/group.
Question 3
Scheduled tasks often have telling names. Investigate the Cron jobs to uncover the secret.
To look at the Cron jobs, we can run ls -al /etc/cron* or navigate to the /etc/cron.d directory and view its contents.
Question 4
DNS configurations might point you in the right direction. Also, explore the home directories for stored credentials.
To view the DNS configuration, run cat /etc/resolv.conf, but nothing valuable is there. However, it does point to the /etc/hosts file, which we view via cat /etc/hosts.
Question 5
Use the discovered credentials to gain higher privileges and explore the root's home directory on target2.ine.local.
First, navigate to the /home/user directory and list its contents to find credentials.txt. Then perform an Nmap scan on target 2. We can see that port 22 is open and SSH is running. We can log in using the credentials with the command:
ssh john@target2.ine.local
Now that we are in, we need to enumerate our privileges; we don't have root access. We can check for weak file permissions using the following command:
find / -not -type l -perm -o+w
We can see that we have write access to the /etc/shadow file. We can change the root user's password to gain access as root. We can generate the required hashed password using the following command:
openssl passwd -1 -salt abc password123
Feel free to change 'password123' to whatever you wish. Now copy the generated string and replace the asterisk in root's entry in the /etc/shadow file. You can do so by opening the /etc/shadow file using Nano (a text editor similar to vim). It should look like this:
Then type su and you should have root access. Now navigate to the root directory and list out the contents to get the last flag!
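The three weaknesses exploited in this CTF (a shadow file that others can write to, an MD5-crypt hash of the kind openssl passwd -1 emits, and account details readable from /etc/passwd) are exactly what a hardening audit should catch. The script below is an added example written for this write-up, not part of the lab or the original post; the passwd and shadow content it checks is constructed sample data with placeholder hash bodies, and the account names in it are invented.

```python
"""Audit /etc/passwd and /etc/shadow content for the weaknesses walked
through in CTF 1: extra UID-0 accounts, empty or weak (MD5-crypt / DES)
password hashes, and a shadow file writable by 'others'.
Added example code, not from the original write-up or lab."""
import os
import stat

# Constructed sample data (not from any real host). 'svc-backup' is an
# invented second UID-0 account so the check has something to find.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
john:x:1000:1000:John:/home/john:/bin/bash
svc-backup:x:0:0:backup service:/var/backups:/bin/sh
"""

# '$1$' marks MD5-crypt (what `openssl passwd -1` produces); hash bodies
# here are placeholders, not real hashes.
SHADOW_SAMPLE = """\
root:$1$abc$PLACEHOLDERMD5HASHVALUE:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
john:$6$saltsalt$PLACEHOLDERSHA512HASHVALUE:19700:0:99999:7:::
svc-backup::19700:0:99999:7:::
"""


def uid0_accounts(passwd_text):
    """Return usernames whose UID field is 0; anything besides root is suspicious."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            names.append(fields[0])
    return names


def classify_hash(field):
    """Map a shadow password field to the hashing scheme it uses."""
    if field == "":
        return "empty"            # no password at all: login without one
    if field == "*" or field.startswith("!"):
        return "locked"
    if field.startswith("$1$"):
        return "md5crypt"         # weak: fast to brute-force offline
    if field.startswith("$5$"):
        return "sha256crypt"
    if field.startswith("$6$"):
        return "sha512crypt"
    if field.startswith("$y$"):
        return "yescrypt"
    if "$" not in field and len(field) == 13:
        return "descrypt"         # legacy DES, 8-char password limit
    return "other"


def weak_shadow_entries(shadow_text):
    """Return (user, reason) pairs for accounts with no password or a weak hash."""
    findings = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        kind = classify_hash(fields[1])
        if kind in ("empty", "md5crypt", "descrypt"):
            findings.append((fields[0], kind))
    return findings


def is_world_writable(st_mode):
    """True when the 'others' write bit is set, i.e. what `find -perm -o+w` reports."""
    return bool(st_mode & stat.S_IWOTH)


if __name__ == "__main__":
    print("UID-0 accounts:", uid0_accounts(PASSWD_SAMPLE))
    print("Weak shadow entries:", weak_shadow_entries(SHADOW_SAMPLE))
    # Against the live system (read-only), if run on a Linux host.
    if os.path.exists("/etc/shadow"):
        mode = os.stat("/etc/shadow").st_mode
        print("/etc/shadow world-writable:", is_world_writable(mode))
```

Run on a real host, the same functions can be fed the contents of the live files; a correct system returns only root from uid0_accounts, no entries from weak_shadow_entries, and False for the shadow file's mode (it should be 0640 root:shadow or stricter).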
CTF 2
Question 1
An insecure ssh user named alice lurks in the system.
Let's perform an Nmap scan on the target; we can see that SSH is running. As hinted, there is a user called alice with a weak password. Let's brute-force it using Hydra to get the credentials:
hydra -l alice -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt ssh://target.ine.local
Now that we have the password for the alice account, we can log in via SSH or load the ssh_login Metasploit module to log in and upgrade our session to a meterpreter session. Then
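A Hydra run like the one above leaves a very recognisable trail in the target's auth log: a burst of "Failed password" lines from one source, often ending in an "Accepted password" for the account that was cracked. The detector below is an added example for this write-up, not code from the lab or the original post; the log lines it processes are constructed sample data (hostname, IPs and PIDs are invented), and the threshold and window values are arbitrary assumptions.

```python
"""Flag SSH password brute-forcing from sshd auth-log lines: many failures
from one source inside a short window, and whether a successful login from
that source followed (a likely compromised credential).
Added example code, not from the original write-up or lab."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (syslog format); hostname, IPs and PIDs are invented.
AUTH_LOG_SAMPLE = """\
Mar 10 12:00:01 target sshd[2101]: Failed password for alice from 10.10.1.7 port 51234 ssh2
Mar 10 12:00:02 target sshd[2102]: Failed password for alice from 10.10.1.7 port 51236 ssh2
Mar 10 12:00:02 target sshd[2103]: Failed password for invalid user admin from 10.10.1.7 port 51238 ssh2
Mar 10 12:00:03 target sshd[2104]: Failed password for alice from 10.10.1.7 port 51240 ssh2
Mar 10 12:00:03 target sshd[2105]: Failed password for alice from 10.10.1.7 port 51242 ssh2
Mar 10 12:00:04 target sshd[2106]: Failed password for alice from 10.10.1.7 port 51244 ssh2
Mar 10 12:00:05 target sshd[2107]: Accepted password for alice from 10.10.1.7 port 51246 ssh2
Mar 10 12:30:00 target sshd[2201]: Failed password for john from 10.10.1.20 port 40000 ssh2
Mar 10 12:31:00 target sshd[2202]: Accepted publickey for john from 10.10.1.20 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_auth_line(line, year=2024):
    """Parse one sshd line into a dict, or return None for unrelated lines.
    Syslog timestamps carry no year, so one is assumed (parameter)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return one record per source IP whose failed logins within a sliding
    window reach `threshold`, noting whether a later success followed."""
    events = [e for e in map(parse_auth_line, log_text.splitlines()) if e]
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    alerted = {}
    for e in events:
        q = recent[e["ip"]]
        if e["result"] == "Failed":
            q.append(e["ts"])
            # Drop failures that fell out of the window.
            while q and (e["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                rec = alerted.setdefault(
                    e["ip"], {"ip": e["ip"], "failures": 0, "success_after": False})
                rec["failures"] = max(rec["failures"], len(q))
        elif e["result"] == "Accepted" and e["ip"] in alerted:
            # Success from a source already flagged: treat the account as compromised.
            alerted[e["ip"]]["success_after"] = True
    return list(alerted.values())


if __name__ == "__main__":
    for rec in detect_bruteforce(AUTH_LOG_SAMPLE):
        print(rec)
```

The john entries show the detector staying quiet on an ordinary mistyped password followed by a key-based login; only the burst from 10.10.1.7 is reported, with success_after set because the brute force was followed by an accepted password. On a real host the usual mitigations for what this flags are key-only authentication and a lockout or rate-limiting tool in front of sshd.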
Question 2
Using the hashdump file discovered in the previous challenge, can you crack the hashes and compromise a user?
From the previous question, next to the flag, we found a hashdump.txt file. Copy its contents or download it, then crack the credentials using John the Ripper.
john --format=NT hashdump.txt
We have now found credentials for another user called David. Let's log in via SSH using those credentials to find the flag.
Question 3
Can you escalate privileges and read the flag in the C:\Windows\System32\config directory?
To escalate our privileges, we can try running the getsystem command within meterpreter to get SYSTEM privileges. Now we can navigate to the directory mentioned in the question to get the flag.
Question 4
Looks like the flag present in the Administrator's home denies direct access.
Let's navigate to the Administrator's directory. When we try to navigate into the flag directory, we are denied. To check who can access this directory, we can run the command icacls flag. Note that you have to have a normal shell on the system for this to work.
In this case, we can see that NT AUTHORITY\SYSTEM is set to DENY access. We can change this by running the following command:
icacls flag /remove:d "NT AUTHORITY\SYSTEM"
We can now navigate to the flag directory to get the last flag.
That’s it for this section. Next one up is the introduction to the web and HTTP protocol section.
— Hmad
Written by

Hmad
I'm a cybersecurity enthusiast with a growing focus on offensive security. Currently studying for the eJPT & ICCA, building hands-on projects like Infiltr8, and sharing everything I learn through blog posts and labs.