Assessment Methodologies: Footprinting and Scanning CTF 1 (EJPT INE)
Hi all!
Let’s move on to our next CTF: Footprinting and Scanning.
Q.1 The server proudly announces its identity in every response. Look closely; you might find something unusual.
To gather details about the server, we can use Nmap. Run the following command in the terminal: “nmap target.ine.local -sC -sV”
Alternatively, you can find this information through the browser’s Network tab.
So our flag 1 is as follows:
FLAG 1: 13d8bc4422034cee9b3e69ef45de5218

Q.2 The gatekeeper’s instructions often reveal what should remain unseen. Don’t forget to read between the lines.
After performing the Nmap scan, we can see from the results that there are three disallowed entries in the robots.txt file.
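Disallow entries like these are published to every visitor, so robots.txt hides nothing by itself. The following is an added example, not part of the original walkthrough: a Python script a site owner could run over their own robots.txt to list the Disallow paths that no access control covers. The sample file, the PROTECTED list and every path except /secret-info/ are constructed assumptions.

```python
# Added example: owner-side review of robots.txt (sample data is constructed).

def disallow_entries(robots_txt):
    """Return (user_agent, path) pairs for every non-empty Disallow rule."""
    entries, agents, in_rules = [], [], False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and padding
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()                      # directive names are case-insensitive
        if field == "user-agent":
            if in_rules:                           # rules were seen: a new group starts
                agents, in_rules = [], False
            agents.append(value)
        elif field == "disallow":
            in_rules = True
            if value:                              # an empty Disallow blocks nothing
                # A rule outside any group is still advertised, so report it too.
                entries.extend((a, value) for a in agents or ["(no group)"])
        elif field == "allow":
            in_rules = True
    return entries


def advertised_but_open(robots_txt, protected_prefixes):
    """Paths named in Disallow rules that no access control covers."""
    paths = sorted({path for _, path in disallow_entries(robots_txt)})
    return [p for p in paths
            if not any(p.startswith(prefix) for prefix in protected_prefixes)]


# Constructed sample; only /secret-info/ comes from the walkthrough.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /secret-info/   # the path seen in the walkthrough
disallow: /example-admin/
Disallow:

User-agent: examplebot
Disallow: /example-private/
"""

# Hypothetical list of prefixes the owner knows require authentication.
PROTECTED = ["/example-admin/"]

if __name__ == "__main__":
    for path in advertised_but_open(SAMPLE_ROBOTS, PROTECTED):
        print("listed in robots.txt but not access-controlled:", path)
```

Every path the script reports should either be placed behind authentication or removed from the web root.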
Let’s use curl to navigate to /secret-info/, and here we find flag.txt.
Next, let’s request that file with curl as well:
And here we have our second flag, which is:
FLAG 2: 06d212e740e44b29a2710daaf0c129b7

Q.3 Anonymous access sometimes leads to forgotten treasures. Connect and explore the directory; you might stumble upon something valuable.
During the Nmap scan, we discovered that the FTP server allows anonymous login.
Let’s connect to the FTP server using the following command: “ftp target.ine.local”. When prompted, enter anonymous as both the username and password for login.
After successfully logging in, we’ll see two files. We can transfer these files to our system using the get command. Once the files are transferred, exit the FTP server.
Finally, let’s read the contents of these two files using the cat command.
Here, we find our third flag in the flag.txt file, which is:
FLAG 3: 279dbf98bb8e493faa5c0a796d404756

Q.4 A well-named database can be quite revealing. Peek at the configurations to discover the hidden treasure.
Of the two files we transferred to our system, the second one, creds.txt, contains the username and password. From the Nmap scan results, we can see that a MySQL server is listening on port 3306. Let’s connect to the MySQL server using the provided credentials.
Run the following command:
mysql -u db_admin -p -h target.ine.local
Enter the password when prompted. Then, use the command:
show databases;
This will list all the databases.
And here we find our last flag, which is:
FLAG 4: f4b92d55f21042e4a065a19a74f92288

Thank you for reading!
HAPPY HACKING!