Assessment Methodologies: Vulnerability Assessment CTF 1 (EJPT INE)
Hi everyone!
Let’s dive into our next CTF challenge: Vulnerability Assessment.
This CTF lab provides Nessus credentials, but personally, I don’t think Nessus is necessary for this challenge. However, for the sake of curiosity and further exploration, you may choose to run a Nessus scan on the target system to gain additional insights.
Q.1 Explore hidden directories for version control artifacts that might reveal valuable information.
Before addressing any questions, I recommend performing an nmap script scan and version scan to get a clear overview of the target system. Let’s begin with the nmap scan.
We’ll use the following command: nmap -sC -sV target.ine.local --script vuln --min-rate 1000
The --script vuln option runs basic vulnerability detection scripts to provide insights into potential weaknesses.
After reviewing the scan results and doing some further enumeration, we found that the http-enum output from the --script vuln run revealed a .git directory accessible on the web server.
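To turn a scan like this into something a defender can act on, it helps to parse the http-enum block of the nmap output and tag each exposed path with a risk level and a remediation hint. The following script is an added example written for this walkthrough; it is not part of the original post, the INE lab, or nmap itself. The nmap output it parses is a constructed sample (the paths mirror the findings discussed on this page, not a real scan), and the triage rules and labels are my own assumptions. It goes beyond the single .git finding and also covers the phpMyAdmin, phpinfo.php and passwords directory exposures that come up later in the walkthrough.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `nmap -sC -sV --script vuln` output for a web server.
# The paths are chosen to match the findings in the walkthrough; this is not a real scan.
SAMPLE_NMAP_OUTPUT = """\
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-enum: 
|   /.git/HEAD: Git folder
|   /phpmyadmin/: phpMyAdmin
|   /phpinfo.php: Possible information file
|   /passwords/: Potentially interesting folder
|_  /robots.txt: Robots file
| http-git: 
|   target.ine.local:80/.git/
|_    Git repository found!
"""

# Hypothetical triage rules (my assumption, not an nmap feature):
# regex over the discovered path -> (risk label, remediation hint for the server owner).
TRIAGE_RULES = [
    (re.compile(r"^/\.git(/|$)"), ("high", "deny web access to .git; it leaks source and history")),
    (re.compile(r"^/phpmyadmin/?$", re.I), ("high", "restrict phpMyAdmin to admin networks and strong auth")),
    (re.compile(r"/phpinfo\.php$", re.I), ("medium", "remove phpinfo.php from production hosts")),
    (re.compile(r"^/passwords?/", re.I), ("high", "move credential files out of the web root")),
]

# One http-enum result line: "|   /path: description" or "|_  /path: description" (last line).
ENUM_LINE = re.compile(r"^\|[_ ]\s+(/\S*): (.+)$")


@dataclass
class Finding:
    path: str
    description: str
    risk: str
    remediation: str


def parse_http_enum(output: str) -> list[tuple[str, str]]:
    """Extract (path, description) pairs from the http-enum block of nmap output."""
    pairs: list[tuple[str, str]] = []
    in_block = False
    for line in output.splitlines():
        if line.startswith("| http-enum:"):
            in_block = True
            continue
        if not in_block:
            continue
        m = ENUM_LINE.match(line)
        if not m:
            in_block = False  # a line that is not a result means the block ended
            continue
        pairs.append((m.group(1), m.group(2).strip()))
        if line.startswith("|_"):
            in_block = False  # "|_" marks the final line of a script block
    return pairs


def triage(pairs: list[tuple[str, str]]) -> list[Finding]:
    """Attach a risk label and remediation hint to each discovered path."""
    findings = []
    for path, description in pairs:
        for pattern, (risk, remediation) in TRIAGE_RULES:
            if pattern.search(path):
                findings.append(Finding(path, description, risk, remediation))
                break
        else:
            findings.append(Finding(path, description, "info", "review manually"))
    return findings


def audit(output: str) -> list[Finding]:
    """Parse and triage raw nmap output in one step."""
    return triage(parse_http_enum(output))


if __name__ == "__main__":
    for f in audit(SAMPLE_NMAP_OUTPUT):
        print(f"[{f.risk:6}] {f.path:16} {f.description} -> {f.remediation}")
```

Run it as-is to see the constructed sample triaged; to use it on a real scan, pipe the text output of your own nmap run into audit(). The parser keys only on the "| http-enum:" header and the "|_" terminator, so it ignores the other script blocks (such as http-git) that share the same output.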
Navigate to the .git directory.
Inside the flag.txt file, we found our first flag, which is:
Flag 1: 4b23c461f2f84bde8ad05679a29f3cb7
Q.2 The data storage has some loose security measures. Can you find the flag hidden within it?
As the question hints at ‘data storage’, it suggests that our second flag is hidden within the database. From the nmap results, we observed that phpmyadmin is publicly accessible, so we can use it to retrieve the flag.
Navigate to the phpmyadmin directory using a browser.
On the left-hand side, you’ll see the list of databases. We’ll need to manually search through them to locate the second flag. After exploring, you’ll find the flag in the mysql database. Click on ‘mysql’ in the left-hand panel and after clicking, it should look like this:
Within the mysql database, look for the secret_info table. Click on it to view its contents and retrieve the flag.
So our second flag is:
Flag 2: d60c78c764f74c09b038f6576e7226f5
Q.3 A PHP file that displays server information might be worth examining. What could be hidden in plain sight?
During the nmap scan, the http-enum script revealed that the server contains a phpinfo.php file.
Navigate to that file in your browser to retrieve the third flag.
Flag 3: fd1f16c3ba634f98a7ce43ca5ee0d3b2
Q.4 Sensitive directories might hold critical information. Search through carefully for hidden gems.
The question hints that sensitive directories might contain critical information, and the http-enum script from the nmap scan indicates that a passwords directory exists on the server.
Navigate to that directory, and within the flag.txt file you'll find the last flag, which is:
Flag 4: 69270012d44840298c167bb0efa9dcd9
Thank you for following along!
Grateful for your time — see you in the next CTF adventure! Hack on!