Host & Network Penetration Testing: The Metasploit Framework CTF 2 (EJPT INE)
Hello everyone,
Welcome to the final CTF challenge using the Metasploit module. The Metasploit Framework is a powerful tool used for penetration testing and security assessments.
Let’s get started ^_^
The first two flags are based on target1.ine.local, and the last two questions are based on target2.ine.local.
Q.1 Enumerate the open port using Metasploit, and inspect the RSYNC banner closely; it might reveal something interesting.
For this task, we don’t need to use Metasploit for port scanning. Instead, we can manually perform the scan using the following command in the terminal: nmap -sC -sV target1.ine.local
Only one port is open, and the service behind it is rsync. Let’s connect to it by running the following command in the terminal: rsync rsync://target1.ine.local
This command will attempt to list the available RSYNC modules on the server target1.ine.local. It will display all the directories or shares that are accessible via RSYNC.
And here, we have obtained our first flag, which is:
FLAG 1: 867136e537c447919d8dec554100c570
Q.2 The files on the RSYNC server hold valuable information. Explore the contents to find the flag.
In the previous command, rsync rsync://target1.ine.local, we discovered that there is a module named backupwscohen.
Let’s check the contents of that module by running the following command: rsync rsync://target1.ine.local/backupwscohen/
We can download these files to our local system using the following command: rsync -av rsync://target1.ine.local/backupwscohen/ .
This command downloads all files from the backupwscohen module on the remote server target1.ine.local to the current local directory (.), using archive mode (-a) to preserve file properties and verbose mode (-v) for detailed output.
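The module we just listed and pulled was reachable without any credentials. The following script is an added example, not part of the original walkthrough or the lab: it reads an rsyncd.conf and flags each module that has no auth users, no hosts allow, or read only = no, and it compares a constructed weak configuration (shaped like the exposed backupwscohen share) against a hardened one. Both config files are constructed samples; the network 10.10.0.0/24 and the account name backup are placeholders.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): audit an rsyncd.conf for modules that
# are exposed the way the lab's backupwscohen share was (anonymous, unrestricted, writable).

# audit_rsyncd_conf FILE: print one finding per weak setting, per module.
audit_rsyncd_conf() {
    awk '
    function report() {
        if (mod == "") return
        if (!auth)    printf "%s: no auth users, module is readable anonymously\n", mod
        if (!hosts)   printf "%s: no hosts allow, any client may connect\n", mod
        if (writable) printf "%s: read only = no, clients can upload files\n", mod
    }
    # a [module] header closes the previous module and resets the per-module flags
    /^[ \t]*\[/ {
        report()
        i = index($0, "["); j = index($0, "]")
        mod = substr($0, i + 1, j - i - 1)
        auth = hosts = writable = 0
        next
    }
    /^[ \t]*auth users[ \t]*=/                  { auth = 1 }
    /^[ \t]*hosts allow[ \t]*=/                 { hosts = 1 }
    /^[ \t]*read only[ \t]*=[ \t]*(no|false|0)/ { writable = 1 }
    END { report() }
    ' "$1"
}

# count_findings FILE: number of findings, convenient for a pass/fail check in scripts.
count_findings() { audit_rsyncd_conf "$1" | awk 'END { print NR }'; }

WEAK_CONF=$(mktemp)
HARDENED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT

# Constructed weak config: listable, anonymous, reachable from anywhere and writable.
cat > "$WEAK_CONF" <<'EOF'
uid = nobody
gid = nogroup
[backupwscohen]
    path = /srv/backup
    comment = weekly backup of the workstation
    list = yes
    read only = no
EOF

# Constructed hardened config: named account from a secrets file, one source network, read-only.
cat > "$HARDENED_CONF" <<'EOF'
uid = nobody
gid = nogroup
[backupwscohen]
    path = /srv/backup
    list = no
    auth users = backup
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.10.0.0/24
    read only = yes
EOF

echo "weak config:";     audit_rsyncd_conf "$WEAK_CONF"
echo "hardened config:"; audit_rsyncd_conf "$HARDENED_CONF"
```

Run it against a real /etc/rsyncd.conf by calling audit_rsyncd_conf with that path; an empty result means every module names its users and allowed hosts and is not writable. Note that list = no only hides a module from the listing shown earlier, it does not stop anyone who knows the name from pulling it, which is why the check looks at auth users and hosts allow rather than list.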
Now that the files have been transferred, we can locate the flag by reading the files using the cat command.
And here, we have found our second flag, which is located in the pii_data.xlsx file:
FLAG 2: 04e5727f26774915904526755f731d86
Q.3 Try exploiting the webapp to gain a shell using Metasploit on target2.ine.local.
This question is based on a different host, which is target2.ine.local.
As usual, we start with an Nmap scan, so let’s begin by running that.
As we can see in the Nmap result under the HTTP title, Roxy-WI is running on the web server. Let's check if there is an exploit available for it in Metasploit. We can search for it using the following command: search Roxy-WI.
Here, we have found an exploit. Let’s select this module by typing use 0, and then type options to see the required parameters we need to exploit this.
We only need to set LHOST and RHOSTS.
LHOST is your local IP, which you can obtain by running ifconfig. RHOSTS is our target system.
After setting these, type exploit to run the exploit.
We have successfully gained a Meterpreter session. Before searching for the flag, let’s switch to a shell by using the shell command. To make it more interactive, type: /bin/bash -i
We are currently in the /app directory. Let’s navigate to the root directory by using the following command: cd /.
After that, type the ls command to list the contents.
And here, we have found our third flag. We can read it using the cat command.
FLAG 3: 2b5cce2e9c1c43bb8ded07f01ca5e9fb
Q.4 Automated tasks can sometimes leave clues. Investigate scheduled jobs or running processes to uncover the hidden flag.
This is the last flag, and as the question hints at automated tasks, it points to cron jobs.
The default cron jobs are located in the /etc directory. Let’s navigate to that directory using the command: cd etc.
Then, use the ls command to list the contents.
There are two directories for cron jobs. We need to manually search for the flag. Our flag is located in the cron.d directory. Let’s navigate to it using the cd command, and then use ls to list its contents.
In the cron.d directory, we find a file named www-data-cron. Let’s read that file using the cat command.
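A cron drop-in like the one we just read is worth auditing for more than a flag: job definitions regularly carry credentials on the command line, are sometimes left world-writable, or fetch and execute remote content. The following script is an added example, not part of the original walkthrough or the lab. It reviews every file in a directory such as /etc/cron.d and reports those three issues; the sample directory it builds is constructed, the token value is an obvious placeholder, and the URL uses the reserved .invalid domain.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): review a cron drop-in directory for
# jobs that leak secrets, can be edited by anyone, or pipe downloaded content into a shell.

# audit_cron_dir DIR: print one finding per issue found in each file under DIR.
audit_cron_dir() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # a world-writable job file lets any local user schedule commands as the job's user
        if [ -n "$(find "$f" -perm -0002 2>/dev/null)" ]; then
            printf '%s: world-writable\n' "$f"
        fi
        # credentials on the command line are readable by everyone who can read the file
        grep -niE 'password|passwd|secret|token|api[_-]?key' "$f" | while IFS= read -r hit; do
            printf '%s: sensitive-looking line %s\n' "$f" "$hit"
        done
        # download-and-execute jobs run whatever the remote side serves at that moment
        grep -nE '(curl|wget)[^|]*\|[ \t]*(sh|bash)' "$f" | while IFS= read -r hit; do
            printf '%s: pipes remote content into a shell: %s\n' "$f" "$hit"
        done
    done
}

# count_cron_findings DIR: number of findings, convenient for a pass/fail check in scripts.
count_cron_findings() { audit_cron_dir "$1" | awk 'END { print NR }'; }

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# constructed benign job: runs from a mode-644 file with nothing sensitive on the command line
cat > "$SAMPLE_DIR/logrotate" <<'EOF'
0 2 * * * root /usr/sbin/logrotate /etc/logrotate.conf
EOF

# constructed job shaped like the lab's www-data-cron: a value on the command line that
# should not be there (placeholder), in a file anyone can edit
cat > "$SAMPLE_DIR/www-data-cron" <<'EOF'
*/5 * * * * www-data /usr/local/bin/sync.sh --token=EXAMPLE_TOKEN_PLACEHOLDER
EOF
chmod 666 "$SAMPLE_DIR/www-data-cron"

# constructed updater that trusts whatever a remote host serves
cat > "$SAMPLE_DIR/updater" <<'EOF'
30 4 * * * root curl -s http://updates.example.invalid/run.sh | sh
EOF

audit_cron_dir "$SAMPLE_DIR"
```

On a real host, call audit_cron_dir /etc/cron.d (and the cron.hourly, cron.daily and similar directories) with root privileges so every file is readable; each reported line names the file and the line number, so the finding can be traced back to the job that produced it.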
And here, we have found our last flag, which is:
FLAG 4: b5acc00743364f82800de0c8d2538dca
Thank you, everyone, for reading! I hope this article has been helpful in guiding you through the steps.
Happy Hacking!