Host & Network Penetration Testing: Post-Exploitation CTF 1 (EJPT INE)
Hi all,
We have now reached the Post-Exploitation CTF. Post-exploitation is the stage that follows initial access, where an attacker gathers intelligence, maintains access, escalates privileges, and moves laterally within the compromised system. The goal is to maximize control, extract valuable data, and establish persistence while remaining undetected.
To be honest, this has been the easiest lab I’ve done so far. Let’s get started.
Q.1 The file that stores user account details is worth a closer look. (target1.ine.local)
As usual, we will begin our enumeration with an Nmap scan to identify open ports and running services using the command: nmap -sC -sV target1.ine.local
The scan reveals that port 22 is open, and the libssh service is running. To find an exploit for libssh in Metasploit, we use the command: search libssh
To use this module, type use 0, then enter options to list the required parameters for the exploit.
We only need to set RHOSTS and enable SPAWN_PTY by setting it to true. Run the module by typing exploit.
As you can see, session 1 is opened. To interact with it, type sessions -i 1.
Now, moving on to flag 1. As the question suggests, we need to enumerate the file that stores user account details. In Linux, user account information is stored in the /etc/passwd file. Let's read its contents.
And here we have our first flag, which is:
FLAG 1: 2770d64502224c578098df34ab9c66fb
Q.2 User groups might reveal more than you expect.
To find this flag, enumerate the users by checking the /etc/group file using the command: cat /etc/group
Here, we have obtained our second flag.
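Reading /etc/passwd and /etc/group by hand works for two flags, but the same two files are what an administrator or responder audits after a suspected compromise. The script below is an added example, not part of the original walkthrough: it writes a constructed passwd and group sample into a temporary directory (the accounts, group memberships and function names are made up for illustration) and reports which accounts can log in interactively, whether any account besides root has UID 0, and who belongs to privileged groups. Pass /etc instead of the sample directory to run the same checks on a real host.

```shell
#!/bin/bash
# Constructed sample files standing in for /etc/passwd and /etc/group.
# Call the functions with "/etc" to audit a real system instead.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
john:x:1000:1000:john:/home/john:/bin/bash
backup:x:0:34:backup:/var/backups:/bin/sh
svc:x:1001:1001::/opt/svc:/usr/sbin/nologin
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
sudo:x:27:john
shadow:x:42:svc
john:x:1000:
EOF

# Accounts whose login shell is neither nologin nor false: these can get
# an interactive session if their password (or key) is known.
interactive_accounts() {
  awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1/passwd"
}

# Accounts with UID 0 other than root. A second superuser account is a
# classic persistence trick and should never appear on a hardened host.
extra_uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1/passwd"
}

# Members of groups that grant elevated rights, printed as "user:group".
# Membership of shadow, for example, allows reading every password hash.
privileged_group_members() {
  awk -F: '$1 ~ /^(root|sudo|wheel|adm|shadow|docker|disk)$/ && $4 != "" {
    n = split($4, members, ",")
    for (i = 1; i <= n; i++) print members[i] ":" $1
  }' "$1/group"
}

echo "Interactive accounts:"; interactive_accounts "$SAMPLE_DIR"
echo "Extra UID 0 accounts:"; extra_uid0_accounts "$SAMPLE_DIR"
echo "Privileged group members:"; privileged_group_members "$SAMPLE_DIR"
```

On the constructed sample the checks single out backup (UID 0 with an interactive shell) and svc (a member of shadow despite having no login shell), which is exactly the kind of oddity the question's hint about groups is pointing at.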
Q.3 Scheduled tasks often have telling names. Investigate the cron jobs to uncover the secret.
To find this flag, we need to enumerate the cron jobs, which are located in the /etc directory. After enumeration, the third flag is found in the /etc/cron.d directory.
Type ls to list the contents.
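Listing /etc/cron.d shows the job names, but the interesting part of a cron entry is who it runs as and what it executes. The following script is an added example that is not from the original walkthrough: it builds a constructed /etc-style tree in a temporary directory (the job definitions, script paths and function names are made up for illustration), parses the system crontab format into user, schedule and command, and then flags any job that runs as root from a script that other users can modify, using the same find -perm -o+w test the walkthrough relies on later. Pass /etc as the argument to run it against a real host.

```shell
#!/bin/bash
# Constructed sample tree standing in for /etc. Pass "/etc" to audit a real host.
SAMPLE_ETC=$(mktemp -d)
mkdir -p "$SAMPLE_ETC/cron.d" "$SAMPLE_ETC/scripts"
cat > "$SAMPLE_ETC/crontab" <<EOF
SHELL=/bin/sh
PATH=/usr/bin:/bin
17 *    * * *   root    cd / && run-parts --report $SAMPLE_ETC/cron.hourly
EOF
cat > "$SAMPLE_ETC/cron.d/backup" <<EOF
# nightly backup job (constructed sample)
0 2 * * * root $SAMPLE_ETC/scripts/backup.sh
*/5 * * * * john $SAMPLE_ETC/scripts/sync.sh
EOF
printf '#!/bin/sh\necho backup\n' > "$SAMPLE_ETC/scripts/backup.sh"
printf '#!/bin/sh\necho sync\n'   > "$SAMPLE_ETC/scripts/sync.sh"
chmod 777 "$SAMPLE_ETC/scripts/backup.sh"   # deliberately world-writable
chmod 755 "$SAMPLE_ETC/scripts/sync.sh"

# Print every system cron job as "user<TAB>schedule<TAB>command".
# System crontabs (/etc/crontab and /etc/cron.d/*) carry a user field
# after the five schedule fields; comments, blank lines and VAR=value
# assignments are skipped.
list_cron_jobs() {
  cat "$1/crontab" "$1"/cron.d/* 2>/dev/null | awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ || /^[[:space:]]*[A-Za-z_]+=/ { next }
    NF >= 7 {
      sched = $1 " " $2 " " $3 " " $4 " " $5
      cmd = $7
      for (i = 8; i <= NF; i++) cmd = cmd " " $i
      print $6 "\t" sched "\t" cmd
    }'
}

# Jobs that run as root whose first command token is a file writable by
# others. Anyone who can edit such a script gets code run as root on the
# next scheduled tick, so each hit is a privilege-escalation path to close.
writable_root_cron_scripts() {
  list_cron_jobs "$1" | awk -F'\t' '$1 == "root" { print $3 }' |
  while IFS= read -r cmd; do
    script=${cmd%% *}              # strip arguments, keep the executable path
    [ -f "$script" ] || continue   # shell builtins such as "cd" are not files
    if [ -n "$(find "$script" -perm -o+w 2>/dev/null)" ]; then
      echo "$script"
    fi
  done
}

echo "Cron jobs:"; list_cron_jobs "$SAMPLE_ETC"
echo "Root jobs with world-writable scripts:"; writable_root_cron_scripts "$SAMPLE_ETC"
```

The fix on a real host is the obvious one: root-owned cron scripts should be 0755 or tighter, and /etc/cron.d entries should be reviewed whenever an unfamiliar job name appears.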
Q.4 DNS configurations might point you in the right direction. Also, explore the home directories for stored credentials.
The DNS configuration is located in the /etc/resolv.conf file. To read its contents, use the command: cat /etc/resolv.conf
This file does not contain a flag, but it points to the host configuration. Let’s navigate to the hosts file using the command: cat /etc/hosts. Here, we have found our fourth flag.
Q.5 Use the discovered credentials to gain higher privileges and explore the root’s home directory on target2.ine.local.
To enumerate the stored credentials, navigate to the home directory using cd /home/user and type ls to list the contents.
And here is a file named credentials.txt. To read its contents, type cat credentials.txt.
We need to use these credentials on target2.ine.local. As usual, we will start with an Nmap scan using the command: nmap -sC -sV target2.ine.local
Port 22 is open. Let’s connect to the john user via SSH using the command: ssh john@target2.ine.local. Enter the password when prompted.
Now, we need to enumerate our privileges to access the root’s home directory, as we currently lack the necessary permissions.
To check for any writable files on the system, use the command: find / -not -type l -perm -o+w
Here, we have found that /etc/shadow is writable by everyone (the o+w bit is set), which should never be the case.
Let’s exploit this to gain elevated privileges. First, view the contents of the file using the command: cat /etc/shadow
At the top of the file, the root entry has an * in its password field, indicating that no password hash is set for root. To gain access, we need to generate a password hash and put it in that field. Generate one with the command: openssl passwd -1 -salt abc password
The command openssl passwd -1 -salt abc password generates a password hash using the MD5-based crypt algorithm (the -1 option). Here’s a breakdown of each part:
openssl passwd → generates a hashed password.
-1 → selects the MD5-based crypt algorithm ($1$ format).
-salt abc → uses "abc" as the salt (a string combined with the password before hashing so that identical passwords do not produce identical hashes; normally random, but fixed to "abc" here).
password → the plain-text password to be hashed.
Copy the generated salted hash and paste it into the /etc/shadow file using a text editor like nano or vim. Since we’re using nano, run the command: nano /etc/shadow
Save the file, exit the editor, type su, and enter the password “password” when prompted.
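Everything that made this escalation possible is visible in /etc/shadow itself: its permission bits and the contents of each password field. The script below is an added example and not part of the original walkthrough; it writes a constructed shadow sample to a temporary file (the accounts and hash strings are illustrative placeholders, not real hashes, and the function names are made up), then checks whether the file is writable by group or others, lists accounts with an empty password field, lists accounts still hashed with $1$ MD5-crypt, and classifies every entry as locked, passwordless, or hashed with a given crypt id. Pass /etc/shadow (as root) to run the same audit on a real host.

```shell
#!/bin/bash
# Constructed sample standing in for /etc/shadow. Hash strings are placeholders,
# not real password hashes. Pass /etc/shadow (as root) to audit a real host.
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
root:*:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
john:$6$saltsalt$FAKESHA512CRYPTHASHFAKESHA512CRYPTHASH:19000:0:99999:7:::
legacy:$1$abc$FAKEMD5CRYPTHASH:19000:0:99999:7:::
guest::19000:0:99999:7:::
svc:!:19000:0:99999:7:::
EOF
chmod 666 "$SAMPLE_SHADOW"   # deliberately wrong; the real file should be 0640 root:shadow

# "writable" if group or others may write the file, the same condition the
# walkthrough's find -perm -o+w command detects; otherwise "ok".
shadow_writable_by_others() {
  if [ -n "$(find "$1" \( -perm -g+w -o -perm -o+w \) 2>/dev/null)" ]; then
    echo "writable"
  else
    echo "ok"
  fi
}

# Accounts whose password field is empty: the account can be entered with
# no password at all, which is worse than a weak hash.
empty_password_accounts() {
  awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts hashed with $1$ (MD5-crypt), the algorithm openssl passwd -1
# produces. It is fast to brute-force and should be migrated to $6$ or $y$.
weak_hash_accounts() {
  awk -F: '$2 ~ /^\$1\$/ { print $1 }' "$1"
}

# One line per account: "name:locked" for * or !, "name:none" for an empty
# field, "name:crypt-id-N" for a hash in $N$... form, "name:other" otherwise.
password_states() {
  awk -F: '{
    if ($2 == "*" || $2 ~ /^!/)      state = "locked"
    else if ($2 == "")               state = "none"
    else if ($2 ~ /^\$/)             { split($2, part, "$"); state = "crypt-id-" part[2] }
    else                             state = "other"
    print $1 ":" state
  }' "$1"
}

echo "Shadow permissions: $(shadow_writable_by_others "$SAMPLE_SHADOW")"
echo "Empty passwords:";  empty_password_accounts "$SAMPLE_SHADOW"
echo "MD5-crypt hashes:"; weak_hash_accounts "$SAMPLE_SHADOW"
echo "Password states:";  password_states "$SAMPLE_SHADOW"
```

A shadow file that reports "writable" is itself the finding: once any user can edit it, the * in root's field is only a suggestion, as this lab demonstrates.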
Now, navigate to the home directory using cd /root and list the contents by typing ls.
And here we have found our final flag, which is:
Thank you for following along with this walkthrough!
Happy Hacking.