Host & Network Penetration Testing: Exploitation CTF 1

This lab emphasizes identifying and exploiting vulnerabilities across two target Linux machines. You'll analyze web applications and services running on these machines to uncover weaknesses and exploit them to retrieve critical flags. The tasks involve leveraging known credentials, insecure configurations, and vulnerable plugins to compromise systems and access sensitive data.

Two Linux machines are accessible at target1.ine.local and target2.ine.local. Identify the application and service running on these machines and capture the flags. Each flag is in MD5 hash format.

  • Flag 1: Identify and exploit the vulnerable web application running on target1.ine.local and retrieve the flag from the root directory. The credentials admin:password1 may be useful.

  • Flag 2: Further, identify and compromise an insecure system user on target1.ine.local.

  • Flag 3: Identify and exploit the vulnerable plugin used by the web application running on target2.ine.local and retrieve the flag3.txt file from the root directory.

  • Flag 4: Further, identify and compromise a system user requiring no authentication on target2.ine.local.

The following wordlists will be useful:

  • /usr/share/nmap/nselib/data/wp-plugins.lst

  • /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

Scanning target1.ine.local

┌──(root㉿INE)-[~]
└─# sudo nmap -A -T5 --script=vuln target1.ine.local  -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-17 18:23 IST
Nmap scan report for target1.ine.local (192.163.3.3)
Host is up (0.000081s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-enum: 
|   /rss.php: RSS or Atom feed
|   /robots.txt: Robots file
|   /.gitignore: Revision control ignore file
|   /content/: Potentially interesting folder
|   /core/: Potentially interesting folder
|   /global/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
|   /install/: Potentially interesting folder
|   /lib/: Potentially interesting folder
|   /modules/: Potentially interesting folder
|_  /styles/: Potentially interesting directory w/ listing on 'apache/2.4.41 (ubuntu)'
| http-sql-injection: 
|   Possible sqli for queries:
|     http://target1.ine.local:80/search/?s=dolor%27%20OR%20sqlspider
|     http://target1.ine.local:80/search/?s=ipsum%27%20OR%20sqlspider
|     http://target1.ine.local:80/search/?s=lorem%27%20OR%20sqlspider
|     http://target1.ine.local:80/search/?s=sit%27%20OR%20sqlspider
|     http://target1.ine.local:80/search/?s=dolor%27%20OR%20sqlspider
|     http://target1.ine.local:80/search/?s=ipsum%27%20OR%20sqlspider
|     http://target1.ine.local:80/search/?s=lorem%27%20OR%20sqlspider
|     http://target1.ine.local:80/search/?s=sit%27%20OR%20sqlspider
|     http://target1.ine.local:80/styles/default/js/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://target1.ine.local:80/styles/default/js/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://target1.ine.local:80/styles/default/js/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://target1.ine.local:80/styles/default/js/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://target1.ine.local:80/styles/default/js/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://target1.ine.local:80/styles/default/js/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://target1.ine.local:80/styles/default/js/?C=D%3BO%3DD%27%20OR%20sqlspider
|     http://target1.ine.local:80/styles/default/js/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://target1.ine.local:80/styles/default/js/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://target1.ine.local:80/styles/default/js/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://target1.ine.local:80/styles/default/js/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://target1.ine.local:80/styles/default/js/?C=S%3BO%3DD%27%20OR%20sqlspider
|     http://target1.ine.local:80/styles/default/js/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://target1.ine.local:80/styles/default/js/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://target1.ine.local:80/styles/default/js/?C=S%3BO%3DA%27%20OR%20sqlspider
|_    http://target1.ine.local:80/styles/default/js/?C=M%3BO%3DD%27%20OR%20sqlspider
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=target1.ine.local
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://target1.ine.local:80/
|     Form id: 
|     Form action: /
|     
|     Path: http://target1.ine.local:80/
|     Form id: username
|     Form action: /index.php?p=1
|     
|     Path: http://target1.ine.local:80/index.php?p=1
|     Form id: 
|     Form action: /
|     
|     Path: http://target1.ine.local:80/index.php?p=1
|     Form id: username
|     Form action: /index.php?p=1
|     
|     Path: http://target1.ine.local:80/acp/
|     Form id: 
|     Form action: index.php
|     
|     Path: http://target1.ine.local:80/acp/index.php
|     Form id: 
|_    Form action: index.php
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-fileupload-exploiter: 
|   
|     Couldn't find a file-type field.
|   
|_    Couldn't find a file-type field.
MAC Address: 02:42:C0:A3:03:03 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.08 ms target1.ine.local (192.163.3.3)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.82 seconds

We can see that a web server is running, so let's explore it.

The site is running Flatcore CMS, and we already have credentials, so let's log in.

Exploiting flatcore

Since the website is running on Flatcore, we should check if there are any known exploits available for this CMS. We can do this using the following command:

This command searches the Exploit-DB database for publicly available exploits related to Flatcore. If an exploit is found, we can analyze its details and attempt to use it for further exploitation.

As you can see, there are two available exploits, but neither is present in Metasploit. This means we need to run the exploit manually from our own machine. Since our goal is to execute commands on the target and reach the root directory, we will use the first exploit, Remote Code Execution (Authenticated).

To copy the exploit’s Python code into our current working directory, we can use the following command:

Before executing the exploit, we should first read and analyze the code to understand how it works.

After reviewing the code, we can determine how to execute the exploit. To run the Python script and attempt exploitation, we use the following command:

The exploit ran successfully and we now have command execution on the target. To retrieve the first flag, we need to look in the root directory, so we list its contents with: ls /

And here we have our first flag, which we can read using the command:

Q.2 Further, identify and compromise an insecure system user on target1.ine.local

To proceed with the compromise, we first need to enumerate the users on the target system. User directories are typically located in the /home directory, so let's list its contents using the command:

Here we find a user named iamaweakuser. As the name suggests, this user likely has a weak password.

Since our initial Nmap scan revealed that the SSH port is open, we can attempt to brute-force the password using Hydra.

The command is:

We now have the password. Let's log in to the SSH service as this user with ssh and enter the password when prompted.

To list the contents, type ls, and to read the flag, use cat flag2.txt. Here we have our second flag!
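From the defender's side, the password guessing against iamaweakuser leaves a burst of "Failed password" lines in the target's auth.log followed by an "Accepted password" from the same source. The detector below is an added example written for this write-up, not part of the original lab; it runs over constructed sample log lines (host name, PIDs, addresses and timestamps are made up) and flags a source IP that fails repeatedly inside a sliding window and then succeeds.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines (not captured from the lab machine).
SAMPLE_AUTH_LOG = """\
Dec 17 18:40:01 target1 sshd[2101]: Failed password for iamaweakuser from 192.163.3.2 port 51001 ssh2
Dec 17 18:40:01 target1 sshd[2102]: Failed password for iamaweakuser from 192.163.3.2 port 51002 ssh2
Dec 17 18:40:02 target1 sshd[2103]: Failed password for invalid user admin from 192.163.3.2 port 51003 ssh2
Dec 17 18:40:02 target1 sshd[2104]: Failed password for iamaweakuser from 192.163.3.2 port 51004 ssh2
Dec 17 18:40:03 target1 sshd[2105]: Accepted password for iamaweakuser from 192.163.3.2 port 51005 ssh2
Dec 17 18:41:10 target1 sshd[2106]: Failed password for root from 10.0.0.9 port 40001 ssh2
Dec 17 18:45:00 target1 sshd[2107]: Accepted publickey for deploy from 10.0.0.5 port 40002 ssh2
"""

# One sshd authentication line; "invalid user" appears when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_auth_log(log_text):
    """Yield (timestamp, result, method, user, ip) for each sshd auth line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
            yield ts, m["result"], m["method"], m["user"], m["ip"]

def detect_ssh_bruteforce(log_text, threshold=4, window_seconds=60):
    """Return (flagged, compromised): flagged maps a source IP to its peak failure count
    in any window; compromised holds (ip, user) where a flagged IP then succeeded by password."""
    failures = defaultdict(list)
    password_logins = []
    for ts, result, method, user, ip in parse_auth_log(log_text):
        if result == "Failed":
            failures[ip].append(ts)
        elif method == "password":
            password_logins.append((ip, user, ts))
    flagged = {}
    window = timedelta(seconds=window_seconds)
    for ip, times in failures.items():
        times.sort()
        # Peak number of failures whose timestamps fall inside one window ending at t.
        peak = max(sum(1 for u in times if t - window <= u <= t) for t in times)
        if peak >= threshold:
            flagged[ip] = peak
    compromised = {(ip, user) for ip, user, ts in password_logins
                   if ip in flagged and any(f <= ts for f in failures[ip])}
    return flagged, compromised
```

A single failure from 10.0.0.9 stays below the threshold, while the key-based login from 10.0.0.5 is never counted as a compromise even if that address had been flagged.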

Now, the last two questions are related to another target, target2.ine.local.

Scanning target2.ine.local

The target is running WordPress. Let's look for vulnerable plugins.

Nikto scan of the WordPress site

Gobuster to find WordPress plugins

Nmap scripts to find vulnerable WordPress plugins

WPScan to enumerate plugins

Exploiting the Duplicator plugin

There are exploits available for Duplicator:

So there are multiple exploits available. One of them is an arbitrary file read module in Metasploit.

Let's use it by running msfconsole and searching for that module.

Interact with the module by typing use 1 and then options to list the required parameters.

So we only need to set RHOSTS to target2.ine.local and run the exploit.

The exploit ran successfully. The third flag is in the root directory, so let's read it by setting FILEPATH to /flag3.txt.

And here is our third flag:
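On the server side, an arbitrary file read like this shows up as requests whose query parameter carries "../" steps or an absolute path such as /etc/passwd. As an added example, not from the original post or the plugin's own code, the script below scans constructed Apache access-log lines for that pattern, undoing repeated percent-encoding first so that a double-encoded "%252e%252e" is not missed; the "action" and "file" parameter names in the sample are hypothetical placeholders, not the real plugin's endpoint.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache combined-format lines (not captured from the lab); the
# action/file parameter names are hypothetical, not the real plugin's.
SAMPLE_ACCESS_LOG = """\
192.163.3.2 - - [17/Dec/2025:18:50:01 +0530] "GET /wp-content/plugins/duplicator/readme.txt HTTP/1.1" 200 4120 "-" "curl/8.4.0"
192.163.3.2 - - [17/Dec/2025:18:50:02 +0530] "GET /wp-admin/admin-ajax.php?action=download&file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1780 "-" "Mozilla/5.0"
192.163.3.2 - - [17/Dec/2025:18:50:03 +0530] "GET /wp-admin/admin-ajax.php?action=download&file=%252e%252e%2F%252e%252e%2Fflag3.txt HTTP/1.1" 200 33 "-" "Mozilla/5.0"
192.163.3.2 - - [17/Dec/2025:18:50:04 +0530] "GET /wp-admin/admin-ajax.php?action=download&file=%2Fetc%2Fshadow HTTP/1.1" 403 199 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Dec/2025:18:51:00 +0530] "GET /?s=hello+world HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")  # "../" or "..\" as a path step
SENSITIVE = ("/etc/passwd", "/etc/shadow", "wp-config.php", "/flag")

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %252e -> %2e -> .) so that
    double-encoded traversal sequences do not slip past the check."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_file_read_attempt(value):
    v = fully_decode(value)
    return bool(TRAVERSAL_RE.search(v)) or any(s in v for s in SENSITIVE)

def find_file_read_attempts(log_text):
    """Return one finding per request whose query parameter looks like a path
    traversal or a direct reference to a sensitive file, with the decoded value
    and whether the server answered 200 (i.e. the read probably succeeded)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if is_file_read_attempt(value):
                findings.append({"ip": m["ip"], "path": parts.path, "param": name,
                                 "value": fully_decode(value),
                                 "succeeded": m["status"] == "200"})
    return findings
```

The 403 on the /etc/shadow request is reported but marked as not succeeded, which is the distinction an analyst wants when deciding whether credentials on the host must be rotated.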

Q.4 Further, identify and compromise a system user requiring no authentication on target2.ine.local.

While reading /etc/passwd through the arbitrary file read, we discovered a user named iamacrazyfreeuser who has a bash login shell.

From the Nmap scan, we know that SSH is open, so let's try connecting with ssh:

And we got access without any password, which is crazy! Now, for our last flag, we list the files and read the flag with the cat command.
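A user who can log in over SSH with no password at all is the product of two misconfigurations together: an empty hash field for that account in /etc/shadow (or an empty password field in /etc/passwd) and PermitEmptyPasswords yes in sshd_config. The audit below is an added example rather than anything from the lab; it checks constructed copies of those three files for exactly that combination, the $6$ hash shown is a placeholder, and it assumes sshd_config contains no Match blocks.

```python
# Constructed passwd/shadow/sshd_config fragments (not from the lab); the $6$ hash is a placeholder.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
iamaweakuser:x:1000:1000::/home/iamaweakuser:/bin/bash
iamacrazyfreeuser:x:1001:1001::/home/iamacrazyfreeuser:/bin/bash
legacy::1002:1002::/home/legacy:/bin/sh
"""
SAMPLE_SHADOW = """\
root:!:19700:0:99999:7:::
iamaweakuser:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19700:0:99999:7:::
iamacrazyfreeuser::19700:0:99999:7:::
"""
SAMPLE_SSHD_CONFIG = """\
# PermitEmptyPasswords no   <- commented out, so it does not count
PermitEmptyPasswords yes
PasswordAuthentication yes
PermitEmptyPasswords no
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def find_passwordless_logins(passwd_text, shadow_text):
    """(user, shell, reason) for interactive accounts with no password set; locked '!'/'*' entries are skipped."""
    shadow = {l.split(":")[0]: l.split(":")[1] for l in shadow_text.splitlines() if ":" in l}
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        name, pw, shell = fields[0], fields[1], fields[6]
        if shell in NOLOGIN_SHELLS:
            continue
        if pw == "":
            findings.append((name, shell, "empty password field in passwd"))
        elif pw == "x" and name not in shadow:
            findings.append((name, shell, "no shadow entry"))
        elif pw == "x" and shadow[name] == "":
            findings.append((name, shell, "empty hash in shadow"))
    return findings

def sshd_permits_empty_passwords(config_text):
    """True if sshd would accept empty passwords. sshd keeps the FIRST value it reads for
    a keyword, so a later 'no' does not override an earlier 'yes'. Match blocks are not handled."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "permitemptypasswords":
            return parts[1].strip().lower() == "yes"
    return False  # sshd's default is 'no'
```

Fixing either half (setting a password or locking the account, and restoring PermitEmptyPasswords no) closes the hole; the audit reports both so that neither is left behind.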

