Host & Network Penetration Testing: Post-Exploitation CTF 1
Post-Exploitation refers to the phase in a penetration test or cyberattack that occurs after an attacker successfully gains access to a system or network. During this phase, the attacker aims to maximize the value of their access by escalating privileges, maintaining persistence, and gathering sensitive information. Post-exploitation techniques include pivoting to other systems, extracting passwords, exfiltrating confidential data, and leveraging compromised systems to further penetrate the network. The goal is to identify critical assets, assess the extent of the breach, and map out pathways for potential lateral movement within the target environment. Post-exploitation also focuses on covering tracks to evade detection and ensuring continued access, emphasizing the need for strong monitoring and rapid response mechanisms to prevent further compromise.
This lab is designed to challenge and refine your skills in Post-Exploitation techniques, focusing on identifying and uncovering hidden information within a target machine.
In this lab environment, you will be provided with GUI access to a Kali Linux machine. Two machines are accessible at http://target1.ine.local and http://target2.ine.local.
Objective: Execute Post-Exploitation techniques on the target to uncover hidden flags and fully exploit the compromised environment.
Flags to Capture:
Flag 1: The file that stores user account details is worth a closer look. (target1.ine.local)
Flag 2: User groups might reveal more than you expect.
Flag 3: Scheduled tasks often have telling names. Investigate the cron jobs to uncover the secret.
Flag 4: DNS configurations might point you in the right direction. Also, explore the home directories for stored credentials.
Flag 5: Use the discovered credentials to gain higher privileges and explore the root's home directory on target2.ine.local.
Flag 1: The file that stores user account details is worth a closer look. (target1.ine.local)
Scanning target1.ine.local
┌──(root㉿INE)-[~]
└─# nmap -A target1.ine.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-21 19:35 IST
Nmap scan report for target1.ine.local (192.248.91.4)
Host is up (0.000063s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh libssh 0.8.3 (protocol 2.0)
| ssh-hostkey:
|_ 2048 31:e2:1d:f1:b2:39:0c:a3:ec:db:01:4a:eb:a2:39:c7 (RSA)
MAC Address: 02:42:C0:F8:5B:04 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.06 ms target1.ine.local (192.248.91.4)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.95 seconds
Exploiting Libssh
The scan reveals that port 22 is open and that the SSH service is libssh 0.8.3. To find a matching module in Metasploit, use the command: search libssh

To use this module, type use 0, then run options to list the parameters the module requires.

We only need to set RHOSTS and enable SPAWN_PTY by setting it to true. Run the module by typing exploit.

As you can see, session 1 is opened. To interact with it, type sessions -i 1.

Now, moving on to flag 1. As the question suggests, we need to enumerate the file that stores user account details. In Linux, user account information is stored in the /etc/passwd file. Let's read its contents.

And here we have our first flag, which is:
Flag 2: User groups might reveal more than you expect.
Group membership is recorded in /etc/group. Enumerate it to gain more insight:

Flag 2 was revealed in the output.
Flag 3: Scheduled tasks often have telling names. Investigate the cron jobs to uncover the secret.
To find this flag, we need to enumerate the cron jobs, which live under the /etc directory. After enumeration, the third flag is found in /etc/cron.d. Type ls to list its contents.

Flag 4: DNS configurations might point you in the right direction. Also, explore the home directories for stored credentials.
The DNS configuration is located in the /etc/resolv.conf file. To read its contents, use the command: cat /etc/resolv.conf

This file does not contain a flag, but it points to the host configuration. Let’s read the hosts file using the command: cat /etc/hosts. Here, we find our fourth flag.

Flag 5: Use the discovered credentials to gain higher privileges and explore the root’s home directory on target2.ine.local.
To enumerate the stored credentials, navigate to the home directory using cd /home/user and type ls to list the contents.

And here is a file named credentials.txt. To read its contents, type cat credentials.txt.

We need to use these credentials on target2.ine.local. As usual, we start with an Nmap scan using the command: nmap -A target2.ine.local
Port 22 is open. Let’s connect as the john user via SSH using the command: ssh john@target2.ine.local
Enter the password when prompted.

Now, we need to enumerate our privileges to access the root’s home directory, as we currently lack the necessary permissions.

To check for any writable files on the system, use the command:

Here, we have found that /etc/shadow has writable permissions.
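A defender's view of the same finding, as an added example that is not part of the lab: a small Python audit that checks a shadow file's mode and classifies each account's password field, so a world-writable /etc/shadow and a root entry that has changed from a locked "*" to an MD5-crypt hash both show up. The SAMPLE data and its placeholder hash values are constructed, not taken from the target.

```python
import os
import stat
import tempfile

# shadow(5) password-field states. "$1$" is MD5-crypt, which "openssl passwd -1"
# produces; it is fast, so much cheaper to brute-force than $6$ or $y$ hashes.
LOCKED = {"*", "!", "!!", "!*"}
WEAK_PREFIXES = {"$1$": "md5crypt", "$5$": "sha256crypt"}

def classify_password(field):
    if field in LOCKED:
        return "locked"
    if field == "":
        return "empty"            # password-less login
    for prefix, name in WEAK_PREFIXES.items():
        if field.startswith(prefix):
            return "weak:" + name
    if field.startswith("$"):
        return "hashed"           # e.g. $6$ sha512crypt or $y$ yescrypt
    return "weak:descrypt"        # legacy 13-character DES crypt

def audit_shadow(path):
    """Return {'mode': [problems], 'users': {name: state}} for a shadow file."""
    findings = {"mode": [], "users": {}}
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IWOTH:
        findings["mode"].append("world-writable")   # the lab's misconfiguration
    if mode & stat.S_IROTH:
        findings["mode"].append("world-readable")
    with open(path) as fh:
        for line in fh:
            fields = line.rstrip("\n").split(":")
            if len(fields) >= 2 and fields[0]:
                findings["users"][fields[0]] = classify_password(fields[1])
    return findings

# Constructed sample (placeholder hashes): root's "*" replaced by an MD5-crypt hash.
SAMPLE = ("root:$1$abc$PLACEHOLDERHASH0000000000:19700:0:99999:7:::\n"
          "daemon:*:19700:0:99999:7:::\n"
          "john:$6$saltsalt$PLACEHOLDERHASH:19700:0:99999:7:::\n"
          "guest::19700:0:99999:7:::\n")

def demo():
    with tempfile.NamedTemporaryFile("w", delete=False) as tmp:
        tmp.write(SAMPLE)
    os.chmod(tmp.name, 0o666)       # reproduce the lab's writable /etc/shadow
    findings = audit_shadow(tmp.name)
    os.unlink(tmp.name)
    return findings
```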

Let’s exploit this to gain elevated privileges. First, view the contents of the file using the command: cat /etc/shadow

At the top of the file, the root entry has an * in its password field, indicating that no valid password is set. To gain access, we need to generate a password hash and write it into that field. Create the hash with the command: openssl passwd -1 -salt abc password
The command openssl passwd -1 -salt abc password generates a hashed password using the MD5-based crypt algorithm (the -1 option). Here’s a breakdown of each part:
openssl passwd → Generates a hashed password.
-1 → Specifies the MD5-based crypt algorithm ($1$ format).
-salt abc → Uses "abc" as the salt (a random string added to the password before hashing to enhance security).
password → The plain-text password to be hashed.
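To see what that command actually builds, here is the MD5-crypt algorithm behind openssl passwd -1 in Python, an added example that is not from the lab or from OpenSSL's own source. It shows how the $1$abc$... field is assembled and why its fixed 1000 MD5 rounds make it far cheaper to attack than $6$ or yescrypt; the verify helper name is my own.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    """crypt(3)-style base64: emit 6 bits at a time, least significant first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def md5_crypt(password, salt):
    """Build the $1$<salt>$<hash> field that openssl passwd -1 produces."""
    pw, salt = password.encode(), salt.encode()[:8]   # salt: at most 8 chars
    ctx = hashlib.md5(pw + b"$1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    remaining = len(pw)
    while remaining > 0:                    # one byte of alt per password byte
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:                             # original "bit twiddling" quirk
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                   # fixed 1000 rounds, not tunable
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    f = final                               # shuffled byte order from md5crypt.c
    encoded = "".join(_to64((f[a] << 16) | (f[b] << 8) | f[c], 4)
                      for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14),
                                      (3, 9, 15), (4, 10, 5)))
    encoded += _to64(f[11], 2)
    return "$1$" + salt.decode() + "$" + encoded

def verify(password, shadow_field):
    """Check a password against a $1$ field from /etc/shadow, in constant time."""
    _, _, salt, _ = shadow_field.split("$", 3)
    return hmac.compare_digest(md5_crypt(password, salt), shadow_field)
```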

Copy the generated hash and paste it into root’s password field in /etc/shadow using a text editor such as nano or vim. Since we’re using nano, run the command: nano /etc/shadow

Save the file, exit the editor, type su, and enter the password “password” when prompted.

Now, navigate to root’s home directory using cd /root and list the contents by typing ls.

And here we have found our final flag, which is:
