Vulnerability Assessment CTF 1
Overview
Vulnerability Assessment is the process of systematically identifying, analyzing, and prioritizing security weaknesses in a system or network. It involves the use of tools like Nmap to discover open ports and services, as well as platforms like Nessus to detect misconfigurations, outdated software, and potential vulnerabilities. This assessment helps in understanding the security posture of the target environment, providing insights into exploitable weaknesses that attackers might leverage. By conducting a thorough vulnerability assessment, you can not only uncover hidden threats but also develop strategies to mitigate them effectively.
This lab is designed to test your knowledge and skills in vulnerability assessment and identifying hidden information on a target web server.
In this lab environment, you will have access to a target machine available at http://target.ine.local. Additionally, a Nessus dashboard is set up for vulnerability scanning and can be accessed via https://localhost:8834/. Use the provided credentials to log into the Nessus dashboard for further analysis.
Credentials:
Username: admin
Password: adminpasswd
Objective: Identify the services running on the machine, perform a detailed vulnerability scan, and capture all the flags hidden within the environment.
Flags to Capture:
Flag 1: Explore hidden directories for version control artifacts that might reveal valuable information.
Flag 2: The data storage has some loose security measures. Can you find the flag hidden within it?
Flag 3: A PHP file that displays server information might be worth examining. What could be hidden in plain sight?
Flag 4: Sensitive directories might hold critical information. Search through carefully for hidden gems.
Writeup
Flag 1
Let's start with an Nmap scan:
root@INE:~# nmap -p- --min-rate=10000 target.ine.local
Starting Nmap 7.92 ( https://nmap.org ) at 2025-04-03 00:41 IST
Nmap scan report for target.ine.local (192.223.219.3)
Host is up (0.000024s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
3306/tcp open mysql
MAC Address: 02:42:C0:DF:DB:03 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 2.40 seconds
root@INE:~#
Perform a scan with scripts:
root@INE:~# nmap -sC -sV target.ine.local -p80,3306
Starting Nmap 7.92 ( https://nmap.org ) at 2025-04-03 00:42 IST
Nmap scan report for target.ine.local (192.223.219.3)
Host is up (0.000049s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-robots.txt: 8 disallowed entries
| passwords/ config.inc classes/ javascript/
|_owasp-esapi-php/ documentation/ phpmyadmin/ includes/
|_http-title: Site doesn't have a title (text/html).
| http-git:
| 192.223.219.3:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
| Remotes:
|_ https://github.com/fermayo/hello-world-lamp.git
3306/tcp open mysql MySQL 5.5.47-0ubuntu0.14.04.1
| mysql-info:
| Protocol: 10
| Version: 5.5.47-0ubuntu0.14.04.1
| Thread ID: 79
| Capabilities flags: 63487
| Some Capabilities: ODBCClient, SupportsCompression, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, IgnoreSigpipes, FoundRows, LongPassword, LongColumnFlag, SupportsTransactions, ConnectWithDatabase, InteractiveClient, Speaks41ProtocolOld, DontAllowDatabaseTableColumn, Support41Auth, Speaks41ProtocolNew, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
| Status: Autocommit
| Salt: JkZ`Uh+9!6/&p$_4"OGV
|_ Auth Plugin Name: mysql_native_password
MAC Address: 02:42:C0:DF:DB:03 (Unknown)
There's a Git repository. Let's check it out. The flag is in a file within .git.
FLAG1_aacb6183476c426fa3c3be21aefa24ee
Flag 2
There's also a robots.txt file:
User-agent: *
Disallow: passwords/
Disallow: config.inc
Disallow: classes/
Disallow: javascript/
Disallow: owasp-esapi-php/
Disallow: documentation/
Disallow: phpmyadmin/
Disallow: includes/
Let's see what's inside the phpmyadmin directory. It's a phpMyAdmin database interface, but it requires no authentication, and there's a table called secret_info. The flag is there.
FLAG2_c1ce6259cc7243a1a6499035a2dd822b
Flag 3
For this flag, let's perform directory discovery. We can use the http-enum script from Nmap.
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-enum:
| /test/: Test page
| /robots.txt: Robots file
| /phpinfo.php: Possible information file
| /phpmyadmin/: phpMyAdmin
| /.git/HEAD: Git folder
| /classes/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
| /config/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
| /data/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
| /documentation/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
| /images/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
| /includes/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
| /javascript/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
| /passwords/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
|_ /styles/: Potentially interesting directory w/ listing on 'apache/2.4.7 (ubuntu)'
|_http-server-header: Apache/2.4.7 (Ubuntu)
MAC Address: 02:42:C0:DF:DB:03 (Unknown)
Let's check the phpinfo.php file. Inside, we find the flag.
FLAG3_7356f82a5d6a44439e80e6f8947bb001
Flag 4
Both the enumeration and the robots.txt file reveal a directory called passwords:
User-agent: *
Disallow: passwords/
Disallow: config.inc
Disallow: classes/
Disallow: javascript/
Disallow: owasp-esapi-php/
Disallow: documentation/
Disallow: phpmyadmin/
Disallow: includes/
Inside the passwords directory, there's the flag.
FLAG4_352260af9f4844bc92af985aa4bae1c0
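The four findings above (an exposed .git, robots.txt naming sensitive paths, phpinfo.php, and listable directories such as passwords/) are the kind of thing a defender should catch before a scanner does. As an added example that is not part of the original writeup, the script below parses a robots.txt body and classifies fetched responses the way http-robots.txt, http-git and http-enum do; the responses are constructed samples, so it runs offline, and the function names are hypothetical.

```python
import re

# Constructed sample data (not captured from the lab target).
SAMPLE_ROBOTS = """User-agent: *
Disallow: passwords/
Disallow: config.inc   # comment, should be ignored
Disallow: phpmyadmin/
"""

# path -> (HTTP status, response body), as a crawler would have fetched them
SAMPLE_RESPONSES = {
    "/.git/HEAD": (200, "ref: refs/heads/master\n"),
    "/phpinfo.php": (200, "<html><title>phpinfo()</title><body>PHP Version 5.5</body></html>"),
    "/passwords/": (200, "<html><head><title>Index of /passwords</title></head></html>"),
    "/config.inc": (403, "Forbidden"),
    "/phpmyadmin/": (200, "<html><title>phpMyAdmin</title></html>"),
}

def parse_robots(text):
    """Return the Disallow paths from a robots.txt body, ignoring comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.lower().startswith("disallow:"):
            path = line.split(":", 1)[1].strip()
            if path:
                entries.append(path)
    return entries

def normalize(path):
    """robots.txt entries may omit the leading slash; make them URL paths."""
    return "/" + path.lstrip("/")

def classify(path, status, body):
    """Label one fetched response; None means nothing noteworthy."""
    if status != 200:
        return None
    # A readable .git/HEAD is either a symbolic ref or a bare commit hash.
    if path == "/.git/HEAD" and re.match(r"ref: refs/|[0-9a-f]{40}", body.strip()):
        return "exposed git repository"
    if path.endswith("phpinfo.php") and "phpinfo()" in body:
        return "phpinfo disclosure"
    if "<title>Index of " in body:  # Apache autoindex page
        return "directory listing enabled"
    return None

def assess(robots_txt, responses):
    """Merge robots.txt hints with response classification into findings."""
    findings = {normalize(p): "disclosed by robots.txt" for p in parse_robots(robots_txt)}
    for path, (status, body) in responses.items():
        issue = classify(path, status, body)
        if issue:
            findings[path] = f"{findings[path]}; {issue}" if path in findings else issue
    return findings
```

Paths that robots.txt discloses but that return 403 (config.inc here) still appear in the findings, since the hint itself is information the server is handing out.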