CTF 2 - System / Host Based Attacks
Question 1
Check the root ('/') directory for a file that might hold the key to the first flag
We can see that an Apache server is running on port 80 with a CGI script. We can use Nmap to check whether it is vulnerable to the Shellshock exploit, which it is in this case. We can now exploit it to gain access to the server. Now open a shell and navigate to the root directory.
Question 2
In the server's root directory, there might be something hidden. Explore '/opt/apache/htdocs/' carefully to find the next flag
Now exit out of the shell and list out all the contents to find the second flag.
Question 3
Investigate the user's home directory and consider using 'libssh_auth_bypass' to uncover the flag
In this case, after running Nmap, we can see that SSH is open on port 22. It's running libssh. We can search for the Metasploit module and use it to gain a shell.
Question 4
The most restricted areas often hold the most valuable secrets. Look into the '/root' directory to find the hidden flag
We can see that when we try to move into the root directory, we are denied permission. In the folder where flag 3 was, there were two binaries. By looking at the welcome binary with the command 'strings', we can see that it executes the greetings binary. We can then remove the greetings binary and make a new file called greetings with 'cp /bin/bash greetings'. We can then execute the welcome binary again and we have root privileges. Now navigate to the root directory to find the flag.
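The weakness behind Question 4 is a program running with root privileges that executes a helper file which a non-root user can replace. The audit below is an added example, not part of the original write-up: it looks for that condition from the defender's side. The function names and the trusted_uids parameter are hypothetical, and it assumes the helper is referenced by an absolute path or by a path relative to the binary's own directory.

```python
import os
import re
import stat
import sys

def modifiable_by_untrusted(path, trusted_uids):
    """True if `path` is owned by an untrusted uid or is group/other-writable."""
    st = os.stat(path)
    return st.st_uid not in trusted_uids or bool(
        st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def replaceable_helpers(binary, trusted_uids=frozenset({0})):
    """Map each helper file named in `binary` to the reasons it can be swapped.

    Assumption: helpers are referenced by an absolute path or by a path
    relative to the binary's own directory.
    """
    binary = os.path.realpath(binary)
    base = os.path.dirname(binary)
    with open(binary, "rb") as fh:
        data = fh.read()
    findings = {}
    # Same idea as `strings`: runs of at least four printable ASCII bytes.
    for run in re.findall(rb"[\x20-\x7e]{4,}", data):
        for token in run.decode("ascii").split():
            helper = os.path.realpath(os.path.join(base, token))
            if helper == binary or not os.path.isfile(helper):
                continue
            reasons = []
            if modifiable_by_untrusted(helper, trusted_uids):
                reasons.append("helper file writable")
            # Write access to the directory is enough to delete and recreate
            # the helper, whatever the helper's own mode bits say.
            if modifiable_by_untrusted(os.path.dirname(helper), trusted_uids):
                reasons.append("helper directory writable")
            if reasons:
                findings[helper] = reasons
    return findings

if __name__ == "__main__":
    # Usage: python3 audit_helpers.py /path/to/privileged-binary ...
    for target in sys.argv[1:]:
        for helper, reasons in replaceable_helpers(target).items():
            print(f"{target}: {helper}: {', '.join(reasons)}")
```

Any finding for a binary that runs as root means the helper and its directory should be moved to a root-owned, non-writable location and referenced by absolute path.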