CTF 2 - The Metasploit Framework


Question 1

Enumerate the open port using Metasploit, and inspect the RSYNC banner closely; it might reveal something interesting.

The wording is very misleading. Do not use Metasploit to enumerate anything as there are no Metasploit modules to help with this section. First, let's perform an Nmap scan. We can see that rsync is running on port 873. Let's attempt to connect to the rsync service:

rsync rsync://target1.ine.local/

Question 2

The files on the RSYNC server hold valuable information. Explore the contents to find the flag.

We can see from the command we have just run that there is a module called backupwscohen. We can check or view the contents of it by running the previous command followed by the module:

rsync rsync://target1.ine.local/backupwscohen/

We can see that there are 2 files. We can download them to our machine using:

rsync -a rsync://target1.ine.local/backupwscohen/ .

The -a flag enables archive mode, which preserves the file properties. The period at the end sets the current directory as the download destination. Then cat out the contents of each file to find the flag.
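
Seen from the server side, the anonymous module listing and download above are the result of rsync daemon settings. The following is an added example, not part of the original walkthrough: a small audit of an rsyncd.conf that flags modules left open this way. The sample configuration and its module names are constructed; the lab target's actual configuration is not shown on this page.

```python
# Added example, not from the walkthrough; SAMPLE_CONF is a constructed config.
SAMPLE_CONF = """\
uid = nobody
[backup]
    path = /srv/backup
[staging]
    path = /srv/staging
    auth users = deploy
    secrets file = /etc/rsyncd.secrets
    list = no
    hosts allow = 10.0.0.0/24
"""

DEFAULTS = {"list": "yes", "readonly": "yes", "authusers": "", "hostsallow": ""}

def parse_rsyncd_conf(text):
    """Return {module: params}; global parameters act as module defaults."""
    globals_, modules, current = dict(DEFAULTS), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()  # "[global]" returns to the global section
            current = None if name == "global" else modules.setdefault(name, dict(globals_))
        elif "=" in line:
            key, value = line.split("=", 1)
            key = "".join(key.split()).lower()  # whitespace in names is not significant
            (globals_ if current is None else current)[key] = value.strip()
    return modules

def audit(text):
    findings = {}
    for name, p in parse_rsyncd_conf(text).items():
        issues = []
        if not p["authusers"]:
            issues.append("anonymous access: no 'auth users'")
        if p["list"].lower() in ("yes", "true", "1"):
            issues.append("advertised in module listing: 'list = yes'")
        if p["readonly"].lower() in ("no", "false", "0"):
            issues.append("writable: 'read only = no'")
        if not p["hostsallow"]:
            issues.append("no 'hosts allow' restriction")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for module, issues in audit(SAMPLE_CONF).items():
        print(f"[{module}] " + "; ".join(issues))
```

In the sample, only the backup module is reported: it has no auth users, is listed by default, and accepts connections from any host, which is the same combination that made the module in this lab visible and downloadable.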

Question 3

Try exploiting the webapp to gain a shell using Metasploit on target2.ine.local.

Now, let's load up Metasploit and run an Nmap scan to see what ports are open. We can see that an Apache httpd server is running on ports 80 and 443. Let's run Nmap with the -sC option to enumerate more information. We could also open the web server within Firefox. We can see that Roxy-WI is running.

Let's search for a Roxy-WI module within Metasploit and use the exploit module. Once it has executed, let's open up a shell and type in /bin/bash -i to spawn a bash shell. Then let's navigate to the root directory and list out the contents to find the flag.

Question 4

Automated tasks can sometimes leave clues. Investigate scheduled jobs or running processes to uncover the hidden flag.

Since we know that Cron jobs are located in the /etc directory, let's navigate there and list out the contents. There are two Cron-related directories; however, we are only interested in the cron.d directory. Let's cat out the contents of all the files to find the last flag.
