CTF 1 - Exploitation


Question 1

Identify and exploit the vulnerable web application running on target1.ine.local and retrieve the flag from the root directory. The credentials admin:password1 may be useful.

Firstly, let's run an Nmap scan. We can see that there is a web server open on port 80. We can open this up in our browser to see that it's running a CMS. There is a login button on the right even though the page is in a different language. We can use the credentials provided to us to log in.

Since we know that the website is running Flatcore 2.0.7, let's use SearchSploit to check whether there are any exploits for this specific version. We can see that there is an exploit available, but it's not within the Metasploit framework, so we'll have to run it manually. To download the exploit:

searchsploit -m 50262

Now, let's open up the file to review the code before executing it, to see what it does and how to use it. The author has kindly provided an example of how to run the exploit, which gives us the syntax to use:

python3 50262.py 'http://target1.ine.local' 'admin' 'password1'

We have successfully logged in! To find the flag, list the files in the root directory with ls / and then read the flag file with cat.

Question 2

Further, identify and compromise an insecure system user on target1.ine.local.

To further compromise the system, we have been given a hint that there is an insecure user. We can run ls -l /home, as user directories are typically located under /home. We can see that there is another user called iamaweakuser.

From our Nmap scan earlier, we know that SSH is enabled, so let's attempt to connect to the target via SSH as this user - but before we do that, we need to find out the password. We can use Hydra to brute-force the password using the wordlist unix_passwords.txt.

hydra -l iamaweakuser -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt ssh://target1.ine.local

Now that we have obtained credentials, let's login via SSH:

ssh iamaweakuser@target1.ine.local

Now just list the directory contents and read the flag!

Question 3

Identify and exploit the vulnerable plugin used by the web application running on target2.ine.local and retrieve the flag3.txt file from the root directory.

Again, let's start by running an Nmap scan on the target. We can see that port 80 is open again, as well as SSH. Let's open up the web browser to view the website - and we can see that it's running WordPress. The plugin directory on WordPress is normally located under /wp-content/plugins, so let's navigate to that. In this case, we don't get any output.

Let's utilize gobuster to brute-force the directory to find out what plugins are being used:

gobuster dir -u http://target2.ine.local/wp-content/plugins -w /usr/share/nmap/nselib/data/wp-plugins.lst

We can see that it enumerates two plugins, akismet and duplicator. Let's use SearchSploit again to check whether there are any exploits for either of these plugins. In this case, akismet doesn't have any exploits, while there is a Metasploit module for duplicator.
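
Both the Hydra password guessing against iamaweakuser in Question 2 and the gobuster sweep of /wp-content/plugins above are loud from the server's side. The following is an added example, not part of the original writeup, of the detection logic a defender would run over the two logs that record them: sshd's auth log and the web server's access log. The log lines are constructed samples, and the hostnames, IPs, thresholds and function names are assumptions.

```python
"""Added example (not part of the original writeup): flag SSH password
guessing and a wordlist sweep of the WordPress plugin directory from
server-side logs. All log lines below are constructed; IPs, thresholds
and function names are assumptions."""
import re
from collections import defaultdict

# Constructed sshd log lines in the default syslog format.
AUTH_LOG = """\
Mar  3 10:01:01 target1 sshd[1201]: Failed password for iamaweakuser from 10.10.14.5 port 50210 ssh2
Mar  3 10:01:01 target1 sshd[1202]: Failed password for iamaweakuser from 10.10.14.5 port 50211 ssh2
Mar  3 10:01:02 target1 sshd[1203]: Failed password for iamaweakuser from 10.10.14.5 port 50212 ssh2
Mar  3 10:01:02 target1 sshd[1204]: Failed password for iamaweakuser from 10.10.14.5 port 50213 ssh2
Mar  3 10:01:03 target1 sshd[1205]: Failed password for iamaweakuser from 10.10.14.5 port 50214 ssh2
Mar  3 10:01:03 target1 sshd[1206]: Accepted password for iamaweakuser from 10.10.14.5 port 50215 ssh2
Mar  3 10:05:00 target1 sshd[1300]: Failed password for root from 192.168.1.20 port 40000 ssh2
"""

# Constructed access log lines in the Apache/nginx combined format.
ACCESS_LOG = """\
10.10.14.5 - - [03/Mar/2024:10:20:01 +0000] "GET /wp-content/plugins/akismet/ HTTP/1.1" 200 512 "-" "gobuster/3.6"
10.10.14.5 - - [03/Mar/2024:10:20:01 +0000] "GET /wp-content/plugins/hello-dolly/ HTTP/1.1" 404 196 "-" "gobuster/3.6"
10.10.14.5 - - [03/Mar/2024:10:20:01 +0000] "GET /wp-content/plugins/jetpack/ HTTP/1.1" 404 196 "-" "gobuster/3.6"
10.10.14.5 - - [03/Mar/2024:10:20:02 +0000] "GET /wp-content/plugins/duplicator/ HTTP/1.1" 200 512 "-" "gobuster/3.6"
10.10.14.5 - - [03/Mar/2024:10:20:02 +0000] "GET /wp-content/plugins/wordfence/ HTTP/1.1" 404 196 "-" "gobuster/3.6"
10.10.14.5 - - [03/Mar/2024:10:20:02 +0000] "GET /wp-content/plugins/yoast-seo/ HTTP/1.1" 404 196 "-" "gobuster/3.6"
192.168.1.20 - - [03/Mar/2024:10:21:00 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

SSH_FAIL = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
SSH_OK = re.compile(r"Accepted password for (\S+) from (\S+) port")
HTTP_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def ssh_bruteforce_sources(log, threshold=5):
    """Return {ip: {'failures': n, 'users': set, 'succeeded': bool}} for
    source IPs whose failed-password count reaches `threshold`. A success
    right after a burst of failures is the signature of a guessed password."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "succeeded": False})
    for line in log.splitlines():
        m = SSH_FAIL.search(line)
        if m:
            user, ip = m.groups()
            stats[ip]["failures"] += 1
            stats[ip]["users"].add(user)
            continue
        m = SSH_OK.search(line)
        if m and m.group(2) in stats:
            stats[m.group(2)]["succeeded"] = True
    return {ip: v for ip, v in stats.items() if v["failures"] >= threshold}


def plugin_enum_sources(log, prefix="/wp-content/plugins/", threshold=5):
    """Return {ip: {'probes': n, '404s': n, 'found': [paths]}} for source IPs
    that requested at least `threshold` distinct paths under the plugin
    directory; a high 404 ratio is the signature of a wordlist sweep, and
    the 200s are the plugins the sweep confirmed."""
    stats = defaultdict(lambda: {"paths": set(), "404s": 0, "found": []})
    for line in log.splitlines():
        m = HTTP_LINE.match(line)
        if not m:
            continue
        ip, _method, path, status = m.groups()
        if not path.startswith(prefix):
            continue
        stats[ip]["paths"].add(path)
        if status == "404":
            stats[ip]["404s"] += 1
        elif status == "200":
            stats[ip]["found"].append(path)
    return {
        ip: {"probes": len(v["paths"]), "404s": v["404s"], "found": v["found"]}
        for ip, v in stats.items() if len(v["paths"]) >= threshold
    }


if __name__ == "__main__":
    for ip, info in ssh_bruteforce_sources(AUTH_LOG).items():
        print(f"SSH guessing from {ip}: {info['failures']} failures, "
              f"users={sorted(info['users'])}, later success={info['succeeded']}")
    for ip, info in plugin_enum_sources(ACCESS_LOG).items():
        print(f"Plugin sweep from {ip}: {info['probes']} probes, "
              f"{info['404s']} 404s, found={info['found']}")
```

Both detectors key on the source address rather than the target account or path, because a wordlist attack varies the guess and keeps the source fixed; the SSH detector also records whether a success followed the failures, which is the alert that matters most.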

Let's open up Metasploit and use the module called wp_duplicator_file_read. Now set the options and run the exploit - and it works. We can see that it displays the users that can log onto the system, as the default file path specified is /etc/passwd. To find the flag, let's change the file path to /flag3.txt.
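
The module works because the plugin hands a client-supplied path to a file read, which is why changing one option swaps /etc/passwd for /flag3.txt. As an added example that is neither the plugin's code nor the Metasploit module, here is the fix for that class of bug: resolve the requested name against a fixed directory and refuse anything that lands outside it. The directory layout is constructed inside a temporary directory, and the function and exception names are assumptions.

```python
"""Added example (not the Duplicator plugin's code): confine a
client-supplied file name to one directory before reading it. The
directory layout is constructed; names are assumptions."""
import tempfile
from pathlib import Path


class PathOutsideBase(ValueError):
    """Raised when the resolved path escapes the allowed directory."""


def safe_read(base_dir, requested):
    """Read `requested` only if it resolves (after normalising '..',
    absolute prefixes and symlinks) to a regular file inside `base_dir`."""
    base = Path(base_dir).resolve()
    # Joining an absolute `requested` such as '/etc/passwd' would discard
    # `base`, so strip leading separators before joining.
    candidate = (base / requested.lstrip("/\\")).resolve()
    if candidate != base and base not in candidate.parents:
        raise PathOutsideBase(f"{requested!r} resolves outside {base}")
    if not candidate.is_file():
        raise FileNotFoundError(requested)
    return candidate.read_text()


def demo():
    """Build a throwaway export directory and show which requests pass.
    Returns {requested_name: file contents | 'REJECTED' | 'NOT FOUND'}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        backups = Path(tmp) / "backups"
        backups.mkdir()
        (backups / "site.zip").write_text("constructed backup contents")
        secret = Path(tmp) / "secret.txt"  # sits outside the allowed directory
        secret.write_text("constructed secret")
        # Legitimate name, traversal, absolute system path, absolute path
        # to the neighbouring secret: only the first may succeed.
        for req in ["site.zip", "../secret.txt", "/etc/passwd", str(secret)]:
            try:
                results[req] = safe_read(backups, req)
            except PathOutsideBase:
                results[req] = "REJECTED"
            except FileNotFoundError:
                results[req] = "NOT FOUND"
    return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req!r:>40} -> {outcome}")
```

The check compares resolved paths rather than string prefixes, so a symlink inside the export directory that points elsewhere is caught too; an allow-list of expected file names on top of this is stricter still where the set of files is known.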

Question 4

Further, identify and compromise a system user requiring no authentication on target2.ine.local.

Since we identified the users already, let's go back to that output. At the bottom of the list, there's a user called iamacrazyfreeuser. Since we discovered that SSH was open, let's connect as this user, as we did for Question 2.

We have gained access without a password (if it had required a password, we could have performed a brute-force with Hydra as we did previously). Now just list the directory contents and cat the flag file to get the last flag.
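
An account that SSH lets in with no password is one of the simplest things to audit for. The following is an added example, not part of the original writeup, of that audit: it reads shadow-format entries and an sshd_config, both constructed here rather than taken from the lab, reports accounts whose password field is empty, and checks whether sshd is configured to accept them (PermitEmptyPasswords, which defaults to no). The sample contents and function names are assumptions.

```python
"""Added example (not part of the original writeup): find accounts with an
empty password field and check whether sshd would accept them. The
shadow lines and sshd_config excerpt are constructed samples."""

# Constructed /etc/shadow lines: name:hash:lastchg:min:max:warn:inactive:expire:
SHADOW = """\
root:$6$saltsalt$constructedhashvalue:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
iamaweakuser:$6$saltsalt$anotherconstructedhash:19700:0:99999:7:::
iamacrazyfreeuser::19700:0:99999:7:::
backup:!:19700:0:99999:7:::
"""

# Constructed sshd_config excerpt.
SSHD_CONFIG = """\
# Authentication settings
PermitRootLogin no
PasswordAuthentication yes
PermitEmptyPasswords yes
"""


def empty_password_accounts(shadow_text):
    """Return the account names whose password field is empty. '*' and '!'
    mark a locked account, so only a genuinely blank field is reported."""
    names = []
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            names.append(fields[0])
    return names


def sshd_option(config_text, key, default):
    """Return the effective value of an sshd_config keyword, lower-cased.
    sshd takes the first occurrence, matches keywords case-insensitively,
    and falls back to the compiled-in default when the keyword is absent.
    Only the 'Keyword value' spelling is handled here, not 'Keyword=value'."""
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == key.lower():
            return parts[1].strip().lower()
    return default


def audit(shadow_text, config_text):
    """Combine both checks into a list of findings."""
    findings = []
    blank = empty_password_accounts(shadow_text)
    for name in blank:
        findings.append(f"{name}: empty password field in shadow file")
    permit_empty = sshd_option(config_text, "PermitEmptyPasswords", "no")
    password_auth = sshd_option(config_text, "PasswordAuthentication", "yes")
    if blank and permit_empty == "yes" and password_auth == "yes":
        findings.append("sshd: PermitEmptyPasswords yes lets these accounts "
                        "log in over SSH without a password")
    return findings


if __name__ == "__main__":
    for finding in audit(SHADOW, SSHD_CONFIG):
        print(finding)
```

The remediation is the pair of changes the findings point at: lock or set a password on the blank account (passwd -l, or passwd), and set PermitEmptyPasswords no in sshd_config so the daemon refuses such accounts even if another one is created later.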
