CTF 1 - Post-Exploitation


Question 1

The file that stores user account details is worth a closer look. (target1.ine.local)

After running an Nmap scan on the target, we can see that port 22 is open and running libssh, for which Metasploit has an exploit module. When using it, make sure you set the usual options and also set the SPAWN_PTY option to true.

To get the flag, we need to enumerate the account details, which we can do with cat /etc/passwd.

Question 2

User groups might reveal more than you expect.

To enumerate the groups, we can run cat /etc/group.

Question 3

Scheduled tasks often have telling names. Investigate the Cron jobs to uncover the secret.

To look at the Cron jobs, we can run ls -al /etc/cron* or navigate to the /etc/cron.d directory and view its contents.

Question 4

DNS configurations might point you in the right direction. Also, explore the home directories for stored credentials.

To view the DNS configuration, run cat /etc/resolv.conf. Nothing of value is there, but it does point us to the /etc/hosts file, which we view with cat /etc/hosts.

Question 5

Use the discovered credentials to gain higher privileges and explore the root's home directory on target2.ine.local.

First, navigate to the /home/user directory and list its contents to find credentials.txt. Then run an Nmap scan on target 2: port 22 is open and SSH is running. We can log in with the credentials using the command:

ssh john@target2.ine.local

Now that we are in, we need to enumerate our privileges, since we don't have root access. We can check for weak file permissions using the following command:

find / -not -type l -perm -o+w 2>/dev/null

We can see that the /etc/shadow file is world-writable. That lets us change the root user's password and gain access as root. We can generate the required password hash with the following command:

openssl passwd -1 -salt abc password123

Feel free to change the password ('password123' here) to whatever you wish. Now copy the generated string and replace the asterisk in the root entry of the /etc/shadow file. You can do so by opening /etc/shadow in Nano (a text editor similar to vim). It should look like this:

Then type su and you should have root access. Now navigate to /root and list its contents to get the last flag!
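As an added defender-side check (example code, not part of the original writeup): a POSIX shell script that looks for the two misconfigurations this walkthrough relies on, world-writable files and empty or MD5-crypt password fields in a shadow-format file. It runs only on constructed data in a temporary directory; the sample entries and paths are assumptions.

```shell
#!/bin/sh
# Audit helpers (added example, not from the original writeup).

# find_world_writable DIR: print files under DIR writable by "other".
# Symlinks are skipped (-not -type l) since their mode bits are meaningless.
# Returns 1 if anything was found, so it can gate a hardening script.
find_world_writable() {
    hits=$(find "$1" -not -type l -perm -o+w 2>/dev/null)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# check_shadow_file FILE: inspect a shadow(5)-format file and flag
#   - an empty password field (account logs in with no password)
#   - MD5-crypt ($1$) hashes, the type "openssl passwd -1" produces;
#     current systems use $6$ (SHA-512) or $y$ (yescrypt)
# Prints "user:reason" per finding; returns 1 if any finding, else 0.
check_shadow_file() {
    found=0
    while IFS=: read -r user hash _rest; do
        [ -z "$user" ] && continue
        case "$hash" in
            '')     printf '%s:empty-password\n' "$user"; found=1 ;;
            '$1$'*) printf '%s:md5crypt-hash\n' "$user";  found=1 ;;
        esac
    done < "$1"
    return $found
}

# demo: constructed shadow file in a temp dir; nothing on the host is touched.
demo() {
    d=$(mktemp -d)
    printf 'root:$6$abc$hashhash:19000:0:99999:7:::\n'  > "$d/shadow"
    printf 'john:$1$abc$forged:19000:0:99999:7:::\n'   >> "$d/shadow"
    printf 'svc::19000:0:99999:7:::\n'                 >> "$d/shadow"
    chmod 666 "$d/shadow"   # the misconfiguration abused in the walkthrough
    find_world_writable "$d" || echo "-> world-writable file(s) found"
    check_shadow_file "$d/shadow" || echo "-> weak shadow entries found"
    rm -rf "$d"
}

demo
```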
