
eJPT - 3.1 CTF System or Host Based Attacks


I'm a cybersecurity enthusiast with a growing focus on offensive security. Currently studying for the eJPT & ICCA, building hands-on projects like Infiltr8, and sharing everything I learn through blog posts and labs.


CTF 1

Question 1

User 'bob' might not have chosen a strong password. Try common passwords to gain access to the server where the flag is located.

First we run an Nmap scan, which shows that port 80 is open and that WebDAV is running. The hint tells us bob's password is weak, so we use Hydra to brute-force it against the WebDAV login. With the recovered credentials we can log in using cadaver and find the first flag.

Question 2

Valuable files are often on the C: drive. Explore it thoroughly.

We can use davtest to see which file types the server lets us upload. We then upload the webshell.asp file to the server via cadaver and execute it on the server by requesting it, which gives us command execution to explore the C: drive.
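From the defender's side, both of the steps above (the Hydra password-guessing burst and the upload of an .asp file over WebDAV) leave obvious traces in the web server's access log. The following Python script is an added example, not code from Hmad's post: it parses a constructed Apache-style combined log (the sample lines, IPs, timestamps and user agents are all made up), flags any client that produces a burst of 401 responses inside a short window, and flags PUTs of server-side script extensions plus every MOVE/COPY, since the access log does not record the Destination header that turns a harmless `report.txt` into `report.asp`. The threshold, window and extension list are assumptions to tune; the same sliding-window count applies equally to SMB logon failures.

```python
"""Audit an Apache-style access log for an HTTP-auth guessing burst and for
WebDAV uploads/renames of script files. Added example; not from the post."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not taken from the post): six failed logins from
# 10.0.0.5 in a few seconds, a success as bob, then a PUT of webshell.asp.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2024:12:00:01 +0000] "GET /webdav/ HTTP/1.1" 401 381 "-" "Mozilla/4.0 (Hydra)"
10.0.0.5 - - [10/May/2024:12:00:02 +0000] "GET /webdav/ HTTP/1.1" 401 381 "-" "Mozilla/4.0 (Hydra)"
10.0.0.5 - - [10/May/2024:12:00:02 +0000] "GET /webdav/ HTTP/1.1" 401 381 "-" "Mozilla/4.0 (Hydra)"
10.0.0.5 - - [10/May/2024:12:00:03 +0000] "GET /webdav/ HTTP/1.1" 401 381 "-" "Mozilla/4.0 (Hydra)"
10.0.0.5 - - [10/May/2024:12:00:04 +0000] "GET /webdav/ HTTP/1.1" 401 381 "-" "Mozilla/4.0 (Hydra)"
10.0.0.5 - - [10/May/2024:12:00:05 +0000] "GET /webdav/ HTTP/1.1" 401 381 "-" "Mozilla/4.0 (Hydra)"
10.0.0.5 - bob [10/May/2024:12:00:06 +0000] "PROPFIND /webdav/ HTTP/1.1" 207 1203 "-" "cadaver/0.23.3"
10.0.0.5 - bob [10/May/2024:12:01:10 +0000] "PUT /webdav/webshell.asp HTTP/1.1" 201 0 "-" "cadaver/0.23.3"
10.0.0.5 - bob [10/May/2024:12:01:30 +0000] "GET /webdav/webshell.asp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/May/2024:12:05:00 +0000] "GET /webdav/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
10.0.0.9 - alice [10/May/2024:12:05:20 +0000] "PUT /webdav/report.txt HTTP/1.1" 201 0 "-" "cadaver/0.23.3"
10.0.0.9 - alice [10/May/2024:12:05:40 +0000] "MOVE /webdav/report.txt HTTP/1.1" 201 0 "-" "cadaver/0.23.3"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Extensions the server would execute rather than serve as text (assumption).
SCRIPT_EXTS = (".asp", ".aspx", ".php", ".jsp", ".cgi", ".pl", ".sh")


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def detect_auth_bruteforce(entries, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: largest number of 401s seen inside any `window`} for
    clients that reach `threshold`, using a sliding window over sorted times."""
    failures = defaultdict(list)
    for e in entries:
        if e["status"] == 401:
            failures[e["ip"]].append(e["ts"])
    hits = {}
    for ip, stamps in failures.items():
        stamps.sort()
        best, j = 0, 0
        for i in range(len(stamps)):
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            hits[ip] = best
    return hits


def detect_script_uploads(entries, exts=SCRIPT_EXTS):
    """Flag PUTs whose target has a script extension, and every MOVE/COPY:
    the Destination header is not logged, so a rename to .asp is only
    visible as the MOVE itself."""
    findings = []
    for e in entries:
        path = e["path"].split("?", 1)[0].lower()
        if e["method"] == "PUT" and path.endswith(exts):
            findings.append((e["ip"], e["user"], "PUT", e["path"]))
        elif e["method"] in ("MOVE", "COPY"):
            findings.append((e["ip"], e["user"], e["method"], e["path"]))
    return findings


def analyse(text):
    entries = parse_log(text)
    return {"bruteforce": detect_auth_bruteforce(entries),
            "uploads": detect_script_uploads(entries)}


if __name__ == "__main__":
    for name, result in analyse(SAMPLE_LOG).items():
        print(name, result)
```

Run against a real log, the `bruteforce` map names the clients worth blocking or rate-limiting, and `uploads` lists the WebDAV writes to review; the practical fix on the server side is to refuse PUT/MOVE for executable extensions (or disable script execution in the WebDAV directory) and to enforce a lockout on repeated 401s.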

Question 3

By attempting to guess SMB user credentials, you may uncover important information that could lead you to the next flag.

We first run an Nmap scan, which shows SMB running on port 445. We can then use the Metasploit module smb_login to brute-force credentials. With valid credentials we connect via smbclient, list the shares, and explore the C$ share.

Question 4

The Desktop directory might have what you're looking for. Enumerate its contents.

We can now navigate to the Administrator account's home directory and look in its Desktop folder.


CTF 2

Question 1

Check the root ('/') directory for a file that might hold the key to the first flag.

We can see that an Apache server is running on port 80 with a CGI script. We can use Nmap to check whether it's vulnerable to the Shellshock exploit, which it is in this case. We can now exploit it to gain access to the server, open a shell, and navigate to the root directory.

Question 2

In the server's root directory, there might be something hidden. Explore '/opt/apache/htdocs/' carefully to find the next flag.

Now exit the shell and list all of the contents of that directory to find the second flag.

Question 3

Investigate the user's home directory and consider using 'libssh_auth_bypass' to uncover the flag.

In this case, after running Nmap, we can see that SSH is open on port 22. It's running libssh. We can search for the Metasploit module and use it to gain a shell.

Question 4

The most restricted areas often hold the most valuable secrets. Look into the '/root' directory to find the hidden flag.

When we try to move into the /root directory, we get a permission denied error. The folder where flag 3 was found contains two binaries. Running strings on the welcome binary shows that it executes the greetings binary. We can delete greetings and replace it with a copy of bash (cp /bin/bash greetings); when we execute the welcome binary again, we have root privileges. Now navigate to the /root directory to find the flag.


That’s it for this section. Next one up is the network-based attacks section.

— Hmad

eJPT

Part 13 of 24

In this series, I'll be documenting the notes I take while studying for the eJPT (Junior Penetration Tester) certification by iNE Security. I'll include write-ups of the CTFs, or Skill Checks as iNE calls them.
