This is the second CTF in the longest module of the Penetration Testing Student course. This time we have two machines: target1.ine.local and target2.ine.local. Let’s see what flags we need to capture:

  • Flag 1: Enumerate the open port using Metasploit, and inspect the RSYNC banner closely; it might reveal something interesting.
  • Flag 2: The files on the RSYNC server hold valuable information. Explore the contents to find the flag.
  • Flag 3: Try exploiting the webapp to gain a shell using Metasploit on target2.ine.local.
  • Flag 4: Automated tasks can sometimes leave clues. Investigate scheduled jobs or running processes to uncover the hidden flag.

So it seems that the first machine hosts an rsync file server; therefore it is most likely a Linux machine. The 4th flag mentions automations, which makes me think of cron, so it might also be a Linux machine.

Let’s start, as always, with an nmap scan of both machines:

nmap -sC -sV -sS -O target1.ine.local

[Screenshot: first nmap scan]

nmap -sC -sV -sS -O target2.ine.local

[Screenshot: second nmap scan]

It appears that the second target runs an Apache web server. We’ll explore it later; for now, let’s focus on the flags.

Flag 1

Enumerate the open port using Metasploit, and inspect the RSYNC banner closely; it might reveal something interesting.

After a bit of googling, we find out that displaying the rsync server’s banner is pretty easy and can be done with one command:

rsync rsync://target1.ine.local/

Quite an easy flag, and this trend will continue throughout the CTF.

Flag 2

The files on the RSYNC server hold valuable information. Explore the contents to find the flag.

backupwscohen is what rsync calls a module, and modules contain files. To get all the files from this module, we run this command:

rsync -avz rsync://target1.ine.local/backupwscohen ~/Downloads/

  • -avz
    • a : Archive mode, to keep the data (and metadata) intact but most importantly in our case for recursion.
    • v : For verbosity.
    • z : To compress data during the transfer.
  • rsync://target1.ine.local/backupwscohen : Source of the files on the rsync server.
  • ~/Downloads/ : Destination directory on our local computer.

So we have 3 files:

  • 1 .txt,
  • 1 .xlsx (excel spreadsheet),
  • 1 .vhd (virtual hard drive).

Let’s cat them all out and see what they contain.

cat *

Flag 2 done.
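Seen from the defender's side, both rsync flags were reachable because the module could be listed and read without credentials. The Python sketch below is an added example, not part of the original write-up or the lab: it audits an rsyncd.conf for the settings that allow this, using a constructed sample config and hypothetical module names, since the lab's real config is not shown.

```python
import re
TRUE = {"yes", "true", "1"}

def parse_rsyncd_conf(text):
    """Return (globals, {module: params}); names lowercased, spacing collapsed (simplified)."""
    globals_, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = modules.setdefault(m.group(1).strip(), {})
        elif line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)   # only the first '=' is significant
            key = " ".join(name.lower().split())
            (globals_ if current is None else current)[key] = value.strip()
    return globals_, modules

def audit(text):
    """Map each module name to a list of exposure findings."""
    globals_, modules = parse_rsyncd_conf(text)
    report = {}
    for name, params in modules.items():
        eff = {**globals_, **params}          # global values act as module defaults
        findings = []
        if not eff.get("auth users"):         # rsync default: no password required
            findings.append("anonymous access (no 'auth users')")
        if eff.get("list", "yes").lower() in TRUE:   # rsync default: listable
            findings.append("module name and comment shown in listing")
        if eff.get("read only", "yes").lower() not in TRUE:
            findings.append("writable ('read only = no')")
        if not eff.get("hosts allow"):        # rsync default: any host may connect
            findings.append("no 'hosts allow' restriction")
        report[name] = findings
    return report

# Constructed sample config (not taken from the lab machine).
SAMPLE = """\
[backup]
    path = /srv/backup
    comment = nightly backups
[private]
    path = /srv/private
    auth users = alice
    list = no
    hosts allow = 10.0.0.0/24
"""

if __name__ == "__main__":
    for module, findings in audit(SAMPLE).items():
        print(module, "->", findings or "ok")
```

Line continuations with a trailing backslash are not handled, so join such lines before auditing a real config.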

Flag 3

Try exploiting the webapp to gain a shell using Metasploit on target2.ine.local.

Well, since this flag is about the second target, let’s first see what the web server is serving.

It is an app called Roxy-WI. Let’s fire up the Metasploit console and search for exploits for this app.

There’s an excellent exploit for this application. We need to configure RHOST and LHOST, then hit run to start the exploit:

If we navigate to /, we’ll find a flag.txt.

Flag 4

Automated tasks can sometimes leave clues. Investigate scheduled jobs or running processes to uncover the hidden flag.

The first thing I want to do is explore the cron jobs available on this machine. After navigating to the /etc/cron.d directory, we find two jobs, and one of them contains the flag.

And that was it for the last flag.

Conclusion

Refer to the last article for my thoughts about the course so far.

Concerning this CTF in particular, it was very easy, but it made me discover new things, especially rsync, so that was fun.