Today I’m going to write about my attempt at solving the “Assessment Methodologies: Vulnerability Assessment CTF 1”.

Before trying to capture any flags, I started by doing a quick nmap scan on the local network to identify the target.

[Screenshot: First nmap scan]

We can see that ports 80 and 3306 are open on the host at 192.194.77.3, so it must be our target (the target.ine.local hostname helps too).

I then opened the browser to look at the web server (since port 80 is open) and I found an OWASP app.

[Screenshot: OWASP app]

Flag 1

Explore hidden directories for version control artifacts that might reveal valuable information.

This instantly makes me think of a .git directory that must have been left on the server, but to make sure, I launch the Metasploit scanner module scanner/http/git_scanner.

[Screenshot: git-scanner]

We do indeed have an exposed .git directory at http://192.194.77.3/.git. Let’s go exploring.

[Screenshot: git-flag]

We find the first flag there; let’s keep digging.

Flag 2

The data storage has some loose security measures. Can you find the flag hidden within it?

The first thing I thought about was the MySQL server on port 3306, so I set out to find the login for it, which, in hindsight, was a bit hasty of me.

[Screenshot: mysql_login]

The module reports that the MySQL version is unsupported… so I try a more thorough service scan with nmap to find out more.

[Screenshot: second nmap scan]

Too many connections… So I decide to do a more comprehensive enumeration of the web server instead, looking for any relevant directories.

[Screenshot: third nmap scan]

BANG ON! This is a treasure trove; we found some very juicy information:

  • the .git directory, which would have been found far more easily this way
  • /phpmyadmin/, which is our target for this flag
  • /password/ (do I need to explain myself?)
  • /config/
  • /phpinfo.php
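As an added example that is not part of the original write-up, here is a small Python self-check a defender can run against their own web root to find the same kind of exposures this enumeration turned up (.git metadata, phpinfo.php, phpMyAdmin, listable config and password directories). It only reports a path as exposed when the response body confirms the content, which avoids false positives from servers that answer 200 to every URL. The target URL and the sample responses are constructed, not captured from the CTF host.

```python
import urllib.request
import urllib.error

# Exposures from the write-up: path -> (what it means, marker that confirms a real hit).
# The marker guards against servers that answer 200 to every path (soft 404s).
CHECKS = {
    "/.git/HEAD": ("git metadata served by the web server", "ref: "),
    "/.git/config": ("git config served by the web server", "[core]"),
    "/phpinfo.php": ("phpinfo() page leaking server configuration", "PHP Version"),
    "/phpmyadmin/": ("phpMyAdmin console reachable over HTTP", "phpMyAdmin"),
    "/config/": ("listable /config/ directory", "Index of"),
    "/passwords/": ("listable /passwords/ directory", "Index of"),
}

def http_fetch(base_url, path, timeout=5):
    """Fetch base_url + path; return (status, body). Network errors give (None, '')."""
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as r:
            return r.status, r.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""

def audit(base_url, fetch=http_fetch):
    """Return [(path, description)] for every check that is served AND looks genuine."""
    findings = []
    for path, (desc, marker) in CHECKS.items():
        status, body = fetch(base_url, path)
        if status == 200 and marker in body:
            findings.append((path, desc))
    return findings

# Constructed responses standing in for the CTF host (sample data, not captured output).
SAMPLE_SERVER = {
    "/.git/HEAD": (200, "ref: refs/heads/master\n"),
    "/.git/config": (200, "[core]\n\trepositoryformatversion = 0\n"),
    "/phpinfo.php": (200, "<title>PHP Version 7.x (sample)</title>"),
    "/phpmyadmin/": (200, "<title>phpMyAdmin</title>"),
    "/config/": (403, ""),          # forbidden, so not a listable exposure
    "/passwords/": (200, "<title>Index of /passwords</title>"),
}

def fake_fetch(base_url, path):
    return SAMPLE_SERVER.get(path, (404, ""))

if __name__ == "__main__":
    for path, desc in audit("http://target.ine.local", fake_fetch):
        print(f"EXPOSED {path}: {desc}")
```

Replace fake_fetch with the default http_fetch to run it against a real host you own; a hit on /.git/HEAD means the whole repository history is likely retrievable and the directory should be removed from the web root or denied in the server config.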

Anyway, let’s start exploring by navigating to the phpmyadmin dashboard.

[Screenshot: phpmyadmin]

Let’s explore the database.

[Screenshot: phpmyadmin 2]

There’s one called “secret_info” where we find our second flag.

Flags 3 & 4

A PHP file that displays server information might be worth examining. What could be hidden in plain sight?

The last two flags are easily found thanks to the http-enum nmap scan; they were in /passwords/ and /phpinfo.php.

[Screenshots: php-1, passwords-1]

Nessus

This is the part where I remember that this was supposed to be Nessus practice, so I pull up the app and try to reproduce the same results, starting with a basic network scan.

[Screenshots: nessus-1, nessus-2]

Okay, that scan gets us the open ports and the services but not much else, so I run a Web Application scan, which gives me all the information needed to complete the CTF.

[Screenshots: nessus-git, nessus-admin, nessus-php-2, nessus password]

Conclusion

To be totally honest, I found this CTF far too easy compared to some of the previous ones. But it was fun; I enjoyed it.