Hello or hello again, depending on whether or not you've encountered one of my previous articles. I've been documenting my progress learning pentesting and trying to earn the eJPT certification, specifically my process of solving the CTF challenges throughout the course.
This challenge was designed to test knowledge and skills in vulnerability assessment and identifying hidden information on a target web server.
It involved the use of tools like Nmap to discover open ports and services, as well as platforms like Nessus to detect misconfigurations, outdated software and potential vulnerabilities. This kind of assessment helps in understanding the security posture of the target environment, providing insights into exploitable weaknesses that attackers might leverage, and helps not only to discover hidden threats but also to develop strategies to mitigate them effectively.
Flag 1
Hint: Explore hidden directories for version control artifacts that may reveal valuable info.
After a quick ping to confirm that the target was reachable, a simple Nmap scan revealed the following open ports:
The hint mentioned version control, pointing at git or bitbucket directories. Heading to the URL containing the git repo reveals the first flag.
The first flag is found in the flag.txt file.
Flag 2
Hint: The data storage has some loose security measures. Can you find the flag hidden within it?
The hint suggests that the database, which the scans identified as MySQL (version 5.5.47-0, to be specific), has weak security measures. Further enumeration using Nmap NSE scripts revealed that the target was configured to block repeated connection attempts, meaning a brute-force attack couldn't be carried out either. The Nmap results, however, detailed some interesting directories that are easily accessible. The most relevant one to the database was /phpmyadmin.
The web page reveals some databases, including mysql.

Further enumeration of the database reveals a table called secret_info, in which the second flag is found.
Flag 3
Hint: A PHP file that displays server information might be worth examining. What could be hidden in plain sight?
A quick search revealed that the file that displays PHP server info is likely to be phpinfo.php. The Nmap results from the previous step showed that the file exists and possibly contains useful information. Navigating to it from the website reveals the file.
Reading through the PHP server configuration file reveals the third flag in the configuration section:
Flag 4
Hint: Sensitive directories might hold critical information. Search through carefully for hidden gems.
Following the hint, and a more focused review of the results from the dirb scan from the previous step, the directory that immediately stood out was the passwords directory. Further enumeration of the directory revealed the files below, one of them containing the final flag.
Even though the lab was finished, I was still curious about what Nessus had to offer. Using the provided credentials to access the dashboard, I carried out a basic network scan after discovering the target host and found 24 vulnerabilities in total, but only one had a severity rating of medium:
Further research revealed that the specific CVEs were CVE-2020-11022 and CVE-2020-11023. I then set out to confirm that the target was indeed vulnerable.
Using Burp Suite to inspect the requests and responses while looking for a point from which to execute the XSS attack, I found some interesting comments that provided the needed info.

The vulnerable header was User-Agent. Using the proxy to intercept the request and modify it to include the simple test payload <script>alert("XSS-Test")</script> confirmed that the target was vulnerable.
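As an added example (not part of the original write-up), here is a small Python detector for the defender's side of this lab: it parses web-server access logs in the common "combined" format and flags requests for the sensitive paths found during the flag hunt (.git, phpmyadmin, phpinfo.php, passwords), as well as script markup arriving in the User-Agent header, which the lab's application reflected. The log lines are constructed samples, not output from the lab.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" format:
# ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths the walkthrough found exposed; outside hits on them deserve an alert.
SENSITIVE_PATHS = ("/.git", "/phpmyadmin", "/phpinfo.php", "/passwords")
# Crude markers for HTML/script injection in a header the application reflects.
SCRIPT_MARKER_RE = re.compile(r"<\s*script|javascript:|onerror\s*=", re.IGNORECASE)


def parse_line(line):
    """Return the named fields of one combined-format line, or None if malformed."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def is_sensitive(path):
    """True for the sensitive path itself or anything beneath it."""
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_PATHS)


def classify(entry):
    """Return the list of finding tags for one parsed entry (empty if benign)."""
    findings = []
    path = unquote(entry["path"]).split("?", 1)[0].lower()   # strip query, decode
    if is_sensitive(path):
        findings.append("sensitive-path")
    if SCRIPT_MARKER_RE.search(unquote(entry["ua"])):         # decode %3C etc.
        findings.append("script-in-user-agent")
    return findings


def scan_log(lines):
    """Return (ip, path, status, findings) for every line with at least one finding."""
    results = []
    for line in lines:
        entry = parse_line(line)
        if entry and (findings := classify(entry)):
            results.append((entry["ip"], entry["path"], entry["status"], findings))
    return results


# Constructed sample log lines (not from the lab).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Mar/2024:12:00:02 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/7.88"',
    '10.0.0.9 - - [10/Mar/2024:12:00:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Mar/2024:12:00:04 +0000] "GET /phpinfo.php HTTP/1.1" 200 8192 "-" "<script>alert(1)</script>"',
    '10.0.0.9 - - [10/Mar/2024:12:00:05 +0000] "GET /about.html HTTP/1.1" 200 300 "-" "%3Cscript%3Ealert(1)%3C/script%3E"',
    '10.0.0.9 - - [10/Mar/2024:12:00:06 +0000] "GET /passwords/ HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, status, findings in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {path} -> {', '.join(findings)}")
```

Blocking these paths at the web server (or removing phpinfo.php and the .git directory from the document root) is the fix; the detector only tells you when someone is looking.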

To wrap things up, this lab really put my vulnerability assessment skills to the test, particularly the second flag. The lab also highlights that tools aren't everything, and that manual investigation is key to finding the hidden details that automated scans might miss.