Brief overview of how I solved the first PWN CTF Challenge for my Ethical Penetration Testing course.

DanMolenhouse/EthicalPenTesting-PWNChallenge-1

EthicalPenTesting-PWNChallenge-1

This project is the first CTF challenge completed for my Ethical Pen Testing course at CMU.

Topics, Skills & Tools Used

  • Kali Linux
  • NMap / Network scanning
  • Metasploit
  • Meterpreter shells
  • Privilege escalation
  • Portfwd / pivoting

Results and Recommendations

The host 10.20.160.41 was easily compromised using an existing exploit for a vulnerable FTP service running on port 21.

Once access to this host was gained, a .bat file containing user credentials in plaintext was found that, when run, opened a vulnerable SSH service on the second host. It was possible to use portfwd to pivot into this host and find the second flag.

My recommendations are to evaluate the services running on all hosts. If they are essential services, update them to the most recent version. If they are not essential, terminate them.

More importantly, users should be educated on how to store credentials and told to delete or remove any files that contain passwords.
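Because the pivot in this challenge hinged on a batch file holding plaintext credentials, here is an added example (written for this write-up, not part of the original submission) of a small Python audit script that flags hard-coded secrets in .bat/.cmd scripts. The regexes, the sample script and the value "hunter2" are constructed for illustration; the script skips "set /p" prompts, "*" (prompt-for-password) and %VAR% references so that only literal secrets are reported.

```python
import re

# Regexes for hard-coded secrets commonly seen in Windows batch scripts; each
# captures the literal in a group named "secret" so the report can redact it.
CREDENTIAL_PATTERNS = [
    # set PASSWORD=hunter2   set "DB_PWD=hunter2"   (a "set /p" prompt does not match)
    re.compile(r'^\s*set\s+"?\w*(?:pass|pwd|secret|token)\w*\s*=\s*(?P<secret>[^"\s]+)', re.I),
    # net use Z: \\host\share hunter2 /user:DOMAIN\bob   (password precedes /user:)
    re.compile(r"\bnet\s+use\b.*?\s(?P<secret>\S+)\s+/user:", re.I),
    # plink ... -pw hunter2   psexec ... -p hunter2   sshpass -p hunter2
    re.compile(r"\b(?:sshpass|plink|psexec)\b.*?\s-(?:p|pw)\s+(?P<secret>\S+)", re.I),
    # generic fallback: password=hunter2, passwd: hunter2
    re.compile(r"\b(?:password|passwd)\s*[:=]\s*(?P<secret>\S+)", re.I),
]


def scan_text(text, name="<input>"):
    """Return (name, line_no, redacted_line) for each line holding a literal secret."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().lower().startswith(("rem ", "::")):
            continue  # batch comment line
        for pat in CREDENTIAL_PATTERNS:
            m = pat.search(line)
            if not m:
                continue
            secret = m.group("secret")
            # "*" asks net use to prompt; %VAR% is a reference, not a literal secret.
            if secret != "*" and not secret.startswith("%"):
                findings.append((name, no, line.replace(secret, "***")))
            break
    return findings


# Constructed sample resembling the Step 5 script (not the real file from the host).
SAMPLE_BAT = r"""@echo off
REM start the SSH service on the second host
set SSH_HOST=10.0.170.87
set "SSH_PASS=hunter2"
net use Z: \\%SSH_HOST%\admin$ hunter2 /user:CORP\svc_ssh
plink -ssh svc_ssh@%SSH_HOST% -pw hunter2 "sudo systemctl start ssh"
set /p OTHER=Enter a value:
set TOKEN=%API_TOKEN%
"""

if __name__ == "__main__":
    for name, no, snippet in scan_text(SAMPLE_BAT, "start_ssh.bat"):
        print(f"{name}:{no}: {snippet}")
```

Run it over a share or a user's home directory with a loop over *.bat and *.cmd files to find the kind of script that enabled the pivot here.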

Project details

I included my PDF submission in this repository, although it had many issues like the executive summary being too technical, and the second flag not being found. In this section I will walk through this project in a more succinct manner.

Step 1

As with any CTF challenge, I started out with some basic network scans to find potential points of entry. The rules of engagement specified two host ranges to attack, 10.20.160.10-150 and 10.20.170.20-100, so both of these ranges were scanned with the commands:

nmap --open 10.20.160.10-150

nmap --open 10.20.170.20-100

The results are shown in this screenshot: [screenshot]

Step 2

Based on the initial scan results, it is clear that 10.20.160.41 is the host we will most likely have to target first. Next I did a more detailed scan of this host with the following command:

nmap -A 10.20.160.41

(maybe overly aggressive, I know). The results of the scan are as follows:

[screenshot]

The open port 21 running a "Konica Minolta FTP Utility" stood out as being highly likely to be vulnerable.

Step 3

Next, I began searching through Metasploit for existing exploits. Many exploits related to "Konica Minolta" existed, so I figured I was on the right track:

[screenshot]

After many attempts at different exploits, finally one was found that successfully opened a meterpreter shell:

[screenshot]

Step 4

With a meterpreter session open, I was free to explore the host's file system in which the first flag "proof.txt" was found:

[screenshot]

The compromised user did not have admin privileges, so I would have to find another way to gain access to the second system.

Step 5

In the first host's files, a batch file was found with plaintext credentials stored in it:

[screenshot]

This batch file could be run to start an SSH service on host 10.0.170.87. From here a series of attempts were made to use portfwd to pivot into the now-open SSH service on the new host.

[screenshot]

[screenshot]

Ultimately I was not able to gain access to the second host, although using portfwd was the correct solution.
