2020 Metasploit Community CTF Write-up

Metasploit Community CTF

The SETUID Ace of Clubs (port 9009)

This challenge started with an unknown login to a server. Log in as admin to get started. Turns out, everyone’s favorite admin/password worked. No tricks, I just guessed. Once logged in, I looked around manually for anything interesting. Later I found some useful CTF and Linux escalation scripts that will help in the future. I soon found that we have an ace_of_clubs.png in the /etc folder, and an interesting vpn_connect executable in the /opt directory.

Our prize awaits with root privileges
Bash-based redirection
Bash reverse shell — but only as our user. :(
Correct User/Pass… overwritten flag. Time to revert!
Ghidra reversed it straight to source code. Beautiful.
Overwriting /etc/passwd
Confirmed root privileges
FTW

SpyHunter — Eight of Diamonds (port 5555)

Switching gears. This one is a type of challenge I’ve always wanted to take the time to solve: game automation. When you connect to the port you’re dropped into something that reminds me of SpyHunter, a driving game where you have to dodge other cars. If your ^ car is hit, the game is over and the server tells you you're not as fast as a computer!

Rapid prototyping made easy
drive.py test run
Ready to Drive
Watching it move!

Password Functions — 4 of Clubs

This will be a short write-up, but it took me a long time. Everything you need for the challenge is right here:

The Challenge
Guessing a hash
Finally

Game Review — 2 of Spades

This was a straightforward SQL injection challenge with a twist in that the database is SQLite based, rather than following the more well-known MySQL exploit paths.

Ah, this is SQLite
Enumerate column numbers and output location

Moose Gallery — 6 of Diamonds

File upload bypass and web shell

Don’t mind if I do!
Moose!
  1. Send a web shell like <?php system($_GET['cmd']); ?> as the content of the uploaded file, and name the file something.jpg.php. This double-extension filename often gets by basic filename filtering, as the filter sees the first "." and ignores the second extension. If successful, and the site isn’t looking at file content, it would give us a shell we could do anything with through requests to the page such as /page.php?cmd=ls ← obviously what we want to happen here! No joy.
  2. The next level is to put a simple GIF image header, GIF89a1, in front of your PHP shell payload, but that didn’t work either.
  3. Exif content fields in JPG images are known to work as well. Let’s go that route.
That directory looks interesting
There’s our flag!
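For the defender's side of this section, here is an added example (my own code, not the gallery's or the CTF's) of an upload check that rejects each of the three tricks above: the double extension, the GIF89a prefix, and PHP hidden in JPEG/EXIF bytes. The allowed types and sample payloads are assumptions constructed for the example.

```python
import re
import secrets

# Magic bytes for the image types the gallery is assumed to accept.
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
}
ALLOWED_EXT = {"jpg", "jpeg", "gif", "png"}
# A PHP open tag anywhere in the bytes, including inside EXIF comment fields.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for a user-supplied filename and its bytes."""
    parts = filename.lower().split(".")
    # Exactly one extension: "something.jpg.php" is rejected outright.
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]+", parts[0]):
        return False, "filename must be name.ext with a single extension"
    ext = parts[1]
    if ext not in ALLOWED_EXT:
        return False, f"extension .{ext} not allowed"
    # The content must really be an image, and of the type the extension claims,
    # so a GIF89a header on a file called moose.jpg is rejected.
    kind = next((k for m, k in MAGIC.items() if data.startswith(m)), None)
    if kind is None:
        return False, "content is not a recognised image"
    expected = "jpg" if ext == "jpeg" else ext
    if kind != expected:
        return False, f"extension .{ext} does not match {kind} content"
    # Magic bytes alone are not enough: scan the whole body for a PHP tag.
    if PHP_TAG.search(data):
        return False, "embedded PHP tag in image bytes"
    return True, "ok"


def storage_name(ext: str) -> str:
    """Server-chosen name; the user-supplied name never reaches the disk."""
    return secrets.token_hex(16) + "." + ext


# Constructed samples mirroring the write-up's three attempts plus a clean image.
SHELL = b"<?php system($_GET['cmd']); ?>"
DOUBLE_EXT = check_upload("something.jpg.php", SHELL)
GIF_PREFIX = check_upload("shell.gif", b"GIF89a" + SHELL)
EXIF_SHELL = check_upload("moose.jpg", b"\xff\xd8\xff\xe1\x00\x30Exif\x00\x00" + SHELL)
CLEAN_JPEG = check_upload("moose.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 16)
```

The tag scan is defence in depth only; the upload directory should also be served without script execution, so even a file that slips past the checks is returned as bytes rather than run.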

Black Joker — I Hate Salt Password Cracking

This was a fun test of observation and having access to a password cracking setup. It probably wouldn’t take much time for even an underpowered system to solve this one.

Subdomain Brute-Force — 9 of Diamonds

This challenge took a little Burp guesswork and Host header configuration. When you visit the initial page by IP address you get a redirection to intranet.metasploit.ctf, which of course would fail in our browser as we don’t have an entry for that.

Answer Guessing — 3 of Spades

This was one of the first ones solved, but it’s a good example of how quickly brute-forced queries can find things. Security through obscurity does not work.
