eCPPT - Network Penetration Testing Task 4

Hi everyone,

I’m currently working through the eCPPT Network Penetration Testing CTF and I’ve hit a wall on Task 4.

I successfully pivoted from the first compromised machine (server.prod.local) and was able to scan the second target, web.prod.local. I found three open TCP ports there, and while two of them revealed some interesting information, I haven’t been able to identify a clear vulnerability (I thought it would be SPIP, but no luck so far).

I’ve been stuck here for a few days now and would really appreciate a nudge or hint to get me moving in the right direction. Any help would be greatly appreciated!

Thanks in advance!

Joe

Hi all,

Just checking back in, unfortunately with no replies so far!

I tried doing the last exploit again, but I still haven’t succeeded! I know SPIP 4.3.1 is vulnerable, and I found several public exploits:

I feel like the biggest struggle is the virtual machine INE provides :grimacing:

It’s definitely not a big problem if I don’t catch this one flag, but I’d still like to learn what I could do in a case like this!

Your tips and tricks would be greatly appreciated!

Joe


I’m in EXACTLY the same situation.

I am stuck on a total of 9 flags on the eCPPT course skill checks:
Client Side Attacks CTF1 - flag 4
Network Penetration Testing CTF1 - flag 4 & 5
Lateral Movement & Pivoting CTF1 - flag 2, 3 & 5
Command & Control (C2/C&C) CTF 1 - flag 1, 2 & 3

I have the rest of the flags so if you would like to exchange notes let me know

Use this script instead; you don’t need to download dependencies.


I have no idea how to get flag 5 after using my method above to get flag 4. I checked the user’s .plan file via finger; it has the auditor’s private key, which can log in, but it cannot log in as root and cannot view the root user’s home directory. Anyone have an idea?

You have to log in first as auditor, then run sudo -l; there is an entry like: (ALL) NOPASSWD: /usr/bin/pip install *. Look for this binary on GTFOBins. Good luck.


I don’t really understand how to get the 4th flag. If you can explain the theory to me, I could understand it and try to apply it to exploit the vulnerable service. :C

Copy the code from the above-mentioned GitHub repository, create a file (exploit.py, for instance), paste the code, chmod +x it, and execute it with the target IP address, like: python3 exploit.py http://10.11.12.13


Stuck at getting in as auditor. Any suggestions on this one?

Thanks

Finally worked it out.

Great lab, learned a lot!!!


Flag 4 - Use the find /flag.txt

Flag 5 -

find / -type f \( -name "id_rsa" -o -name "id_dsa" -o -name "id_ecdsa" -o -name "id_ed25519" -o -name "*_key" \) 2>/dev/null

create a .txt file with the ssh private key

proxychains ssh -i /root/ssh.txt auditor@targetip

authenticate

sudo -l will show you the GTFOBins entry you can use for privilege escalation

search for pip on GTFOBins under sudo

find / -name flag5.txt 2>/dev/null

cd /root

cat flag5.txt

Good lab!
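A defender-side check for the kind of sudo entry this thread turns on, added here as an example (it is not code from the lab, from INE, or from any poster): it parses `sudo -l` output and flags rules that combine NOPASSWD, wildcard arguments and a binary that can run arbitrary code, such as pip install. The `sudo -l` text below is a constructed sample, not captured from the lab.

```python
import os
import re

# Constructed sample of `sudo -l` output, shaped like the entry described in the thread.
SAMPLE_SUDO_L = """\
Matching Defaults entries for auditor on web:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/bin

User auditor may run the following commands on web:
    (ALL) NOPASSWD: /usr/bin/pip install *
    (root) /usr/bin/systemctl restart nginx
    (ALL : ALL) ALL
"""

# Binaries whose sudo rules usually amount to root code execution once arguments are
# unrestricted: package managers that run install scripts, interpreters, pagers, editors.
CODE_EXEC_BINARIES = {"pip", "pip3", "python", "python3", "perl", "ruby", "find",
                      "vim", "vi", "less", "more", "awk", "bash", "sh", "env"}

# "(runas) TAG: TAG: command args" as printed by `sudo -l`
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")


def parse_sudo_rules(text):
    """Return the command rules listed after 'may run the following commands'."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            rules.append({"runas": m.group("runas").strip(),
                          "nopasswd": "NOPASSWD:" in m.group("tags"),
                          "cmd": m.group("cmd")})
    return rules


def assess_rule(rule):
    """Return risk findings for one rule; an empty list means nothing was flagged."""
    cmd = rule["cmd"]
    if cmd == "ALL":
        return ["unrestricted ALL command"]
    argv = cmd.split()
    findings = []
    if os.path.basename(argv[0]) in CODE_EXEC_BINARIES:
        findings.append(f"{os.path.basename(argv[0])} can execute arbitrary code")
    if any(ch in " ".join(argv[1:]) for ch in "*?["):
        findings.append("wildcard in arguments")
    if rule["nopasswd"]:
        findings.append("NOPASSWD")
    return findings


def audit_sudo_l(text):
    """Map each sudo command rule to its findings."""
    return {r["cmd"]: assess_rule(r) for r in parse_sudo_rules(text)}
```

Run `audit_sudo_l` over real `sudo -l` output (or the `(runas)` lines of /etc/sudoers) to spot entries like the pip rule before an attacker does; the fix is to drop the wildcard or the NOPASSWD tag, or to remove the rule.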

find /var/opt/.backups -type f -exec ls -l {} \; — use this find command after you get flag 4 with the Linux shell; it will help.
