Welcome to the second lab writeup of the eJPT. Let’s get started!
Objective: Perform reconnaissance on the target and capture all the flags hidden within the environment.
Attacking IP: 192.195.89.2
Target: http://target.ine.local - 192.195.89.3
Flags to Capture:
We’ll start off with our nmap scan to see what we can find. The first task sounds like a server will provide us with some kind of response that is the flag. I like using the -sV and -sC options with nmap because together they provide more detail and service enumeration in the scan.
In the scan below, the first flag appears twice: as a second Server response header in both the GetRequest and HTTPOptions probes against port 80.
nmap -sV -sC target.ine.local
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 22 Oct 28 2024 creds.txt
|_-rw-r--r-- 1 0 0 39 Jan 04 23:17 flag.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.195.89.2
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.5 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 a5:93:0f:6b:5a:77:f1:77:e8:2e:c9:31:e7:df:66:06 (ECDSA)
|_ 256 b6:0d:e4:92:36:30:79:b7:31:91:3b:a0:1f:c1:ee:85 (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: localhost.members.linode.com, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
| ssl-cert: Subject: commonName=localhost
| Subject Alternative Name: DNS:localhost
| Not valid before: 2024-10-28T06:10:50
|_Not valid after: 2034-10-26T06:10:50
|_ssl-date: TLS randomness does not represent time
80/tcp open http Werkzeug/3.0.6 Python/3.10.12
| http-robots.txt: 3 disallowed entries
|_/photos /secret-info/ /data/
|_http-title: CTF Challenge
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Server: Werkzeug/3.0.6 Python/3.10.12
| Date: Sun, 04 Jan 2026 23:31:35 GMT
| Content-Type: text/html; charset=utf-8
| Content-Length: 2557
| Server: FLAG1_ddfac9a351d14d979616b82173b129a3
| Connection: close
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="UTF-8">
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <link rel="shortcut icon" href="#">
| <title>CTF Challenge</title>
| <style>
| body {
| font-family: 'Arial', sans-serif;
| margin: 0;
| padding: 0;
| background-color: #1c1c1c;
| color: #fff;
| background-color: #333;
| padding: 15px;
| text-align: center;
| list-style: none;
| margin: 0;
| padding: 0;
| display:
| HTTPOptions:
| HTTP/1.1 200 OK
| Server: Werkzeug/3.0.6 Python/3.10.12
| Date: Sun, 04 Jan 2026 23:31:35 GMT
| Content-Type: text/html; charset=utf-8
| Allow: GET, OPTIONS, HEAD
| Server: FLAG1_ddfac9a351d14d979616b82173b129a3
| Content-Length: 0
|_ Connection: close
|_http-server-header: Werkzeug/3.0.6 Python/3.10.12
143/tcp open imap Dovecot imapd (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost
| Subject Alternative Name: DNS:localhost
| Not valid before: 2024-10-28T06:10:50
|_Not valid after: 2034-10-26T06:10:50
|_imap-capabilities: SASL-IR ENABLE post-login capabilities more Pre-login have IDLE listed ID OK IMAP4rev1 LOGIN-REFERRALS LOGINDISABLEDA0001 LITERAL+ STARTTLS
993/tcp open ssl/imap Dovecot imapd (Ubuntu)
| ssl-cert: Subject: commonName=localhost
| Subject Alternative Name: DNS:localhost
| Not valid before: 2024-10-28T06:10:50
|_Not valid after: 2034-10-26T06:10:50
|_ssl-date: TLS randomness does not represent time
|_imap-capabilities: SASL-IR ENABLE post-login capabilities AUTH=PLAINA0001 more IDLE have ID listed IMAP4rev1 LOGIN-REFERRALS Pre-login LITERAL+ OK
3306/tcp open mysql MySQL 8.0.39-0ubuntu0.22.04.1
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=MySQL_Server_8.0.39_Auto_Generated_Server_Certificate
| Not valid before: 2024-10-28T06:11:13
|_Not valid after: 2034-10-26T06:11:13
| mysql-info:
| Protocol: 10
| Version: 8.0.39-0ubuntu0.22.04.1
| Thread ID: 14
| Capabilities flags: 65535
| Some Capabilities: FoundRows, ConnectWithDatabase, Speaks41ProtocolNew, Support41Auth, SupportsTransactions, LongColumnFlag, LongPassword, Speaks41ProtocolOld, SupportsCompression, IgnoreSigpipes, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, SwitchToSSLAfterHandshake, DontAllowDatabaseTableColumn, InteractiveClient, ODBCClient, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
| Status: Autocommit
| Salt: 2o'g7j\\x1FVor@"Xk0\\x10,b\\x1DE
|_ Auth Plugin Name: caching_sha2_password
Before we move on to the next challenge, we should take note of the other details from our scan that will help us later.
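One way to take those notes systematically, as an added example that is not part of the original writeup: the Python below reads `nmap -sV -sC` text output and lists, per port, the exposures that a hardening review of this host would flag. The rule labels, the `review` function and the abridged sample are assumptions constructed from the scan lines shown above.

```python
import re

# Constructed sample: abridged lines copied from the scan output above.
SAMPLE = """\
21/tcp open ftp vsftpd 3.0.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
25/tcp open smtp Postfix smtpd
|_smtp-commands: localhost.members.linode.com, PIPELINING, VRFY, ETRN, STARTTLS
80/tcp open http Werkzeug/3.0.6 Python/3.10.12
| http-robots.txt: 3 disallowed entries
|_/photos /secret-info/ /data/
| Server: Werkzeug/3.0.6 Python/3.10.12
| Server: FLAG1_ddfac9a351d14d979616b82173b129a3
3306/tcp open mysql MySQL 8.0.39-0ubuntu0.22.04.1
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")
SERVER_RE = re.compile(r"Server:\s*(.+)")
# Hypothetical rule set: (finding label, pattern matched against script output).
RULES = [
    ("anonymous FTP login allowed", re.compile(r"ftp-anon: Anonymous FTP login allowed")),
    ("SMTP VRFY advertised", re.compile(r"smtp-commands:.*\bVRFY\b")),
    ("robots.txt lists disallowed paths", re.compile(r"http-robots\.txt: \d+ disallowed")),
]

def review(scan_text):
    """Return {port: [finding, ...]} for ports with at least one finding."""
    findings, servers, port = {}, {}, None
    for line in scan_text.splitlines():
        m = PORT_RE.match(line)
        if m:  # a new "PORT STATE SERVICE" row starts a new section
            port = int(m.group(1))
            findings[port], servers[port] = [], set()
            if m.group(2) == "mysql":
                findings[port].append("database port reachable from scanner")
            continue
        if port is None:
            continue
        body = line.lstrip("|_ ")  # drop nmap's script-output gutter
        for label, rx in RULES:
            if rx.search(body) and label not in findings[port]:
                findings[port].append(label)
        hm = SERVER_RE.match(body)
        if hm:  # collect raw Server header values seen in fingerprints
            servers[port].add(hm.group(1).strip())
    for p, values in servers.items():
        if len(values) > 1:  # more than one value means an extra header is leaking data
            findings[p].append("multiple distinct Server headers")
    return {p: f for p, f in findings.items() if f}
```

Calling `review()` on the full scan text returns the same per-port findings, since ports without a matching rule (22, 143, 993 here) are omitted from the result.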