Host & Network Penetration Testing: Exploitation CTF 3

Welcome to the Exploitation CTF 3 lab by eJPT. This writeup will act as a guide to help you find a correct path to each flag.

Attacker IP: 192.119.27.2

Target IPs: target1.ine.local - 192.119.27.3

                target2.ine.local -

Flag 1: A vulnerable service maybe running on target1.ine.local. If exploitable, retrieve the flag from the root directory.

Ok so this task seems straight forward. We’re being told we have a vulnerable service and the flag is in the root directory.

nmap -sV -sC 192.119.27.3

Starting Nmap 7.94SVN ( <https://nmap.org> ) at 2026-01-15 06:11 IST
Nmap scan report for target1.ine.local (192.119.27.3)                                                                                                                                                                                      
Host is up (0.000026s latency).                                                                                                                                                                                                            
Not shown: 998 closed tcp ports (reset)                                                                                                                                                                                                    
PORT   STATE SERVICE VERSION
                                                                                                                                                                                                               
21/tcp open  ftp     ProFTPD 1.3.5
                                                                                                                                                                                                         
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))                                                                                                                                                                                        
|_http-server-header: Apache/2.4.41 (Ubuntu)                                                                                                                                                                                               
|_http-title: Apache2 Ubuntu Default Page: It works                                                                                                                                                                                        
MAC Address: 02:42:C0:77:1B:03 (Unknown)                                                                                                                                                                                                   
Service Info: OS: Unix

We find an interesting web server that’s telling us to replace this file path. Let’s dig into this more.

{016DB91A-E50E-4608-886C-300C0EDA7DCD}.png

Let’s fire up metasploit and search for the ProFTPD service.

service postgresql start && msfconsole -q

Starting PostgreSQL 16 database server: main.
msf6 > search proftpd

Matching Modules
================

   #   Name                                                                 Disclosure Date  Rank       Check  Description
   -   ----                                                                 ---------------  ----       -----  -----------
   0   exploit/linux/misc/netsupport_manager_agent                          2011-01-08       average    No     NetSupport Manager Agent Remote Buffer Overflow
   1   exploit/linux/ftp/proftp_sreplace                                    2006-11-26       great      Yes    ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)
   2     \\_ target: Automatic Targeting                                     .                .          .      .
   3     \\_ target: Debug                                                   .                .          .      .
   4     \\_ target: ProFTPD 1.3.0 (source install) / Debian 3.1             .                .          .      .
   5   exploit/freebsd/ftp/proftp_telnet_iac                                2010-11-01       great      Yes    ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)
   6     \\_ target: Automatic Targeting                                     .                .          .      .
   7     \\_ target: Debug                                                   .                .          .      .
   8     \\_ target: ProFTPD 1.3.2a Server (FreeBSD 8.0)                     .                .          .      .
   9   exploit/linux/ftp/proftp_telnet_iac                                  2010-11-01       great      Yes    ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)
   10    \\_ target: Automatic Targeting                                     .                .          .      .
   11    \\_ target: Debug                                                   .                .          .      .
   12    \\_ target: ProFTPD 1.3.3a Server (Debian) - Squeeze Beta1          .                .          .      .
   13    \\_ target: ProFTPD 1_3_3a Server (Debian) - Squeeze Beta1 (Debug)  .                .          .      .
   14    \\_ target: ProFTPD 1.3.2c Server (Ubuntu 10.04)                    .                .          .      .
   15  exploit/unix/ftp/proftpd_modcopy_exec                                2015-04-22       excellent  Yes    ProFTPD 1.3.5 Mod_Copy Command Execution
   16  exploit/unix/ftp/proftpd_133c_backdoor                               2010-12-02       excellent  No     ProFTPD-1.3.3c Backdoor Command Execution

Interact with a module by name or index. For example info 16, use 16 or use exploit/unix/ftp/proftpd_133c_backdoor

msf6 > use 15

Great, we found one that should work. Let’s select it and setup our options.