Welcome to the second System-Host Based Attacks CTF 2 lab from eJPT. This will be a walkthrough guide of how to complete each task. Let’s get started!
Attacking IP: 192.73.138.2
Target IPs: target1.ine.local - 192.73.138.3
target2.ine.local - 192.73.138.4
We start off with an nmap and dirb scan to see what environments we’re working with.
nmap -sV -sC 192.73.138.3
Starting Nmap 7.94SVN ( <https://nmap.org> ) at 2026-01-11 22:34 IST
Nmap scan report for target1.ine.local (192.73.138.3)
Host is up (0.000026s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.6 ((Unix))
|_http-server-header: Apache/2.4.6 (Unix)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Browser Detector
MAC Address: 02:42:C0:49:8A:03 (Unknown)
dirb <http://target1.ine.local>
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun Jan 11 22:35:50 2026
URL_BASE: <http://target1.ine.local/>
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: <http://target1.ine.local/> ----
+ <http://target1.ine.local/cgi-bin/> (CODE:403|SIZE:210)
+ <http://target1.ine.local/index.html> (CODE:200|SIZE:517)
==> DIRECTORY: <http://target1.ine.local/static/>
After some initial enumeration with nmap and dirb and not finding anything super obvious we should continue enumerating and go look at the website.
Coming across this browser.cgi gives us a clue on how we can approach this. When we see .cgi we need to understand that this is a dynamic endpoint and could be susceptible to an injection attack. We can use a tool like burpsuite to test this theory and see if we can inject commands into this site to gain knowledge or access.
Let’s fire up burpsuite and capture some traffic from the URL we just visited and see what we can manipulate. We can start with changing the User Agent field with this command and see if it returns some results.