Welcome to the Metasploit Framework CTF 2 lab in the eJPT course. Let’s jump into it!

Attacker IP: 192.68.234.2

Target IPs: target1.ine.local - 192.68.234.3

                target2.ine.local - 192.68.234.4

• Flag 1: Enumerate the open port using Metasploit, and inspect the RSYNC banner closely; it might reveal something interesting.

We’ll start with our standard nmap script. As the task stated we notice an RSYNC service on open port 873 so this is likely our attack path.

nmap -sV -sC 192.68.234.3

Starting Nmap 7.94SVN ( <https://nmap.org> ) at 2026-01-13 04:39 IST
Nmap scan report for target1.ine.local (192.68.234.3)
Host is up (0.000027s latency).
Not shown: 999 closed tcp ports (reset)
PORT    STATE SERVICE VERSION
873/tcp open  rsync   (protocol version 31)
MAC Address: 02:42:C0:44:EA:03 (Unknown)

We can use the rsync tool to enumerate the target. Below we can see that we grabbed the banner that included the flag and what looks like a backup directory we’ll likely need later.

rsync rsync://target1.ine.local
backupwscohen   FLAG1_8e04b8947e8c45c7be75ff5a42dd29f1

• Flag 2: The files on the RSYNC server hold valuable information. Explore the contents to find the flag.

Our clue sounds clearly related to the last task and that backupwscohen directory. We can take that directory and add it to our rsync command to enumerate the server further.

rsync rsync://target1.ine.local/backupwscohen

drwxr-xr-x          4,096 2026/01/13 04:03:51 .
-rw-r--r--             20 2024/10/28 15:05:40 TPSData.txt
-rw-r--r--             25 2024/10/28 15:05:40 office_staff.vhd
-rw-r--r--             39 2026/01/13 04:03:51 pii_data.xlsx