Welcome to the Vulnerability Assessment CTF 1 room of the eJPT lab series. Let’s get started!
The first task wants us look into directories to find our first flag. First we’ll start with our usual nmap scan and then move into directory enumeration so we don’t miss anything.
nmap -sV -sC 192.181.90.3
Starting Nmap 7.92 ( <https://nmap.org> ) at 2026-01-08 21:17 IST
Nmap scan report for target.ine.local (192.181.90.3)
Host is up (0.000027s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-git:
| 192.181.90.3:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
| Remotes:
|_ <https://github.com/fermayo/hello-world-lamp.git>
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| http-robots.txt: 8 disallowed entries
| passwords/ config.inc classes/ javascript/
|_owasp-esapi-php/ documentation/ phpmyadmin/ includes/
3306/tcp open mysql MySQL 5.5.47-0ubuntu0.14.04.1
| mysql-info:
| Protocol: 10
| Version: 5.5.47-0ubuntu0.14.04.1
| Thread ID: 8
| Capabilities flags: 63487
| Some Capabilities: LongColumnFlag, FoundRows, SupportsCompression, ODBCClient, Speaks41ProtocolOld, SupportsLoadDataLocal, IgnoreSigpipes, InteractiveClient, ConnectWithDatabase, Speaks41ProtocolNew, Support41Auth, DontAllowDatabaseTableColumn, LongPassword, SupportsTransactions, IgnoreSpaceBeforeParenthesis, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
| Status: Autocommit
| Salt: C4uvoJe=@feFlpnU@}yg
|_ Auth Plugin Name: mysql_native_password
MAC Address: 02:42:C0:B5:5A:03 (Unknown)
Above we can see two ports were found, 80 and 3306 with some interesting paths found in the robots.txt file. We should also note the .git/ path as well in this scan since it may be relevant later. I’ve also listed the robots.txt file below for better organization. In a later task we’ll revisit this list for further enumeration.
User-agent: *
Disallow: passwords/
Disallow: config.inc
Disallow: classes/
Disallow: javascript/
Disallow: owasp-esapi-php/
Disallow: documentation/
Disallow: phpmyadmin/
Disallow: includes/
Focusing on this task let’s go back to enumerating and run a directory scan with dirb.
dirb <http://target.ine.local>
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Jan 8 21:29:21 2026
URL_BASE: <http://target.ine.local/>
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: <http://target.ine.local/> ----
+ <http://target.ine.local/.git/HEAD> (CODE:200|SIZE:23)
==> DIRECTORY: <http://target.ine.local/ajax/>
+ <http://target.ine.local/cgi-bin/> (CODE:403|SIZE:291)
==> DIRECTORY: <http://target.ine.local/classes/>
==> DIRECTORY: <http://target.ine.local/config/>
==> DIRECTORY: <http://target.ine.local/data/>
==> DIRECTORY: <http://target.ine.local/documentation/>
==> DIRECTORY: <http://target.ine.local/images/>
==> DIRECTORY: <http://target.ine.local/includes/>
+ <http://target.ine.local/index.php> (CODE:200|SIZE:52794)
One of our first results is the same .git/ path we saw in our nmap scan. Let’s investigate by checking its path.
FLAG1_b28064bcae054ccbac914858ae757e90