Looking for an InfoSec Flex CEH Tutor/Mentor

davetuckmandavetuckman Member Posts: 4 ■■□□□□□□□□
edited May 2020 in CEH
Greetings all,
I am working through the InfoSec Flex CEH course. I am stuck and seeking someone wiser than myself on some of the Capture The Flag Cyber Range tasks that wrap up the course.

There's a total of 4 CTF Cyber Ranges. My current status
  • CTF1 is completed
  • CTF2 I've answered 2 of the 4 questions. need help with remaining 2
  • CFT3 I've answered 3 of the 4 questions. need help with remaining 1
  • CFT4 I've answered 0 of the 2 questions. need help with remaining 2
I think it's simple things that I'm just not connecting the dots on, and looking to learn. If anyone has experience with these and can help, that would be awesome. Happy to pay for someone's time/expertise. Thanks in advance.


  • OnubOnub Member Posts: 3 ■■□□□□□□□□
    Hey Dave! Are you still working through this? I've completed CTF3. And of course, according to the last question for CTF3, you won't be able to get through CTF4. I haven't started it yet but will after I comment. For the last question in CTF3, another hint is to learn how to use the w3m browser. I found an article on howtogeek that described how to go back and forth through pages and then change the url of the pages that you're on. Once you figure this out, you'll be able to use url encoded keys (i.e. %27 = %) to inject linux commands into the DNS query. Hope this helps. As for the other CTFs, I also completed CTF1, CTF2 I have to go back to the last question because I haven't figured it out, and I'm about to work on CTF4 now. Good luck!
  • keatronkeatron Security Tinkerer Member Posts: 1,213 ■■■■■■□□□□
    Howdy davetuckman! I wrote most of those CTF's. How can I be of assistance?

  • OnubOnub Member Posts: 3 ■■□□□□□□□□
    @keatron Perhaps you can help me. I'm still stuck on CTF2 question 4 where i have to find the password for the other FTP account. I found the the file for what I believe to be the other users for the VSFTPD program but there seems to be 4 users in it, which seems to be confusing me. I tried each of these users names with the aux ftp_login brute-force attack. I used several different word lists. However, I can't seem to crack any ftp logins. Can you give me another hint?
  • keatronkeatron Security Tinkerer Member Posts: 1,213 ■■■■■■□□□□
    edited June 2020
    Maybe consider some other approaches. Sometimes lazy developers and sysadmins will leave scripts, cron jobs and other things lying around that have hard coded credentials in them. Also if you've already gotten the first FTP password, consider that you've gotten at least basic access to the machine (as you are currently logged onto it now). If there is a job running using that credential, or if you think other users may be logging into that device from time to time, there ought to be a way to capture their creds when they log in since you're on the box. In a real engagement, you might wait weeks before somebody else logs in and you get those creds, but either way, as a pentester it is a good practice to have ways to set listeners or sniffers to grab anything incoming while you're on that box. Maybe the box has a sniffer or packet analyzer built-in? These hints should get you there. :wink:
  • davetuckmandavetuckman Member Posts: 4 ■■□□□□□□□□
    Greetings men - thanks so much for posting and reaching out. Hope you both are doing well.

    @keatron - here's where I'm stuck. Any assistance you can provide is much appreciated. thank you in advance
    • In CTF2 I've successfully answered questions 1, 2 and 4. In question 3, I am running metasploit exploit/unix/ftp/vsftpd_234_backdoor
      It runs, but asks please specify the password, then completes with no session created. I'm at a loss in what step(s) I'm missing
    • In CTF3 I've successfully answered questions 1 and 2. In question 3, I've tried various SQL injection values in username and password (different combinations) without success
      I understand the goal of the exercise, but not putting it all together.
    • In CTF3, question 4, I haven't been able to get to yet. 
    • In CTF4 I haven't started. I don't know where to start, and that's what made me realize I need a mentor/tutor.
      II can learn it, but I need help on this one.
    Hope that helps. Learned a ton through the whole course but stuck at 95% lol.  Again thanks.

  • keatronkeatron Security Tinkerer Member Posts: 1,213 ■■■■■■□□□□
    edited June 2020
    @davetuckman In question 3 on ctf2 have you considered looking at some of the auxiliary modules? Like you did in the lab exercises?

    In step 3 of CTF3 you must do actual injection. or 1=1 dash dash might look like or%201=1dashdash.  I didn't include actual dashes as to not get blocked on the forum. Basically you have to account for url encoding for the space. Most people forget that part and not encoding it properly will make your injection fail.  

    Work through these and then worry about step 4 and CTF4. You shouldn't overwhelm yourself trying to mentally digest too much at once. 

    Good luck and hope these help. 
  • davetuckmandavetuckman Member Posts: 4 ■■□□□□□□□□

    In question 3 of CTF2, I do believe I looked at the auxiliary modes but I'll have to dive back in over the weekend and verify.

    In step 3 of CTF3, I was writing the injection command in notepad, then copy/pasting in. It looked correct to me - but I'm obviously still learning. Just let me know if doing it that was a step in the wrong direction. At same time I'll google url encoding so I can ingest it on a deeper level. All part of what I am looking to learn.

    Thank you sir.
  • OnubOnub Member Posts: 3 ■■□□□□□□□□
    Ok. Thanks for your help on CTF2 @keatron.

    Now I'm on CTF4 and I'm not sure what's required for the flag. The flag simply asks, "What is FLAG 1?" 

    I'm not sure if I'm supposed to but the name of a script in here or something else. The hint that the CTF gives is "look at options that can be given to the sudo command." 

    A hint other than those given in the CTF would be greatly appreciated. 

  • davetuckmandavetuckman Member Posts: 4 ■■□□□□□□□□

    For CTF2, question 3, if you can provide any additional direction be much appreciated.

    I've tried vsftpd_234_backdoor and ftp_login. Tried using some of the password lists in /usr/share/wordlists and coming up with nothing.

  • keatronkeatron Security Tinkerer Member Posts: 1,213 ■■■■■■□□□□
    @davetuckman, i gave a hint on that one in the thread above. I suggested looking around for scripts, files etc. You also may want to consider sniffing on the system to see if anyone else logs in to the ftp service. 

    This is a public forum so others are reading as well. I'm not going to be too specific with hints as others may want to try a little harder on their own, and I'd hate to be the bearer of spoilers. If you want anything more specific, go ahead and send me a private message. 


  • jubeins499jubeins499 Member Posts: 1 ■□□□□□□□□□
    Hi. Could you help me with cft1? when it says To complete this step, enter the domain names of DNS servers, separated by spaces, and hit Enter.
  • keatronkeatron Security Tinkerer Member Posts: 1,213 ■■■■■■□□□□
    Hi. Could you help me with cft1? when it says To complete this step, enter the domain names of DNS servers, separated by spaces, and hit Enter.
    So did you find the authoritative DNS servers and enter them?
Sign In or Register to comment.