2024 Business CTF - Vault of Hope: Swarm
Challenge Information
| Attribute | Details |
|---|---|
| Event | 2024 Business CTF - Vault of Hope |
| Category | Full Penetration Test |
| Challenge | Swarm |
| Difficulty | Hard |
Summary
Swarm is a full penetration test challenge involving comprehensive enumeration of multiple HTTP services running on different ports (80 and 5000) and SSH access (port 22). The challenge requires systematic reconnaissance, vulnerability identification, and exploitation. The extensive reconnaissance phase provides detailed information about service versions, technologies, and potential attack vectors.
Analysis
Discovered Services:
- SSH (Port 22):
  - Service: OpenSSH
  - Used for: Remote shell access
  - Exploitation methods: Brute-forcing, credential abuse, SSH key injection
- HTTP (Port 80):
  - Service: nginx
  - Technology: Static website or application
  - Enumeration targets: Directories, virtual hosts, file extensions
- HTTP (Port 5000):
  - Service: Alternative HTTP service
  - Potential frameworks: Flask, Node.js, Python web application
  - Discovery paths: Web root enumeration, technology identification
Enumeration Strategy:
The challenge notes include comprehensive enumeration commands for both ports:
```bash
# Port 80 enumeration
feroxbuster -u http://swarm.htb:80 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
  -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -r

# Port 5000 enumeration
feroxbuster -u http://swarm.htb:5000 -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
  -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -r
```
Solution
Phase 1: Initial Reconnaissance
- Port Scanning:
  ```bash
  nmap -sC -sV swarm.htb
  # Identifies open ports and services
  ```
- Service Enumeration:
  ```bash
  # Check HTTP response headers
  curl -I http://swarm.htb:80
  curl -I http://swarm.htb:5000
  ```
Phase 2: HTTP Enumeration (Port 80)
- Technology Identification:
  ```bash
  whatweb http://swarm.htb:80
  nikto -h http://swarm.htb:80
  ```
- Directory Enumeration:
  ```bash
  feroxbuster -u http://swarm.htb:80 -t 10 \
    -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
    -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -r
  ```
- Virtual Host Discovery:
  ```bash
  ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
    -u http://swarm.htb -H "Host: FUZZ.swarm.htb" -fs 187
  ```
Phase 3: HTTP Enumeration (Port 5000)
- Service Identification:
  ```bash
  whatweb http://swarm.htb:5000
  nikto -h http://swarm.htb:5000
  ```
- Application Directory Scan:
  ```bash
  feroxbuster -u http://swarm.htb:5000 -t 10 \
    -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
    -x "txt,html,php,asp,aspx,jsp" -v -k -n -e -r
  ```
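From the defending side, the directory scans in Phases 2 and 3 leave a recognisable pattern in the web server's access log: one client, mostly 404 responses, and the same path stem requested with several of the extensions from the `-x` list. The following is an added example, not part of the original write-up; it assumes nginx's default "combined" log format, and the thresholds, function names and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Extensions from the feroxbuster -x list in the write-up.
EXTS = {"txt", "html", "php", "asp", "aspx", "jsp"}
# nginx "combined" format: ip - user [time] "METHOD path proto" status bytes ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*" (\d{3}) ')

def scan_clients(lines, min_requests=8, min_404_ratio=0.8, min_stems=2):
    """Return {ip: stats} for clients whose traffic looks like forced browsing."""
    total = defaultdict(int)
    not_found = defaultdict(int)
    stems = defaultdict(lambda: defaultdict(set))  # ip -> stem -> extensions seen
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, path, status = m.group(1), m.group(2).split("?", 1)[0], m.group(3)
        total[ip] += 1
        if status == "404":
            not_found[ip] += 1
        stem, dot, ext = path.rpartition(".")
        if dot and ext.lower() in EXTS:
            stems[ip][stem].add(ext.lower())
    flagged = {}
    for ip, n in total.items():
        ratio = not_found[ip] / n
        # A stem probed with 3+ listed extensions is the -x fan-out signature.
        fanned = sorted(s for s, e in stems[ip].items() if len(e) >= 3)
        if n >= min_requests and ratio >= min_404_ratio and len(fanned) >= min_stems:
            flagged[ip] = {"requests": n, "ratio_404": round(ratio, 2), "stems": fanned}
    return flagged

def _line(ip, path, status):  # builds one constructed access-log line
    return f'{ip} - - [01/Jan/2024:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 153 "-" "-"'

# Constructed sample: 10.0.0.5 fans two stems over the extension list,
# 10.0.0.9 is an ordinary visitor with a single 404.
SAMPLE = [_line("10.0.0.5", f"/{w}{e}", 404)
          for w in ("admin", "backup") for e in ("", ".txt", ".html", ".php", ".asp")]
SAMPLE += [_line("10.0.0.5", "/index.html", 200)]
SAMPLE += [_line("10.0.0.9", p, 200) for p in ("/", "/index.html", "/about.html", "/style.css")]
SAMPLE += [_line("10.0.0.9", "/favicon.ico", 404)]

if __name__ == "__main__":
    for ip, stats in scan_clients(SAMPLE).items():
        print(ip, stats)
```

Run it separately against the log of each listener (port 80 and port 5000), since each service is scanned independently.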
Phase 4: SSH Enumeration (Port 22)
- Version Detection:
  ```bash
  nmap -sV -p 22 swarm.htb
  ssh -v swarm.htb
  ```
- Brute-Force Attempts:
  ```bash
  hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt \
    -P /usr/share/seclists/Passwords/darkweb2017-top100.txt \
    -e nsr -s 22 -o hydra_ssh.txt ssh://swarm.htb
  medusa -U /usr/share/seclists/Usernames/top-usernames-shortlist.txt \
    -P /usr/share/seclists/Passwords/darkweb2017-top100.txt \
    -e ns -n 22 -O medusa_ssh.txt -M ssh -h swarm.htb
  ```
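On the server, a username-list run like the one above shows up in the sshd auth log as many failed passwords for many different accounts from one source, and the event that matters most is an accepted password from that same source afterwards. The following is an added example, not part of the original write-up; it assumes the standard OpenSSH "Failed password" / "Accepted password" log messages, and the thresholds, function names and sample lines are constructed.

```python
import re
from collections import defaultdict

# OpenSSH auth-log messages for password attempts (syslog prefix is ignored).
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted password for (\S+) from (\S+) port \d+")

def ssh_guessing(lines, min_failures=5, min_users=3):
    """Return {ip: report} for sources that fail against many usernames.

    'logins_after' lists accounts that later accepted a password from the same
    source: the case that needs credential rotation and host triage.
    """
    failures = defaultdict(int)
    users = defaultdict(set)
    logins_after = defaultdict(list)
    for line in lines:
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users[ip].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            user, ip = m.groups()
            # Only count a login once the source already crossed both thresholds.
            if failures.get(ip, 0) >= min_failures and len(users.get(ip, ())) >= min_users:
                logins_after[ip].append(user)
    return {
        ip: {"failures": n, "users": len(users[ip]), "logins_after": logins_after.get(ip, [])}
        for ip, n in failures.items()
        if n >= min_failures and len(users[ip]) >= min_users
    }

def _log(pid, msg):  # builds one constructed syslog line
    return f"Jan  1 10:00:00 host sshd[{pid}]: {msg}"

# Constructed sample: 10.0.0.5 walks a username list, then one guess succeeds;
# 10.0.0.9 is a user who mistyped a password once.
SAMPLE = [_log(100 + i, f"Failed password for invalid user {u} from 10.0.0.5 port {40000 + i} ssh2")
          for i, u in enumerate(["admin", "test", "guest", "oracle", "ftp"])]
SAMPLE += [_log(110, "Failed password for root from 10.0.0.5 port 40010 ssh2"),
           _log(111, "Accepted password for dev from 10.0.0.5 port 40011 ssh2"),
           _log(200, "Failed password for alice from 10.0.0.9 port 50000 ssh2"),
           _log(201, "Accepted password for alice from 10.0.0.9 port 50001 ssh2")]

if __name__ == "__main__":
    print(ssh_guessing(SAMPLE))
```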
Phase 5: Vulnerability Identification
Based on enumeration results:
- Known Vulnerabilities:
  - Research identified service versions
  - Check for public exploits
  - Test common misconfigurations
- Web Application Vulnerabilities:
  - Test discovered endpoints for injection flaws
  - Check for authentication bypass
  - Identify upload functionalities
Phase 6: Exploitation
Depending on discovered vulnerabilities:
- Remote Code Execution:
  - Via web application vulnerability
  - Via service-specific exploit
- Authentication Bypass:
  - Weak credentials
  - Credential stuffing
  - Authentication flaws
- File Inclusion/Traversal:
  - Access sensitive files
  - Retrieve application source code
Phase 7: Post-Exploitation
- Privilege Escalation:
  ```bash
  sudo -l
  find / -perm -4000 2>/dev/null
  ```
- Proof of Compromise:
  ```bash
  cat /root/root.txt
  ```
Enumeration Commands Reference
feroxbuster (recommended for recursive enumeration):
```bash
# Note: -n (--no-recursion) turns recursion off; omit it for a recursive scan
feroxbuster -u http://swarm.htb -t 10 -w wordlist.txt -x extensions -v -k -n -e -r
```
gobuster (alternative):
```bash
gobuster dir -u http://swarm.htb -w wordlist.txt -x php,html,txt
```
nikto (CGI and server vulnerabilities):
```bash
nikto -h http://swarm.htb:80
```
whatweb (technology fingerprinting):
```bash
whatweb http://swarm.htb:80
```
Key Takeaways
- Multiple HTTP services on different ports require independent enumeration
- SSH brute-forcing should use relevant wordlists with common credentials
- Technology fingerprinting helps identify version-specific vulnerabilities
- Recursive directory enumeration reveals deeper application structure
- Virtual host enumeration may expose additional attack surfaces
- Service-specific tools (nikto, whatweb) complement generic scanners
- Credential brute-forcing against SSH may succeed before exploitation
- Systematic approach to enumeration prevents overlooking attack vectors
- Documentation of all enumeration results aids in exploitation planning