ParrotCTFs Rejetto Walkthrough

Another Linux Machine Rejetto from ParrotCTFs , this room is release arena you can also try it if you want , Here : Machine Link , its very straight forward solution to rooting the machine . This machine is targeting the personal, starting in cybersecurity.

Name	Rejetto
Difficulty	Easy
Category	Server Side Template Injection
Description	A classic file-sharing service hums along, offering simple access to a few public resources. It looks stable, even nostalgic, perhaps a relic from another era. But age often brings oversight. Explore its behavior, peek into its features, and you might just find something that wasn’t meant to be shared

So let’s start:

• First we can connect with the vpn

• now we can start the machine ( if machine not seems to work , do reset and try again )

# Enumeration

• let’s first start with the basic nmap scan …

┌──(kali㉿kali)-[~/Downloads]
└─$ nmap -sC -sV -p- 10.73.0.27 --min-rate=1500
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-21 06:28 EDT
Nmap scan report for 10.73.0.27
Host is up (0.20s latency).
Not shown: 65521 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
80/tcp    open  http          HttpFileServer httpd 2.3m
|_http-server-header: HFS 2.3m
|_http-title: HFS /
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
5040/tcp  open  unknown
5357/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
7680/tcp  open  pando-pub?
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: REJETTO-HTTP-FI, NetBIOS user: <unknown>, NetBIOS MAC: bc:24:11:d5:52:0b (Proxmox Server Solutions GmbH)
| smb2-time: 
|   date: 2025-05-13T11:28:53
|_  start_date: N/A
|_clock-skew: -7d23h03m14s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 224.53 seconds

• i find out the at port 80 , HttpFileServer(HFS) httpd 2.3 service is running and other ports are open too .
• i search this service name on the google and find out that version is vulnerable and assigned a cve ( CVE-2024-23692 ) .

• then i look in to the metasploit for module to this vulnerability .
• and i find out one .

# Exploitation

• let’s select the module and see the options for this module , which have to be set before running this .

• now i had setup all the options required for this module , let’s exploit it ( we can also check before running this , that it is indeed vulnerable or not and it is bytheway)

• now i have shell of Administrator ( you can check help menu for command in metasploit )

• as i get shell as administrator , now we can access both user flag and root flag without privilege Escalation .
• we can also get the native cmd shell using shell command in metasploit.
• i also note that jady is the user for this machine, from his desktop folder we have to extract the user flag .

• root flag .

# Final Thoughts

I hope this blog continues to be helpful in your learning journey!. If you find this blog helpful, I’d love to hear your thoughts — my inbox is always open for feedback. Please excuse any typos, and feel free to point them out so I can correct them. Thanks for understanding and happy learning!. You can contact me on Linkedin and Twitter
linkdin
Twitter
Machine Platform