CTF 1 - The Metasploit Framework
Question 1
Gain access to the MSSQLSERVER account on the target machine to retrieve the first flag.
First, let's run an Nmap scan. We can see that an MSSQL 2012 server is listening on port 1433. We can search Metasploit for mssql 2012 and use the exploit module mssql_clr_payload. We now need to change the payload to a 64-bit one:
set payload windows/x64/meterpreter/reverse_tcp
Now that we have a Meterpreter session, let's open a shell and navigate to the root of the C: drive. List the files there and we have our first flag.
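As an added defender-side check (not part of the original write-up): mssql_clr_payload gets code execution by loading a .NET CLR assembly into SQL Server, which only runs when the clr enabled server option is on. The T-SQL below, assuming a sysadmin-level connection to the instance, reports that option and lists every user-defined assembly in each online database, so an unexpectedly enabled option or an unfamiliar assembly stands out during an audit.

```sql
-- Added audit query, not from the write-up. Assumes a sysadmin connection.

-- 1. Is CLR integration enabled? run_value = 1 means CLR assemblies can
--    be loaded and executed on this instance. 'clr enabled' is an
--    advanced option, so advanced options must be shown first.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'clr enabled';

-- 2. List user-defined CLR assemblies. sys.assemblies is per-database,
--    so iterate over every online database. Anything unfamiliar, and
--    especially an UNSAFE_ACCESS assembly, deserves investigation.
DECLARE @db  sysname;
DECLARE @sql nvarchar(max);
DECLARE dbs CURSOR FOR
    SELECT name FROM sys.databases WHERE state_desc = 'ONLINE';
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'SELECT ' + QUOTENAME(@db, '''') + N' AS database_name, '
             + N'name, permission_set_desc, create_date, modify_date '
             + N'FROM ' + QUOTENAME(@db) + N'.sys.assemblies '
             + N'WHERE is_user_defined = 1;';
    EXEC sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs;
DEALLOCATE dbs;
```

On a server that never intentionally hosts CLR code, a clr enabled run_value of 1 or any row returned by the second query is worth following up on.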
Question 2
Locate the second flag within the Windows configuration folder.
Navigate to C:\Windows\System32 and, to list only the directories, use dir /a:d. We do not have privileges to access the config folder. Let's terminate the shell, head back to our Meterpreter session and list our privileges with getprivs.
Since we have the SeImpersonatePrivilege privilege, we can run getsystem to elevate our privileges. Now let's open another shell and access the config folder to get the flag.
Question 3
The third flag is also hidden within the system directory. Find it to uncover a hint for accessing the final flag.
To search the system directory for text files:
dir C:\Windows\System32\*.txt /s /b
This shows only the text files that are there. We can then copy the path of the file EscalatePrivilageToGetThisFlag.txt and view its contents with:
type C:\Windows\System32\drivers\etc\EscalatePrivilageToGetThisFlag.txt
Question 4
Investigate the Administrator directory to find the fourth flag.
Now let's navigate to C:\Users\Administrator\Desktop to find the last flag.