CTF 2 - Post-Exploitation


Question 1

An insecure ssh user named alice lurks in the system.

Let's perform an Nmap scan on the target; it shows that SSH is running. As the hint says, there is a user called alice with a weak password. Let's brute-force her password with Hydra, using the Metasploit unix_passwords wordlist:

hydra -l alice -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt ssh://target.ine.local

Now that we have the password for the alice account, we can log in via SSH, or use the ssh_login Metasploit module to log in and upgrade the session to a Meterpreter session. Then
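The defender's side of this step is what the Hydra run looks like in the target's SSH log: a burst of "Failed password" lines from one source, often followed by an "Accepted password" once the wordlist hits. The following Python is an added example, not part of the original writeup, that parses a few constructed auth.log lines (the hostname, IPs and timestamps are made up) and flags both the burst and the success-after-failures pattern with a sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not from the page): a password-guessing burst
# against "alice" from 10.0.0.5 that ends in a successful login, plus benign noise.
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 target sshd[2101]: Failed password for alice from 10.0.0.5 port 51000 ssh2
Jan 10 12:00:01 target sshd[2102]: Failed password for alice from 10.0.0.5 port 51001 ssh2
Jan 10 12:00:02 target sshd[2103]: Failed password for alice from 10.0.0.5 port 51002 ssh2
Jan 10 12:00:02 target sshd[2104]: Failed password for invalid user bob from 10.0.0.5 port 51003 ssh2
Jan 10 12:00:03 target sshd[2105]: Failed password for alice from 10.0.0.5 port 51004 ssh2
Jan 10 12:00:03 target sshd[2106]: Accepted password for alice from 10.0.0.5 port 51005 ssh2
Jan 10 12:05:00 target sshd[2200]: Failed password for alice from 10.0.0.9 port 40000 ssh2
Jan 10 12:30:00 target sshd[2300]: Accepted publickey for ops from 10.0.0.20 port 40100 ssh2
"""

# Matches the sshd "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Return a dict for an sshd auth line, or None if the line is not one.
    syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=4, window=timedelta(seconds=60)):
    """Flag a source IP once it reaches `threshold` failures inside `window`,
    and flag any successful login from an IP that still has that many recent
    failures (the signature of a guessed password)."""
    failures = defaultdict(list)   # source ip -> [(timestamp, user), ...] inside window
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        ip, now = ev["ip"], ev["ts"]
        # Drop failures that have aged out of the sliding window.
        failures[ip] = [(t, u) for t, u in failures[ip] if now - t <= window]
        if ev["result"] == "Failed":
            failures[ip].append((now, ev["user"]))
            if len(failures[ip]) == threshold:   # fire once per crossing
                users = tuple(sorted({u for _, u in failures[ip]}))
                findings.append(("bruteforce", ip, users))
        elif len(failures[ip]) >= threshold:
            findings.append(("success_after_bruteforce", ip, ev["user"]))
    return findings


if __name__ == "__main__":
    for kind, ip, who in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(f"{kind}: {ip} -> {who}")
```

On the sample, the burst from 10.0.0.5 is reported at its fourth failure and the later "Accepted password" from the same address is reported as a success after brute force; the single failure from 10.0.0.9 and the key-based login for ops stay quiet. Threshold and window are deliberately small for the sample; on a real host they would be tuned to the normal failure rate.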

Question 2

Using the hashdump file discovered in the previous challenge, can you crack the hashes and compromise a user?

From the previous question, next to the flag, we found a hashdump.txt file. Copy its contents or download it, then crack the hashes with John the Ripper:

john --format=NT hashdump.txt

We have now found credentials for another user called david. Let's log in via SSH with those credentials to find the flag.
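The reason John gets through a hashdump so quickly is the format itself: each line is user:RID:LM:NT::: and the NT hash is an unsalted MD4 of the UTF-16LE password, so two accounts with the same password have the same hash, and a blank password always hashes to the same well-known value. The following Python is an added example, not the page's code, that parses constructed hashdump lines (the hash values are placeholders, not from the page) and reports the weaknesses an administrator can see before any cracking takes place.

```python
import re
from collections import defaultdict

# Well-known constants: the LM hash stored when LM hashing is disabled (or the
# password exceeds 14 characters) and the NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in pwdump format (user:RID:LM:NT:::); hashes are placeholders.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
david:1002:0011223344556677889900aabbccddee:0123456789abcdef0123456789abcdef:::
svc_backup:1003:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
"""

PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)


def parse_hashdump(text):
    """Parse pwdump-style lines into dicts; lines that do not fit are skipped."""
    entries = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if m:
            entries.append({"user": m["user"], "rid": int(m["rid"]),
                            "lm": m["lm"].lower(), "nt": m["nt"].lower()})
    return entries


def audit_hashdump(entries):
    """Report blank passwords, stored LM hashes and NT-hash reuse across accounts.
    Because NT hashes are unsalted, identical hashes mean identical passwords,
    so cracking one of them compromises every account in the group."""
    findings = {"blank_password": [], "lm_hash_present": [], "shared_nt_hash": []}
    by_nt = defaultdict(list)
    for e in entries:
        if e["nt"] == EMPTY_NT:
            findings["blank_password"].append(e["user"])
        if e["lm"] != EMPTY_LM:
            # LM is a legacy, case-insensitive, 7-character-block hash; its presence
            # means the password is short and trivially recoverable.
            findings["lm_hash_present"].append(e["user"])
        by_nt[e["nt"]].append(e["user"])
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings["shared_nt_hash"].append(users)
    return findings


if __name__ == "__main__":
    for issue, who in audit_hashdump(parse_hashdump(SAMPLE_HASHDUMP)).items():
        print(f"{issue}: {who}")
```

On the sample this reports blank passwords on Administrator and Guest, an LM hash stored for david, and that alice and david share a password. The same checks run against a real dump before feeding it to John tell you which accounts will fall first and why.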

Question 3

Can you escalate privileges and read the flag in the C:\Windows\System32\config directory?

To escalate our privileges, we can run the getsystem command within Meterpreter to obtain NT AUTHORITY\SYSTEM privileges. Then we can navigate to the directory mentioned in the question to get the flag.

Question 4

Looks like the flag present in the Administrator's home denies direct access.

Let's navigate to the Administrator's home directory. When we try to enter the flag directory, access is denied. To check which principals can access it, run icacls flag. Note that this needs a normal Windows command shell on the system rather than the Meterpreter prompt.

In this case, we can see an explicit DENY entry for NT AUTHORITY\SYSTEM, which wins over the allow entries even for a SYSTEM-level session. We can remove it with the following command:

icacls flag /remove:d "NT AUTHORITY\SYSTEM"

We can now navigate to the flag directory to get the last flag.
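What icacls showed in this question is an ACE list, and the rule that made SYSTEM lose is Windows' canonical ACE order: explicit deny, explicit allow, inherited deny, inherited allow, with the first matching entry deciding. The following Python is an added example, not the page's code, that parses a constructed icacls listing (in the display format assumed here: principal:(flags)(rights), DENY marked as a flag, I for inherited, OI/CI for inheritance scope) and reports deny entries and the effective outcome for a principal.

```python
import re

# Constructed sample in the assumed icacls display format (not from the page):
# an explicit DENY for SYSTEM ahead of the inherited allow entries.
SAMPLE_ICACLS = r"""flag NT AUTHORITY\SYSTEM:(DENY)(OI)(CI)(F)
     BUILTIN\Administrators:(I)(OI)(CI)(F)
     NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
     WIN-TARGET\Administrator:(I)(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Flags that describe inheritance rather than a right.
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}


def parse_icacls(output):
    """Turn icacls output into a list of ACE dicts. The first line carries the
    path before the first ACE; paths containing spaces are not handled here."""
    aces = []
    path = None
    for line in output.splitlines():
        if not line.strip() or line.startswith("Successfully"):
            continue
        if not line[0].isspace():
            path, _, rest = line.partition(" ")
        else:
            rest = line.strip()
        principal, _, flags = rest.rpartition(":")
        tokens = re.findall(r"\(([^)]*)\)", flags)
        aces.append({
            "path": path,
            "principal": principal,
            "deny": "DENY" in tokens,
            "inherited": "I" in tokens,
            "rights": [t for t in tokens if t != "DENY" and t not in INHERIT_FLAGS],
        })
    return aces


def deny_entries(aces):
    """List (principal, rights) for every deny ACE: the entries worth reviewing,
    since a deny on SYSTEM or Administrators is unusual and often deliberate."""
    return [(a["principal"], a["rights"]) for a in aces if a["deny"]]


def effective_access(aces, principal):
    """Decide access for a principal named directly in the ACL using the canonical
    order Windows evaluates: explicit deny, explicit allow, inherited deny,
    inherited allow. Group membership is not resolved in this simplified check."""
    matching = sorted(
        (a for a in aces if a["principal"].lower() == principal.lower()),
        key=lambda a: (a["inherited"], not a["deny"]),
    )
    if not matching:
        return "no ACE"
    return "denied" if matching[0]["deny"] else "allowed"


if __name__ == "__main__":
    aces = parse_icacls(SAMPLE_ICACLS)
    print("deny entries:", deny_entries(aces))
    for who in ("NT AUTHORITY\\SYSTEM", "WIN-TARGET\\Administrator"):
        print(who, "->", effective_access(aces, who))
```

On the sample, SYSTEM is denied despite its inherited full-control entry because the explicit deny is evaluated first, which is exactly why the session could not enter the directory until that entry was removed with icacls /remove:d. Reviewing deny_entries over a tree is also a quick way to spot access that has been deliberately blocked for privileged accounts.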
