Host & Network Penetration Testing: System-Host Based Attacks CTF 1 (EJPT INE)
Hello everyone,
After exploring assessment methodologies through CTF challenges, we are moving on to Host & Network Penetration Testing. This next phase delves into identifying and mitigating vulnerabilities within host systems to improve their security posture. Let’s get started!
Let’s begin with the first question. Both of the initial questions are related to the same host, target1.ine.local.
Q.1 User ‘bob’ might not have chosen a strong password. Try common passwords to gain access to the server where the flag is located. (target1.ine.local)
Before diving into any specific questions, it’s essential to conduct a preliminary reconnaissance. We will start with an Nmap scan to gather details about the target system.
The command we will use is: nmap -sC -sV target1.ine.local
From the Nmap scan results, we can see that port 80 is open and hosting a web server. However, the initial response indicates a 401 Unauthorized status.
Let’s proceed by connecting to the server through a browser.
As the question indicates, the user bob has not chosen a strong password. We already know the username (“bob”) and now need to find the password. For this, we’ll use Hydra to brute-force the HTTP Basic authentication on port 80. The command we will run is:
hydra -l bob -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt target1.ine.local http-get /
This command tries each entry of the specified password list (a dictionary attack) and reports the one the server accepts.
Now that we know the password, let’s log in to the application using it. The interface looks like this:
Now that we are authenticated, we can brute-force directory names to discover more of the application. Because the server requires Basic authentication, the credentials are passed to dirb with -u. The command to use is: dirb http://target1.ine.local -u bob:password_123321
After completing the directory fuzzing, we discovered that /webdav is running on the host.
Let’s navigate to that directory, where we find our first flag:
Flag 1: 4ccc8664b99f44158dd3e42c46ae39eb
Q.2 Valuable files are often on the C: drive. Explore it thoroughly. (target1.ine.local)
From the listing above, we can clearly see a file named test.asp, which indicates that the server accepts .asp files for upload. We can also confirm this with davtest, a tool that uploads test files with various extensions to a WebDAV share and reports which ones the server accepts and which it will execute.
Command: davtest -auth bob:password_123321 -url http://target1.ine.local/webdav
Having determined that we can upload file types such as .asp, .txt, .shtml, and .html to the server, we will upload an .asp web shell to gain command execution.
To achieve this, we can use the cadaver tool to upload the file. The command will be: cadaver http://target1.ine.local/webdav
After executing the command, enter the username and password.
We will then upload the .asp file using the following command: put /usr/share/webshells/asp/webshell.asp
We will then open the browser and navigate to /webdav/webshell.asp
As observed, we now have access to our shell. According to the question, valuable files are located on the C drive. Let’s list the contents of the C drive using the following command: dir C:\
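The upload chain above works because the WebDAV authoring rule lets an authenticated user write anywhere under the share and request filtering does not stop script extensions such as .asp from being stored and later executed. As an added example that is not part of the original write-up and is not the lab's configuration, here is a small audit of the IIS web.config settings a defender would check after an engagement like this one; the two configuration fragments are constructed, and the list of executable extensions is an assumption (davtest reported .asp and .shtml in the walkthrough; .aspx is added).

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragments (not the lab's real configuration). Element
# and attribute names follow the IIS <system.webServer> schema.
WEAK_CONFIG = """\
<configuration>
  <system.webServer>
    <webdav>
      <authoring enabled="true" />
      <authoringRules>
        <add users="*" path="*" access="Read, Write, Source" />
      </authoringRules>
    </webdav>
    <security>
      <requestFiltering>
        <fileExtensions allowUnlisted="true" applyToWebDAV="false">
          <add fileExtension=".exe" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""

HARDENED_CONFIG = """\
<configuration>
  <system.webServer>
    <webdav>
      <authoring enabled="true" />
      <authoringRules>
        <add roles="WebDAVAuthors" path="*" access="Read, Write" />
      </authoringRules>
    </webdav>
    <security>
      <requestFiltering>
        <fileExtensions allowUnlisted="true" applyToWebDAV="true">
          <add fileExtension=".asp" allowed="false" />
          <add fileExtension=".aspx" allowed="false" />
          <add fileExtension=".shtml" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""

# Extensions IIS hands to a script engine. davtest reported .asp and .shtml as
# uploadable in the walkthrough; .aspx is included here as an assumption.
EXECUTABLE_EXTENSIONS = (".asp", ".aspx", ".shtml")


def _child(elem, tag):
    """Direct-child lookup by exact tag (avoids path syntax for 'system.webServer')."""
    return next((c for c in elem if c.tag == tag), None)


def _is_true(elem, attr, default):
    return elem.get(attr, default).lower() == "true"


def audit_webdav(config_xml):
    """Return a list of findings; an empty list means nothing was flagged."""
    root = ET.fromstring(config_xml)
    ws = _child(root, "system.webServer")
    if ws is None:
        return []
    webdav = ws.find("webdav")
    authoring = webdav.find("authoring") if webdav is not None else None
    if authoring is None or not _is_true(authoring, "enabled", "false"):
        return []  # authoring off: PUT and MKCOL are refused, so nothing can be uploaded
    findings = []
    for rule in webdav.iterfind("authoringRules/add"):
        access = {a.strip().lower() for a in rule.get("access", "").split(",")}
        if "write" in access and rule.get("users") == "*":
            findings.append(f"authoring rule grants Write to all users on path '{rule.get('path')}'")
    fe = ws.find("security/requestFiltering/fileExtensions")
    if fe is None:
        findings.append("no requestFiltering/fileExtensions element: every extension is accepted")
        return findings
    if not _is_true(fe, "applyToWebDAV", "true"):
        findings.append('applyToWebDAV="false": extension rules are skipped for WebDAV requests')
    explicit = {e.get("fileExtension", "").lower(): _is_true(e, "allowed", "true") for e in fe.iterfind("add")}
    if _is_true(fe, "allowUnlisted", "true"):
        # unlisted extensions pass, so anything not explicitly denied is open
        open_exts = [x for x in EXECUTABLE_EXTENSIONS if explicit.get(x, True)]
    else:
        # only explicitly allowed extensions pass
        open_exts = [x for x in EXECUTABLE_EXTENSIONS if explicit.get(x, False)]
    if open_exts:
        findings.append("executable extensions not blocked: " + ", ".join(open_exts))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_webdav(cfg) or ["no findings"])
```

Running it prints three findings for the weak fragment and none for the hardened one. On a real server the same settings live in applicationHost.config or the site's web.config; the controls that matter are the authoring rule's users/roles and access attributes, and the applyToWebDAV flag on requestFiltering, since extension rules that only apply to normal requests do nothing against a WebDAV PUT.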
And here, we have obtained our second flag. To read the contents of flag2.txt, use the following command:
type C:\flag2.txt
Flag 2: f4369f68b4c049dd8ffe0d2f545ddb2f
Alternatively, this flag can be obtained with a Metasploit module: exploit/windows/iis/iis_webdav_upload_asp.
Q.3 By attempting to guess SMB user credentials, you may uncover important information that could lead you to the next flag. (target2.ine.local)
The next two questions are based on the target2.ine.local host. First, we will use nmap to gather more information about the host, running the same nmap -sC -sV scan as before against target2.ine.local:
From the Nmap results, we know that SMB is running on the default port 445, so we can use the enum4linux command to gather some information. The command will be: enum4linux -a target2.ine.local
However, enum4linux returned nothing useful, as the server does not allow anonymous enumeration.
Since we don’t know the username or the password, we need to enumerate both. While the Metasploit framework can do this too, I’m opting for Hydra for faster output.
The command will be: hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt smb://target2.ine.local
After performing the brute-force attack, we discovered various usernames and passwords. Let’s proceed with the administrator credentials.
To connect to the SMB server as the administrator user and list its shares, use the following command: smbclient -L //target2.ine.local -U administrator
You will be prompted for the password. Enter the administrator password.
Note: After entering the credentials, you might encounter an error such as ‘Logon failed.’ This is a side effect of the brute-force attack (the server temporarily rejects logons after many failures). Simply give it some time, and it should resolve.
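Both Hydra runs in this walkthrough, the http-get attack on bob’s Basic-auth password (target1) and the smb:// user/password run against target2 (including the ‘Logon failed’ note above), leave the same footprint in the target’s logs: a burst of failed logons from one source within a few seconds, often across many usernames, followed by a success. As an added example that is not part of the original write-up, the following Python script parses constructed IIS access-log lines and constructed, flattened Windows 4625/4624 events and flags that pattern; the log lines, IP addresses and thresholds are made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS-style access log lines for target1 (fields: date time c-ip
# cs-username cs-method cs-uri-stem sc-status). Values are made up for the
# example; 10.10.1.5 plays the guessing host.
HTTP_LOG = """\
2024-05-01 10:00:01 10.10.1.5 - GET / 401
2024-05-01 10:00:01 10.10.1.5 bob GET / 401
2024-05-01 10:00:01 10.10.1.5 bob GET / 401
2024-05-01 10:00:02 10.10.1.5 bob GET / 401
2024-05-01 10:00:02 10.10.1.5 bob GET / 401
2024-05-01 10:00:02 10.10.1.5 bob GET / 401
2024-05-01 10:00:03 10.10.1.5 bob GET / 200
2024-05-01 10:05:00 10.10.1.9 alice GET / 401
2024-05-01 10:05:03 10.10.1.9 alice GET / 200
"""

# Constructed, flattened Windows Security events for target2 (timestamp |
# EventID | TargetUserName | IpAddress | Status). 4625 = failed logon,
# 4624 = successful logon; 0xC000006D is the "bad username or password" status.
WIN_LOG = """\
2024-05-01 10:20:00|4625|administrator|10.10.1.5|0xC000006D
2024-05-01 10:20:00|4625|guest|10.10.1.5|0xC000006D
2024-05-01 10:20:00|4625|root|10.10.1.5|0xC000006D
2024-05-01 10:20:01|4625|admin|10.10.1.5|0xC000006D
2024-05-01 10:20:01|4625|user|10.10.1.5|0xC000006D
2024-05-01 10:20:01|4625|administrator|10.10.1.5|0xC000006D
2024-05-01 10:20:02|4624|administrator|10.10.1.5|0x0
2024-05-01 10:30:00|4625|administrator|10.10.1.22|0xC000006D
"""

WINDOW = timedelta(seconds=60)  # failures closer together than this count as one burst
THRESHOLD = 5                   # failures inside WINDOW that raise an alert (assumed tuning)
SPRAY_USERS = 3                 # distinct usernames from one source that mark a spray


def parse_http(text):
    """Return (protocol, timestamp, source_ip, user, success) tuples from the access log."""
    events = []
    for line in text.splitlines():
        date, time, ip, user, _method, _uri, status = line.split()
        events.append(("http", datetime.fromisoformat(f"{date} {time}"), ip, user, status == "200"))
    return events


def parse_windows(text):
    """Same tuple shape, built from the flattened 4624/4625 records."""
    events = []
    for line in text.splitlines():
        stamp, event_id, user, ip, _status = line.split("|")
        events.append(("smb", datetime.fromisoformat(stamp), ip, user, event_id == "4624"))
    return events


def detect(events):
    """Return {source_ip: alert} for sources with >= THRESHOLD failures inside WINDOW."""
    by_source = defaultdict(list)
    for ev in events:
        by_source[ev[2]].append(ev)
    alerts = {}
    for ip, evs in by_source.items():
        evs.sort(key=lambda e: e[1])
        failures = [e for e in evs if not e[4]]
        # Sliding window: largest number of failures whose timestamps span <= WINDOW.
        best, start = 0, 0
        for end in range(len(failures)):
            while failures[end][1] - failures[start][1] > WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best < THRESHOLD:
            continue
        users = {e[3] for e in failures if e[3] != "-"}
        last_failure = failures[-1][1]
        alerts[ip] = {
            "protocols": sorted({e[0] for e in evs}),
            "failures_in_window": best,
            # many different usernames from one source = password spray / user guessing
            "spray": len(users) >= SPRAY_USERS,
            # a success right after the burst is the sign that a guess landed
            "success_after_burst": any(e[4] and e[1] >= last_failure for e in evs),
        }
    return alerts


def analyze(http_text=HTTP_LOG, win_text=WIN_LOG):
    """Correlate both logs so one source hitting both services shows up once."""
    return detect(parse_http(http_text) + parse_windows(win_text))


if __name__ == "__main__":
    for ip, alert in analyze().items():
        print(ip, alert)
```

Running the script reports 10.10.1.5 once, with both protocols, six failures inside the window, a spray flag (many distinct SMB usernames) and a success after the burst; the single failures from the other sources stay below the threshold. The same shape works over real W3C logs or Event Log exports once the two parsers are adapted to the actual field layout, and the threshold is what an account-lockout or rate-limit policy would enforce on the server side.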
The server exposes 6 shares to the administrator. Before accessing any of them, let’s check the permissions on each one. To do this, we’ll use the crackmapexec tool.
The command will be: crackmapexec smb target2.ine.local -u administrator -p pineapple --shares
After running the command, we discover that only two shares have read and write permissions: ADMIN$ and C$.
Since C$ is the default administrative share for the C: drive, let’s explore its contents. The command will be: smbclient //target2.ine.local/C$ -U administrator
After entering the password, type dir to list the contents of the share.
This is where we find our third flag.
To read the contents of the third flag, first download it to your local device by using the following command: get flag3.txt
Then, use the cat command to read the contents of the file.
FLAG 3: 79b87a8ef8724d9997c774aadaf360a4
Q.4 The Desktop directory might have what you’re looking for. Enumerate its contents. (target2.ine.local)
Finally, for the last flag, the question mentions that we need to enumerate the Desktop directory. Let’s navigate to that directory using the following command: cd Users\Administrator\Desktop\
After that, run the dir command to list all the contents.
Here, we find our last flag.
To read the contents of the fourth flag, first download it to your local device by using the following command: get flag4.txt
Then, use the cat command to read the contents of the file.
FLAG 4: b3fa315c074d4fa2b7706b22aea22f78
Thank you for following along!
Grateful for your time — see you in the next CTF adventure!