Walkthrough : Host & Network Penetration Testing: System-Host Based Attacks CTF 1 (INE - eJPT)
Today, a second CTF walkthrough, this time for System-Host Based Attacks CTF 1. There are 4 flags:
- Flag 1: User ‘bob’ might not have chosen a strong password. Try common passwords to gain access to the server where the flag is located. (target1.ine.local)
- Flag 2: Valuable files are often on the C: drive. Explore it thoroughly. (target1.ine.local)
- Flag 3: By attempting to guess SMB user credentials, you may uncover important information that could lead you to the next flag. (target2.ine.local)
- Flag 4: The Desktop directory might have what you’re looking for. Enumerate its contents. (target2.ine.local)
Judging from the task descriptions, we have 2 targets that are most likely Windows machines: the second flag mentions a C: drive and the third talks about SMB, so we can confidently assume we will be dealing with Windows targets.
So without further ado, let's get started with the first flag.
Flag 1
User ‘bob’ might not have chosen a strong password. Try common passwords to gain access to the server where the flag is located. (target1.ine.local)
I, of course, started by performing an nmap service version scan on the first target: nmap -sV target1.ine.local -p-.
Among the many open ports, we appear to have an IIS web server running on the target; let's navigate to it in Firefox to see what it might be hiding.
We're met by a login screen. Remembering that the first flag says the user bob might not have chosen a strong password, let's try to brute force it with hydra: hydra -l bob -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt target1.ine.local http-get /.
Okay, we found the credentials: bob:password_123321. Logging in, we're met by the default IIS web server front page.
The next step is to enumerate the directories on the web server. We could use a Metasploit auxiliary scanner for that, but since it is easier to supply credentials to dirb, we use that instead: dirb http://target1.ine.local/ -u bob:password_123321.
We find a WebDAV directory, which could be interesting. Indeed, navigating to it reveals the first flag.
Flag 2
Valuable files are often on the C: drive. Explore it thoroughly. (target1.ine.local)
Since we have access to a WebDAV directory, let's see whether we can exploit it by uploading and executing a webshell through it. The first thing to do is test whether the target executes .asp files: davtest -auth bob:password_123321 -url http://target1.ine.local/webdav/.
We now know that .asp files execute just fine, so let's upload a webshell using cadaver: cadaver http://target1.ine.local/webdav/.
This gives us a webshell that, once accessed, lets us execute arbitrary commands: type c:\flag2.txt.
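Both techniques used against target1 (guessing HTTP credentials for bob, then uploading and executing an .asp file over WebDAV) leave distinctive traces in the IIS W3C log: a burst of 401 responses from one client, followed by a PUT of a server-side script and a 200 on a later request for the same path. The following detector is an added example written for this walkthrough, not part of the original post or of any INE material; the log lines, IP addresses and field set are constructed, and the thresholds are assumptions to tune per environment.

```python
"""Detect HTTP credential guessing and WebDAV script uploads in IIS W3C logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an IIS W3C extended log (reduced field set): a run of
# failed HTTP auth attempts, the eventual success, a WebDAV upload of an .asp
# file and the request that executes it. Not a real log.
HEADER = "#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status"
GUESSES = [f"2024-01-01 10:00:{s:02d} GET / bob 10.10.0.5 401" for s in range(1, 26)]
REST = [
    "2024-01-01 10:00:26 GET / bob 10.10.0.5 200",
    "2024-01-01 10:00:40 PUT /webdav/shell.asp bob 10.10.0.5 201",
    "2024-01-01 10:00:45 GET /webdav/shell.asp bob 10.10.0.5 200",
    "2024-01-01 10:05:00 GET /index.html alice 10.10.0.9 200",
    "2024-01-01 10:06:00 PUT /webdav/notes.txt alice 10.10.0.9 201",
]
SAMPLE_LOG = "\n".join([HEADER] + GUESSES + REST) + "\n"

# Extensions IIS hands to a script engine (assumed list; extend for your server).
EXEC_EXTS = (".asp", ".aspx", ".ashx", ".asmx")


def parse_w3c(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip malformed lines rather than mis-assign columns
        rec = dict(zip(fields, parts))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def find_auth_bruteforce(records, threshold=10, window=timedelta(seconds=60)):
    """Return client IPs that produced >= threshold HTTP 401s inside one window."""
    by_ip = defaultdict(list)
    for r in records:
        if r["sc-status"] == "401":
            by_ip[r["c-ip"]].append(r["ts"])
    flagged = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


def find_webdav_uploads(records, exts=EXEC_EXTS):
    """Return (client, path, executed) for every PUT of a server-side script.
    executed is True when a later request for the same path returned 200."""
    findings = []
    for i, r in enumerate(records):
        if r["cs-method"] != "PUT" or not r["cs-uri-stem"].lower().endswith(exts):
            continue
        executed = any(
            later["cs-uri-stem"] == r["cs-uri-stem"]
            and later["cs-method"] in ("GET", "POST")
            and later["sc-status"] == "200"
            for later in records[i + 1:]
        )
        findings.append((r["c-ip"], r["cs-uri-stem"], executed))
    return findings


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print("credential guessing from:", find_auth_bruteforce(recs))
    for ip, path, ran in find_webdav_uploads(recs):
        print(f"script uploaded via WebDAV by {ip}: {path} (executed: {ran})")
```

The plain-text PUT of a .asp file is the cheaper signal to alert on: a WebDAV share that accepts script extensions from an authenticated user is the actual misconfiguration here, and denying those extensions (or disabling WebDAV where it is not needed) removes the path regardless of how the password was obtained.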
Flag 3
By attempting to guess SMB user credentials, you may uncover important information that could lead you to the next flag. (target2.ine.local)
As always, let's scan the target and see what kind of services are running: nmap -sV target2.ine.local -p-.
We already knew we would be dealing with SMB, and the scan confirms it with port 445 open. The next step is to use the Metasploit auxiliary scanner module for SMB: auxiliary/scanner/smb/smb_login.
Configuring and running the scanner leaves us with four sets of credentials, one of which is for the Administrator account: administrator:pineapple. Using these credentials we can scan for shares with the module auxiliary/scanner/smb/smb_enumshares.
We have 6 shares accessible to the administrator. Let's try the default administrative share C$, where we'll find the third flag: smbclient //target2.ine.local/C$ -U administrator%pineapple.
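On the target side, the smb_login run above shows up as a burst of failed network logons (Security event 4625 with logon type 3) from one source against several accounts, followed by a 4624 success once a password matches. The detector below is an added example for this walkthrough, not part of the original post or of Metasploit; the events are constructed tuples standing in for parsed Security log entries, and the threshold and window are assumptions.

```python
"""Flag SMB credential guessing from Windows Security logon events."""
from collections import defaultdict
from datetime import datetime, timedelta


def _t(clock):
    """Build a timestamp on a fixed (constructed) date from an HH:MM:SS string."""
    return datetime.strptime("2024-01-01 " + clock, "%Y-%m-%d %H:%M:%S")


# Constructed events as (timestamp, event_id, logon_type, account, source_ip):
# one host fails against three accounts in under a minute and then logs on as
# administrator; another host has a single typo followed by a normal logon.
SAMPLE_EVENTS = (
    [(_t(f"11:00:{i:02d}"), 4625, 3, "administrator", "10.10.0.5") for i in range(0, 20)]
    + [(_t(f"11:00:{i:02d}"), 4625, 3, "bob", "10.10.0.5") for i in range(20, 40)]
    + [(_t(f"11:00:{i:02d}"), 4625, 3, "guest", "10.10.0.5") for i in range(40, 50)]
    + [
        (_t("11:00:51"), 4624, 3, "administrator", "10.10.0.5"),
        (_t("11:30:00"), 4625, 3, "alice", "10.10.0.9"),
        (_t("11:30:05"), 4624, 3, "alice", "10.10.0.9"),
    ]
)


def detect_smb_guessing(events, fail_threshold=15, window=timedelta(minutes=5)):
    """Return {source_ip: summary} for sources with >= fail_threshold failed
    network logons (4625, logon type 3) inside one window. The summary lists
    the accounts tried and any account that later succeeded (4624) from the
    same source, which is the case that needs immediate follow-up."""
    fails = defaultdict(list)
    successes = defaultdict(list)
    for ts, eid, ltype, account, src in events:
        if ltype != 3:
            continue  # SMB logons are network logons; ignore interactive and others
        if eid == 4625:
            fails[src].append((ts, account))
        elif eid == 4624:
            successes[src].append((ts, account))

    report = {}
    for src, items in fails.items():
        items.sort()
        start = 0
        for end in range(len(items)):  # sliding window over sorted failures
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 >= fail_threshold:
                first_fail = items[start][0]
                report[src] = {
                    "failures": len(items),
                    "accounts": sorted({a for _, a in items}),
                    "success_after_failures": sorted(
                        {a for ts, a in successes[src] if ts > first_fail}
                    ),
                }
                break
    return report


if __name__ == "__main__":
    for src, summary in detect_smb_guessing(SAMPLE_EVENTS).items():
        print(src, summary)
```

Counting distinct accounts per source, not just failures, separates a tool walking a user list from a single user mistyping a password; an account lockout threshold on the target would also have stopped this module long before it reached the Administrator password.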
Flag 4
The Desktop directory might have what you’re looking for. Enumerate its contents. (target2.ine.local)
To get this flag, it's as easy as navigating to the Administrator's Desktop directory and finding the file containing the flag.
Conclusion
Fun as always; this one was a bit harder than the previous one but still very straightforward.
I enjoyed it and I hope you will too.