James K.

Mastering Host & Network Penetration Testing: A Windows CTF Walkthrough

Welcome back to what is turning into a series of articles documenting an aspiring pentester's journey toward acquiring the required skills. This article documents how I went about solving the Host & Network Penetration Testing CTF, specifically the Windows-based target.

The lab was focused on testing the understanding of system or host-based attacks, which exploit vulnerabilities in the configuration, software or hardware of a specific machine, often leading to the compromise of the system via root or admin privilege escalation.
The lab provided two target machines and useful wordlists to help in capturing the following four flags:

Flag 1
Hint: User 'bob' might not have chosen a strong password. Try common passwords to gain access to the server where the flag is located.

My first step is usually to carry out basic host discovery and enumeration to find the open ports and the services running on the target. Using Nmap, the results were:

[Screenshot: Nmap scan results]

The results show a web server, specifically a Microsoft IIS server running on port 80. Opening it in a web browser prompts for a username and password. With the username provided in the hint, and the suggestion of a weak password, a brute force attack was the next step. Using Hydra together with the provided username and the password wordlist, the weak password is promptly cracked.

[Screenshot: Hydra brute force results]

With valid user credentials, the next step was to find where the flag was located on the server. Scanning with Dirb, supplying the credentials, revealed the following directories on the web server:

[Screenshot: Dirb directory enumeration results]

Navigating to the webdav directory in the browser revealed the first flag.

[Screenshot: flag 1]

Flag 2
Hint: Valuable files are often on the C: drive. Explore it thoroughly.

The hint suggests the flag may be located on the C:\ drive. Given that we have already gained initial access, and we know the target is running a Microsoft IIS server, the next step is to check whether we can exploit this to gain elevated privileges and view the files on the web server.
I used the tool Davtest to scan the web server and identify the file types that can be uploaded to and executed on the server.

[Screenshot: Davtest results]

The results show that the following file types can be uploaded and executed: html, asp and txt. This means a malicious .asp file can be uploaded to the server and act as a backdoor when it is executed. Using the tool Cadaver and the webshell.asp file provided in the lab environment, I uploaded the malicious file to the target.

[Screenshot: Cadaver upload]

We can access and execute the file we just uploaded via the web browser, which results in the page below, which accepts Windows commands in its text-box input field. Searching through the C:\ drive as suggested in the hint reveals the second flag, which is read using the type command.

[Screenshot: web shell page]
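From the defender's side, both steps above leave distinct traces in the IIS W3C logs: a burst of 401 responses from one client followed by a 200 with a username, and an authenticated WebDAV PUT whose target ends in a script extension. The following is an added example written for this article, not code from the original post or from any of the tools it uses; the log lines are constructed, and the thresholds and the extension list are assumptions to tune for your environment.

```python
"""Detect HTTP basic-auth password guessing and WebDAV uploads of server-side
script files in IIS W3C extended log lines.

Added example for this article, not code from the original post. The log lines
below are constructed; the thresholds and the extension list are assumptions."""

import posixpath
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample log in the default IIS W3C field layout: six 401s from one
# client in two seconds, then a 200 as 'bob', then two WebDAV PUTs by 'bob'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-01-15 10:00:01 10.0.0.5 GET / - 80 - 10.0.0.9 Mozilla/5.0 - 401 2 5 3
2024-01-15 10:00:01 10.0.0.5 GET / - 80 - 10.0.0.9 Mozilla/5.0 - 401 2 5 2
2024-01-15 10:00:02 10.0.0.5 GET / - 80 - 10.0.0.9 Mozilla/5.0 - 401 2 5 2
2024-01-15 10:00:02 10.0.0.5 GET / - 80 - 10.0.0.9 Mozilla/5.0 - 401 2 5 3
2024-01-15 10:00:03 10.0.0.5 GET / - 80 - 10.0.0.9 Mozilla/5.0 - 401 2 5 2
2024-01-15 10:00:03 10.0.0.5 GET / - 80 - 10.0.0.9 Mozilla/5.0 - 401 2 5 3
2024-01-15 10:00:03 10.0.0.5 GET / - 80 bob 10.0.0.9 Mozilla/5.0 - 200 0 0 4
2024-01-15 10:05:10 10.0.0.5 PUT /webdav/notes.txt - 80 bob 10.0.0.9 cadaver/0.23 - 201 0 0 8
2024-01-15 10:05:30 10.0.0.5 PUT /webdav/webshell.asp - 80 bob 10.0.0.9 cadaver/0.23 - 201 0 0 9
2024-01-15 10:30:00 10.0.0.5 GET /index.html - 80 - 10.0.0.22 Mozilla/5.0 - 401 2 5 3
"""

# Extensions IIS hands to a script engine; an authenticated WebDAV PUT of one of
# these is the event worth alerting on (the list is an assumption, extend it).
SCRIPT_EXTENSIONS = {".asp", ".aspx", ".ashx", ".asmx", ".php"}


def parse_iis_log(text):
    """Turn W3C extended log text into a list of dicts keyed by field name."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # malformed line: skip rather than abort the whole scan
        rec = dict(zip(fields, values))
        rec["timestamp"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        rec["sc-status"] = int(rec["sc-status"])
        records.append(rec)
    return records


def detect_auth_bruteforce(records, threshold=5, window=timedelta(seconds=60)):
    """Flag client IPs with >= threshold 401 responses inside a sliding window and
    record whether the same IP then got a 200 with a username (a guessed password)."""
    failures, successes = defaultdict(list), {}
    for r in sorted(records, key=lambda r: r["timestamp"]):
        if r["sc-status"] == 401:
            failures[r["c-ip"]].append(r["timestamp"])
        elif r["sc-status"] == 200 and r["cs-username"] != "-" and r["c-ip"] in failures:
            successes.setdefault(r["c-ip"], r["cs-username"])
    alerts = {}
    for ip, times in failures.items():
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = {"failures_in_window": peak, "then_authenticated_as": successes.get(ip)}
    return alerts


def detect_webdav_script_uploads(records):
    """Return (timestamp, client ip, user, path) for every successful PUT whose
    target path ends in a script extension."""
    hits = []
    for r in records:
        if r["cs-method"] == "PUT" and 200 <= r["sc-status"] < 300:
            path = unquote(r["cs-uri-stem"])
            if posixpath.splitext(path)[1].lower() in SCRIPT_EXTENSIONS:
                hits.append((r["timestamp"], r["c-ip"], r["cs-username"], path))
    return hits


def analyze(text):
    """Run both detections over one log file's text."""
    records = parse_iis_log(text)
    return detect_auth_bruteforce(records), detect_webdav_script_uploads(records)


if __name__ == "__main__":
    brute, uploads = analyze(SAMPLE_LOG)
    for ip, info in brute.items():
        print(f"password guessing from {ip}: {info}")
    for when, ip, user, path in uploads:
        print(f"{when} script upload via WebDAV by {user}@{ip}: {path}")
```

The sliding window is keyed on the client IP rather than on the account, because a guessing tool targeting a single known username (as in this lab) produces many failures for one account from one source, and a per-account counter would also fire on a legitimate user who mistypes a password a few times. The upload check only looks at PUT; WebDAV also creates files through MOVE and COPY, whose destination is in a request header IIS does not log by default, so those need a different data source.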

Flag 3
Hint: By attempting to guess SMB user credentials, you may uncover important information that could lead you to the next flag.
The hint mentions guessing credentials, which points to a brute force attack to obtain credentials for authentication. I used the Metasploit module auxiliary/scanner/smb/smb_login to run a brute force attack against the target and discovered the following credentials, which can be used for privilege escalation.

[Screenshot: smb_login results]

I initially enumerated the shares using the session opened by the module, by setting the CreateSession option to true and connecting to the share from there, and found the flag. However, I was curious about another module I had learnt about, psexec. Using the exploit/windows/smb/psexec module, along with the admin credentials obtained in the previous step, I was able to obtain a Meterpreter shell. Searching through the files and folders reveals the third flag.

[Screenshot: flag 3]
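The SMB guessing and the psexec-style follow-up are also visible on the target: a run of failed network logons (Security event 4625, logon type 3) from one host, then a successful network logon (4624) from the same host, then a service installation (System event 7045), which is how tools that execute a payload through the service control manager gain execution. The following is an added example written for this article, not code from the original post or from Metasploit; the events are constructed and use a simplified dict layout instead of the real EventData XML, the event IDs, logon type and sub-status codes are the real Windows values, and the thresholds are assumptions.

```python
"""Spot SMB password guessing and a follow-on remote service install in
Windows event data.

Added example for this article, not code from the original post. The events
below are constructed and use a simplified dict layout rather than the real
EventData XML; the event IDs, logon type and NTSTATUS sub-status codes are the
real Windows values, and the thresholds are assumptions."""

from collections import defaultdict
from datetime import datetime, timedelta

# Windows values relied on below:
#   4625  Security: an account failed to log on
#   4624  Security: an account was successfully logged on
#   7045  System: a service was installed in the system
#   LogonType 3 is a network logon, which is what SMB authentication produces.
#   SubStatus 0xC000006A = bad password, 0xC0000064 = user name does not exist.
BAD_PASSWORD, NO_SUCH_USER = "0xC000006A", "0xC0000064"


def _ev(event_id, when, **data):
    """Build one normalised event dict (helper for the constructed sample)."""
    return {"id": event_id, "time": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"), **data}


# Constructed sample: six failed network logons from one host in a few seconds,
# a successful logon from the same host, a service install two seconds later,
# and two unrelated failures (one of them an interactive logon, type 2).
SAMPLE_EVENTS = [
    _ev(4625, "2024-01-15 11:00:00", ip="10.0.0.9", user="admin", logon_type=3, substatus=NO_SUCH_USER),
    _ev(4625, "2024-01-15 11:00:01", ip="10.0.0.9", user="administrator", logon_type=3, substatus=BAD_PASSWORD),
    _ev(4625, "2024-01-15 11:00:01", ip="10.0.0.9", user="administrator", logon_type=3, substatus=BAD_PASSWORD),
    _ev(4625, "2024-01-15 11:00:02", ip="10.0.0.9", user="administrator", logon_type=3, substatus=BAD_PASSWORD),
    _ev(4625, "2024-01-15 11:00:02", ip="10.0.0.9", user="administrator", logon_type=3, substatus=BAD_PASSWORD),
    _ev(4625, "2024-01-15 11:00:03", ip="10.0.0.9", user="administrator", logon_type=3, substatus=BAD_PASSWORD),
    _ev(4624, "2024-01-15 11:00:05", ip="10.0.0.9", user="administrator", logon_type=3),
    _ev(7045, "2024-01-15 11:00:07", service="SvcEXAMPLE"),  # service name is a placeholder
    _ev(4625, "2024-01-15 12:00:00", ip="10.0.0.30", user="alice", logon_type=3, substatus=BAD_PASSWORD),
    _ev(4625, "2024-01-15 12:00:30", ip="10.0.0.30", user="alice", logon_type=2, substatus=BAD_PASSWORD),
]


def detect_smb_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed network logons (4625, type 3) in a
    sliding window; also report which accounts were tried and how many failures
    named accounts that do not exist (a usual sign of a username wordlist)."""
    fails = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["id"] == 4625 and e.get("logon_type") == 3:
            fails[e["ip"]].append(e)
    alerts = {}
    for ip, evs in fails.items():
        start, peak = 0, 0
        for end, e in enumerate(evs):
            while e["time"] - evs[start]["time"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = {
                "failures_in_window": peak,
                "accounts_tried": sorted({e["user"] for e in evs}),
                "nonexistent_accounts": sum(e["substatus"] == NO_SUCH_USER for e in evs),
            }
    return alerts


def detect_guess_then_service(events, alerts, window=timedelta(minutes=10)):
    """For each flagged IP, find a later successful network logon from it and a
    7045 service install shortly after: the sequence a remote-execution tool
    that installs a service leaves behind."""
    ordered = sorted(events, key=lambda e: e["time"])
    findings = []
    for ip in alerts:
        first_fail = next(e["time"] for e in ordered if e["id"] == 4625 and e.get("ip") == ip)
        logon = next((e for e in ordered if e["id"] == 4624 and e.get("ip") == ip
                      and e.get("logon_type") == 3 and e["time"] >= first_fail), None)
        if logon is None:
            continue
        svc = next((e for e in ordered if e["id"] == 7045
                    and logon["time"] <= e["time"] <= logon["time"] + window), None)
        findings.append({"ip": ip, "account": logon["user"],
                         "service_installed": svc["service"] if svc else None})
    return findings


if __name__ == "__main__":
    alerts = detect_smb_guessing(SAMPLE_EVENTS)
    for ip, info in alerts.items():
        print(f"SMB password guessing from {ip}: {info}")
    for finding in detect_guess_then_service(SAMPLE_EVENTS, alerts):
        print(f"guessed credentials used for remote execution: {finding}")
```

The 7045 event does not carry the source IP, so the second function correlates it by time with the successful logon instead; on a busy server tighten the window and join on the logon's session id where your log pipeline preserves it. Counting 0xC0000064 separately matters because a legitimate user retyping a password never produces it, while a wordlist of usernames does.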

Flag 4
Hint: The Desktop directory might have what you're looking for. Enumerate its contents.
This flag was straightforward. Navigating to the Desktop folder reveals the last flag, completing the CTF.

[Screenshot: flag 4]

Conclusion
This lab was a great exercise in chaining vulnerabilities. We started with a simple web brute-force, pivoted to exploiting WebDAV misconfigurations for a shell, and finally used SMB brute-forcing to gain full system access. It highlights why strong passwords and disabling unused features (like WebDAV) are critical for system hardening.

Tools Used

  • Nmap: For initial host discovery and port scanning.
  • Hydra: For brute-forcing the web login form.
  • Dirb: For directory enumeration to find hidden web paths.
  • Davtest: To scan the WebDAV server and identify allowed file uploads.
  • Cadaver: A command-line WebDAV client used to upload the malicious shell.
  • Metasploit Framework:
    • auxiliary/scanner/smb/smb_login: Used for brute-forcing SMB credentials.
    • exploit/windows/smb/psexec: Used to gain a Meterpreter shell.

Thanks for following along, and stay tuned for the next article!
