
# Host & Network Penetration Testing: Post-Exploitation CTF 2

This lab involves exploiting a Windows target machine. By identifying insecure configurations, cracking hashes, and leveraging privilege escalation techniques, you'll uncover and capture the flags. Challenges include exploiting an insecure SSH user, cracking password hashes, escalating privileges and overcoming restricted access to files.

A target machine is accessible at **target.ine.local**. Identify the services and capture the flags.

* **Flag 1:** An insecure ssh user named **alice** lurks in the system.
* **Flag 2:** Using the hashdump file discovered in the previous challenge, can you crack the hashes and compromise a user?
* **Flag 3:** Can you escalate privileges and read the flag in C://Windows//System32//config directory?
* **Flag 4:** Looks like the flag present in the Administrator's home denies direct access.

The following will be useful:

* **Wordlist:** /usr/share/wordlists/metasploit/unix_passwords.txt
* **Tool:** /root/Desktop/PrintSpoofer.exe

### **Q.1 An insecure ssh user named alice lurks in the system.**

As the question states, there is an insecure user named Alice, so let’s brute-force Alice’s password with Hydra using the command:

```
hydra -l alice -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt ssh://target.ine.local
```

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*hCpRGoWkUCW2VUKmaVdRaw.png" alt="" height="119" width="700"><figcaption></figcaption></figure>

And we have obtained Alice’s password, which is *“princess1”*. Let’s connect to SSH using the command: `ssh alice@target.ine.local` and enter the password when prompted.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*vn0VYsSvKEQ0AxvLia6lTA.png" alt="" height="178" width="700"><figcaption></figcaption></figure>

Type `dir` to list the contents, and here we have our first flag.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*FO9ADT0johdl5A-ZuxNSEg.png" alt="" height="412" width="700"><figcaption></figcaption></figure>

To read the contents, use the command: `type flag1.txt`.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*LfdWyGS-SbDxcHVGUVeHLg.png" alt="" height="59" width="700"><figcaption></figcaption></figure>

### **Q.2 Using the hashdump file discovered in the previous challenge, can you crack the hashes and compromise a user?**

In the above directory, there is a file named **hashdump.txt**. Let’s view its contents using the command: `type hashdump.txt`.


<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*cXRYItiFH-smvU0bEGbanQ.png" alt="" height="341" width="700"><figcaption></figcaption></figure>

We need to crack the hash of any one of the users. Simply copy the contents, paste them into a file on the local system, and save it as hashdump.txt.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*-4w-h7Z9yuJN8BHxUkVVnw.png" alt="" height="89" width="700"><figcaption></figcaption></figure>

Now we can use the file to crack the hashes. Since these are NT hashes in pwdump format, we can crack them with John using the command: `john --format=NT hashdump.txt` (with no `--wordlist` given, John falls back to its default cracking modes).

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*XTdsUhSW6Nr_qnFDlrs4OQ.png" alt="" height="209" width="700"><figcaption></figcaption></figure>
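Before cracking anything, a password audit can already learn a lot from a hashdump. This added example (not part of the original write-up, and using a constructed sample file rather than the lab's real one) parses the `user:RID:LM:NT:::` format and flags empty passwords, accounts that still store an LM hash, and accounts sharing the same NT hash, which means they share a password.

```python
import re
from collections import defaultdict

# Well-known constants: NT hash of the empty password, and the LM placeholder
# written when LM hash storage is disabled.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# Constructed sample in pwdump/hashdump format; the hash values are made up.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
david:1002:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
svc_backup:1003:01234567890abcdef01234567890abcd:89abcdef0123456789abcdef01234567:::
"""

LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


def parse_hashdump(text):
    """Return a list of (user, rid, lm, nt) tuples; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pwdump line (e.g. a header or a cached-credential entry)
        user, rid, lm, nt = m.groups()
        records.append((user, int(rid), lm.lower(), nt.lower()))
    return records


def audit_hashdump(text):
    """Report findings a defender cares about without cracking a single hash."""
    findings = {"empty_password": [], "lm_hash_present": [], "shared_nt_hash": {}}
    by_nt = defaultdict(list)
    for user, _rid, lm, nt in parse_hashdump(text):
        if nt == EMPTY_NT:
            findings["empty_password"].append(user)
        if lm != EMPTY_LM:
            findings["lm_hash_present"].append(user)  # LM storage is still enabled
        by_nt[nt].append(user)
    # Two accounts with the same NT hash use the same password (no salt in NT hashes).
    findings["shared_nt_hash"] = {h: users for h, users in by_nt.items() if len(users) > 1}
    return findings


if __name__ == "__main__":
    print(audit_hashdump(SAMPLE_HASHDUMP))
```

Because NT hashes are unsalted, identical hashes across accounts are direct evidence of password reuse, which is why a single cracked hash so often compromises more than one user.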

And here we have found the password for the david user. Let’s connect to david via SSH using the command: `ssh david@target.ine.local` and enter the password when prompted.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*UPyAMZEuC9lOj2qIi94_5Q.png" alt="" height="159" width="700"><figcaption></figcaption></figure>

Type `dir` to list the contents, and here we have our second flag.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*v76ihwLOPXcg3z2C_95C4Q.png" alt="" height="336" width="700"><figcaption></figcaption></figure>

To read the contents, use the command: `type flag2.txt`.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*U8zGohls1xejpmnJmNW-iA.png" alt="" height="80" width="700"><figcaption></figcaption></figure>

### **Q.3 Can you escalate privileges and read the flag in C://Windows//System32//config directory?**

To obtain the third flag, we need to escalate our privileges. Let’s check our current privileges using the command:

```
whoami /priv
```

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*qOXSWBAgpXTvkYxPAeBcTQ.png" alt="" height="174" width="700"><figcaption></figcaption></figure>

We have `SeImpersonatePrivilege`, so we can easily elevate our privileges using PrintSpoofer. The PrintSpoofer executable is already available on our local machine in the `/root/Desktop` directory.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*DcBWnynwOynhBrW0PPlGag.png" alt="" height="90" width="700"><figcaption></figcaption></figure>

Let’s copy it to our SSH session using the command:

```
scp PrintSpoofer64.exe david@target.ine.local:"C:\\Users\\david\\"
```

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*JbpNmlnUA244pAEsXUbZ_A.png" alt="" height="62" width="700"><figcaption></figcaption></figure>

And we have successfully transferred the file. Let’s confirm it by using the `dir` command.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*92sPyeUSYXuZW26enE7Upg.png" alt="" height="380" width="700"><figcaption></figcaption></figure>

Let’s execute the file using the command:

```
PrintSpoofer64.exe -i -c cmd
```

> The command `PrintSpoofer64.exe -i -c cmd` is used to exploit **SeImpersonatePrivilege** in Windows to escalate privileges. Here's a breakdown of its components:
>
> **`PrintSpoofer64.exe`** → This is the executable file for the **PrintSpoofer** exploit, which leverages the **Print Spooler service** to escalate privileges.
>
> **`-i`** → Runs the command in **interactive mode**, allowing the user to interact with the elevated session.
>
> **`-c cmd`** → Specifies the command to execute; in this case, it launches **cmd.exe** (Command Prompt) with elevated privileges.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*0_iz3-Y92gETvBXnj2seaw.png" alt="" height="150" width="700"><figcaption></figcaption></figure>

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*CVr7GpJ1rng27Nj3MvggaA.png" alt="" height="75" width="700"><figcaption></figcaption></figure>

From the elevated shell, enter the config directory using the command `cd config` and then type `dir` to list its contents.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*zcJnPeoUvaxebzlZC0ULZw.png" alt="" height="351" width="700"><figcaption></figcaption></figure>

And here is our third flag:

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*HlDjb7XAYDYVpV0OR4fBsw.png" alt="" height="57" width="700"><figcaption></figcaption></figure>

### **Q.4 Looks like the flag present in the Administrator’s home denies direct access.**

So the last flag requires us to navigate to the Administrator’s directory. Navigate there using the command: `cd C:\Users\Administrator` and list the contents with `dir`.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*tECxZ1SPMsxcPE6NnGG2IQ.png" alt="" height="378" width="700"><figcaption></figcaption></figure>

Trying to enter the flag directory fails: we don’t have the necessary access permissions.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*nSMD5hP4l31VgHAwl7EmeQ.png" alt="" height="69" width="700"><figcaption></figcaption></figure>

Let’s check the permissions using the command:

```
icacls flag
```

This command displays the Access Control List (ACL) for the flag directory, showing the permissions granted or denied to different users and groups.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*nfHwe_wYRvMeW89b-Xmi7A.png" alt="" height="138" width="700"><figcaption></figcaption></figure>

So, as we can see, it has a deny permission for `NT AUTHORITY\SYSTEM`. Since our elevated shell runs as SYSTEM, that deny entry is exactly what blocks us, and deny ACEs are evaluated before allow ACEs. Let's remove this restriction by using the command:

```
icacls flag /remove:d "NT AUTHORITY\SYSTEM"
```

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*SFkLNGcq1r9ODnrUxlHTEQ.png" alt="" height="76" width="700"><figcaption></figcaption></figure>
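A deny ACE aimed at `NT AUTHORITY\SYSTEM` is unusual and worth flagging in an ACL review. This added example (not from the original write-up; the `icacls` listing is a constructed sample for a directory named `flag`, with a path containing no spaces) parses `icacls` output into (principal, flags) entries and reports the deny entries, so the check the author did by eye can be run over many paths.

```python
import re

# Constructed icacls output; the first line carries the path plus the first ACE,
# continuation lines carry one ACE each, and a summary line closes the listing.
SAMPLE_ICACLS = """\
flag NT AUTHORITY\\SYSTEM:(DENY)(OI)(CI)(F)
     BUILTIN\\Administrators:(I)(OI)(CI)(F)
     NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)
     TARGET\\Administrator:(I)(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# "<principal>:(FLAG)(FLAG)..." at the end of a line; the principal may contain spaces.
ACE_LINE_RE = re.compile(r"([^\s:][^:]*?):((?:\([A-Za-z,]+\))+)$")
FLAG_RE = re.compile(r"\(([A-Za-z,]+)\)")


def parse_icacls(output):
    """Return (path, [(principal, [flags]), ...]) from the text output of icacls."""
    path, aces = None, []
    for raw in output.splitlines():
        m = ACE_LINE_RE.search(raw.strip())
        if not m:
            continue  # blank line or the "Successfully processed" summary
        principal, flags = m.group(1), FLAG_RE.findall(m.group(2))
        if path is None:
            # First ACE line: "<path> <principal>" (path assumed to contain no spaces).
            path, _, principal = principal.partition(" ")
        aces.append((principal, flags))
    return path, aces


def deny_aces(output):
    """Only the entries icacls marks as (DENY)."""
    _path, aces = parse_icacls(output)
    return [(p, f) for p, f in aces if "DENY" in f]


def blocks_principal(output, principal):
    """True if any deny ACE targets the given principal (case-insensitive)."""
    return any(p.lower() == principal.lower() for p, _ in deny_aces(output))


if __name__ == "__main__":
    print(deny_aces(SAMPLE_ICACLS))
```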

As we have successfully changed the permission, let’s navigate to the directory and obtain our last flag, which is:

<figure><img src="https://miro.medium.com/v2/resize:fit:875/1*Y6J_eKn7Gv20njGligV43Q.png" alt="" height="281" width="700"><figcaption></figcaption></figure>

**Thank you, everyone, for reading! I hope this article has been helpful in guiding you through the steps.**

**Happy Hacking!**
