Windows Security CTF: [Dec 4 — Dec 8]

Mastur
6 min read · Dec 10, 2020

This is the walkthrough for the Windows Security CTF; Pentester Academy runs a CTF event every week.

The Windows Security CTF event has ended, but you can still find and access it here: https://attackdefense.pentesteracademy.com/challengedetails?cid=2143

When you visit the link you need to log in to Pentester Academy first before you can start the lab. The lab terminates after 1 hour (Windows lab), after which you have to start another one. They provide a Kali machine without internet access; all the tools required for solving the CTF are available on that machine.

The Objective: Capture and verify 9 flags.

The IP address of the Kali machine: 10.10.12.2

The target machines:

  1. IP Address 1: 10.0.19.228
  2. IP Address 2: 10.0.17.180

Step 1. Opening the first IP address in the web browser, we found the server running HTTP File Server (HFS) 2.3.

Looking at this service, search whether this version has a known vulnerability, for example Exploit-DB IDs 34668 or 39161.

Step 2. Alternatively, if you want to use Metasploit, start msfconsole, search for and use the rejetto hfs exec exploit. On firing the exploit, a command shell session is established.

Command:

Note: I identified that port 4444 is blocked by the server, so I used port 4443.

Step 3. A new Meterpreter session has been opened. This session can be used to find and retrieve flags 1–6 hidden on this machine.

Step 4. Flag 1 is the OS version. Once you have a shell, run `systeminfo` in the Command Prompt to get information about the Windows machine.

Command:

Step 5. Flags 2 and 3. Some flags can be identified by the prefix flag*; we found them inside the Desktop folders of the users `sysadmin` and `administrator`.

Command:

Command:

Step 6. We need privilege escalation to get flags 4 and 5. After checking the target machine, we found that it has stored credentials.

Command:

Step 7. Create a new reverse shell with msfvenom to run the shell as administrator.

Command:

Step 7. Upload the shell to the public directory.

Command:

Step 8. Set up a new listener for the new reverse shell.

Command:

Step 9. Run the new reverse shell using the stored administrator credential.

Command:

Step 10. The new session has been opened as the administrator user.

Command:

Step 11. An alternative, for when the directory can only be opened by the administrator user.

Command:

Step 12. Upload Mimikatz to the server. The script is provided on the Kali machine.

Step 13. Run Mimikatz to find flag 4, the NTLM hash of `Administrator`, and flag 5, the NTLM hash of the `WebAdmin` user.

Command:

Step 14. While I was checking for another way to find another flag, I realized that the RDP port 3389 is open, so using Mimikatz, in this case, we can search for the administrator password.

Command:

Step 15. Log in over RDP using the xfreerdp tool with username `administrator` and password `abcdef_123321`.

Command:

Step 16. Search for a file containing the password of the `remoteadmin` user.

Command:

Step 17. Open the file and search for the string `remoteadmin`. We found the password in the PowerShell command history file.

Command:
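The step above turns on a plaintext credential left behind in a PowerShell command history file. As an added example from the defensive side (this is not code from the original write-up or from Pentester Academy), the following Python scanner reads a PSReadLine `ConsoleHost_history.txt`, flags lines that carry a literal password or that mention a watched account such as `remoteadmin`, and masks the secret before reporting, so an administrator can locate and purge such entries. The history file location under each profile is the default PSReadLine path; the sample history, the account names and the password values inside it are constructed for the example.

```python
import re
from pathlib import Path

# Constructed sample of a PSReadLine ConsoleHost_history.txt (not taken from the page).
SAMPLE_HISTORY = """Get-ChildItem C:\\Users
net user remoteadmin P@ssw0rd_example /add
Set-Location C:\\inetpub\\wwwroot
$cred = Get-Credential
New-Object System.Net.NetworkCredential("svc_backup", "S3cret!")
"""

# Command shapes that commonly carry a literal credential in a history file.
SECRET_PATTERNS = [
    ("net user with literal password",
     re.compile(r"\bnet\s+user\s+\S+\s+(?!/)\S+", re.I)),
    ("ConvertTo-SecureString with literal",
     re.compile(r"ConvertTo-SecureString\s+['\"][^'\"]+['\"]", re.I)),
    ("NetworkCredential with literal password",
     re.compile(r"NetworkCredential\s*\(\s*['\"][^'\"]*['\"]\s*,\s*['\"][^'\"]+['\"]", re.I)),
    ("password keyword followed by value",
     re.compile(r"\b(?:password|passwd|pwd)\s*[=:]\s*\S+", re.I)),
]


def redact(fragment):
    """Mask the last quoted string or bare token of a matched fragment."""
    if re.search(r"['\"][^'\"]+['\"]\s*$", fragment):
        return re.sub(r"(['\"])[^'\"]+(['\"])\s*$", r"\1****\2", fragment)
    return re.sub(r"\S+$", "****", fragment)


def scan_history_text(text, watch_users=()):
    """Return (line_number, reasons, redacted_line) for each suspicious history line."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        reasons = []
        shown = line
        for label, pattern in SECRET_PATTERNS:
            m = pattern.search(line)
            if m:
                reasons.append(label)
                # Never echo the secret itself in the report.
                shown = shown.replace(m.group(0), redact(m.group(0)))
        for user in watch_users:
            if user.lower() in line.lower():
                reasons.append(f"mentions watched user {user!r}")
        if reasons:
            findings.append((lineno, reasons, shown))
    return findings


def scan_history_file(path, watch_users=()):
    """Scan one history file on disk; tolerate odd encodings rather than abort."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return scan_history_text(text, watch_users)


def default_history_paths(users_root=r"C:\Users"):
    """PSReadLine history file for every local profile (default PSReadLine location)."""
    rel = "AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt"
    return sorted(Path(users_root).glob(f"*/{rel}"))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        results = [(p, scan_history_file(p, ("remoteadmin",))) for p in sys.argv[1:]]
    else:
        # No paths given: run against the constructed sample so the script works offline.
        results = [("<constructed sample>", scan_history_text(SAMPLE_HISTORY, ("remoteadmin",)))]
    for source, findings in results:
        for lineno, reasons, shown in findings:
            print(f"{source}:{lineno}: {', '.join(reasons)}: {shown}")
```

Run it without arguments to see the sample findings, or pass the paths returned by `default_history_paths()` when auditing a Windows host. Lines that only mention a watched account are reported unmasked, since they contain no detected secret; anything matched by a secret pattern is masked before it reaches the console or a log.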

Step 18. On IP address 2, we found RDP port 3389 open.

Command:

Step 19. Log in over RDP to target machine IP address 2 with username `remoteadmin` and password `wtcjWJzNMu4doa4vHTd`, obtained from target machine IP address 1.

Command:

Step 20. Find flag 7 on the Desktop of the `remoteadmin` user and open the file.

Step 21. Go to the directory C:\Users\Administrator. Because we are logged in over RDP and the `remoteadmin` user has administrator privileges, we don’t need to bypass UAC; we can simply click Continue.

Step 22. Find flag 8 on the Desktop of the `administrator` user and open the file.

Step 23. Download and run Mimikatz on the server. Finally, we got the last flag, flag 9 (the NTLM hash of `administrator`).

Command:

Alhamdulillah, I submitted the write-up and got a free subscription from Pentester Academy.

Thanks to Pentester Academy for the great CTF!

References:

https://attackdefense.pentesteracademy.com/challengedetails?cid=2143
https://attackdefense.com/challengedetails?cid=1944
https://attackdefense.com/challengedetails?cid=2110
https://attackdefense.com/challengedetails?cid=2136
https://github.com/gentilkiwi/mimikatz
https://www.rapid7.com/db/modules/exploit/windows/http/rejetto_hfs_exec/
https://www.exploit-db.com/34668
https://www.exploit-db.com/39161
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#powershell-history
https://book.hacktricks.xyz/windows/stealing-credentials
https://github.com/frizb/MSF-Venom-Cheatsheet
