SystemSpoils Parrot CTF

Musyoka Ian
5 min read · Jun 17, 2024


Hello guys, welcome back to another walkthrough, this time of the Parrot CTF challenge called SystemSpoils. The challenge has been rated as medium but in my opinion it’s a simple challenge. You start off by running an nmap scan on the box and discover a couple of interesting ports. The ones we are mostly interested in are SMB on port 445, HTTP on port 80 and RDP on port 3389. Directory brute forcing on port 80 gives us some credentials that work on both the SMB share and RDP. Using the credentials we log in to the server, and on running whoami /all we discover that we are in the Administrators group, hence we can get both the user and root flags.

Running nmap with the flags below, we discover a few open ports. The command used was

nmap -sC -sV -oA nmap/systemspoils 10.14.3.204
# Nmap 7.94SVN scan initiated Sun Jun 16 15:23:54 2024 as: nmap -sC -sV -oA nmap/systemspoils 10.14.3.204
Nmap scan report for 10.14.3.204
Host is up (0.28s latency).
Not shown: 995 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: DESKTOP-UCP7MTV
| NetBIOS_Domain_Name: DESKTOP-UCP7MTV
| NetBIOS_Computer_Name: DESKTOP-UCP7MTV
| DNS_Domain_Name: DESKTOP-UCP7MTV
| DNS_Computer_Name: DESKTOP-UCP7MTV
| Product_Version: 10.0.19041
|_ System_Time: 2024-06-16T19:27:42+00:00
| ssl-cert: Subject: commonName=DESKTOP-UCP7MTV
| Not valid before: 2024-06-13T20:05:41
|_Not valid after: 2024-12-13T20:05:41
|_ssl-date: 2024-06-16T19:27:48+00:00; -1m30s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2024-06-16T19:27:42
|_ start_date: N/A
|_nbstat: NetBIOS name: DESKTOP-UCP7MTV, NetBIOS user: <unknown>, NetBIOS MAC: 00:ff:50:b2:e8:71 (unknown)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: mean: -1m30s, deviation: 0s, median: -1m30s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun 16 15:29:19 2024 -- 1 IP address (1 host up) scanned in 324.56 seconds
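The scan output above already contains the findings a defender would act on (HTTP TRACE enabled, SMB signing not required, RDP exposed to the network). The script below is an added example, not part of the original walkthrough, that parses nmap's normal-format output and turns those lines into a short findings list; the sample input is a trimmed copy of the scan above, and the severity labels and remediation wording are my own assumptions rather than anything nmap emits.

```python
import re

# Trimmed copy of the nmap output shown above (normal format, as written by -oN / -oA).
SAMPLE_SCAN = """\
Nmap scan report for 10.14.3.204
Host is up (0.28s latency).
Not shown: 995 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: DESKTOP-UCP7MTV
| Product_Version: 10.0.19041
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
"""

# One port line: "<port>/<proto> <state> <service> [<version ...>]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)(?:\s+(.*))?$")


def parse_ports(port_text):
    """Parse the per-port section into dicts; NSE lines ("|" / "|_") attach to the preceding port."""
    ports = []
    for line in port_text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({
                "port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                "service": m.group(4), "version": (m.group(5) or "").strip(), "scripts": [],
            })
        elif line.startswith("|") and ports:
            ports[-1]["scripts"].append(line.lstrip("|_ ").strip())
    return ports


def findings(scan_text):
    """Return (severity, port, message) tuples for the exposures visible in the scan."""
    # Host-level script output comes after this header and must not be attached to the last port.
    port_text, _, host_text = scan_text.partition("Host script results:")
    found = []
    for p in parse_ports(port_text):
        if p["state"] != "open":
            continue
        nse = " ".join(p["scripts"])
        if "Potentially risky methods" in nse and "TRACE" in nse:
            found.append(("medium", p["port"], "HTTP TRACE enabled; disable it on the web server"))
        if p["port"] == 445:
            found.append(("info", p["port"], "SMB reachable; verify null sessions are refused"))
        if p["port"] == 3389:
            found.append(("high", p["port"], "RDP exposed; restrict source networks and enforce lockout policy"))
    if "Message signing enabled but not required" in host_text:
        found.append(("high", 445, "SMB signing not required; require signing via policy"))
    return found


if __name__ == "__main__":
    for sev, port, msg in findings(SAMPLE_SCAN):
        print(f"[{sev:6}] {port:>5}  {msg}")
```

Run it against any saved nmap normal-format output in place of SAMPLE_SCAN; the port parser relies only on the fixed "port/proto state service" layout, so the lost indentation in the pasted scan above does not affect it.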

I started by trying to enumerate the SMB shares and check whether null authentication was enabled. I used netexec, which can be installed from the GitHub repository below

https://github.com/Pennyw0rth/NetExec.git

The command I used was

netexec smb 10.14.3.204 -u anonymous -p "" --shares

Looking at the screenshot below, it failed.

Netexec

This appears to be a dead end, since we need valid credentials to access the SMB share. I decided to start by enumerating the web application. On opening the web application we get a default IIS page.

I performed directory brute forcing using feroxbuster

https://github.com/epi052/feroxbuster.git

And the command used was

feroxbuster --url http://10.14.3.204/ -w /usr/share/wordlists/dirb/common.txt

We get a directory called employees that contains some usernames and passwords in profile.txt

I took all the usernames and passwords and created wordlists. I then performed a brute force attack using netexec.

If the server allows it, first confirm the account lockout policy to ensure that you are not locking out user accounts while performing the brute force attack, OR pick a couple of usernames first to use as test data. This will prevent user accounts from being locked out.

Given this is a CTF, I just performed a brute force attack using netexec and the command

netexec smb 10.14.3.204 -u users -p password --continue-on-success

We get a valid account for Jessica. Remember that initially we saw RDP was open; we can try and see if the credentials work there too. The remote desktop client I like using is called Remmina, but rdesktop and xfreerdp still work fine.

On trying the credentials they work, and we have access to the server.

RDP

On opening the user file we get the user flag on the box.

On running the command

whoami /all

We notice that we are in the Administrators group.

I opened a second command prompt as administrator and, on pillaging through the file system, we get the root flag in DefaultAppPool.

And the box is pretty much done. If you liked the walkthrough, clap for me down below and follow me so that you don’t miss any upcoming walkthroughs.
