Network Penetration Testing via Sunflower Remote Access
Target Environment Overview
Initial access was obtained through Sunflower remote-management credentials for an unattended operations machine. The objective was to penetrate the internal network and collect three flags: flag1 on a user's desktop on a DMZ web server, flag2 in the administrator folder on the same web server, and flag3 in C:\flag on a file server in the core data network. The flags score 300, 300 and 400 points respectively.
Acquiring Flag1 from DMZ Web Server
Network Discovery
After connecting to the operations machine through Sunflower, the network configuration was checked with ipconfig: the machine sat in the 192.168.23.0/24 subnet. A host-discovery sweep with nmap -sn 192.168.23.0/24 identified the target web server at 192.168.23.130.
Port Scanning and Service Identification
A SYN scan of the first 10000 ports was run with nmap -sS -p 1-10000 -v 192.168.23.130. Two of the open ports, 4498 and 5040, were not immediately recognisable, so service detection was run with nmap -p 4498,5040 -sV 192.168.23.130. It identified port 4498 as ms-wbt-server, i.e. Microsoft Remote Desktop Services listening on a non-standard port.
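The discovery and port-scan steps above leave a characteristic footprint: one source touching many addresses within seconds, then many ports on a single host. The Python detector below, added here as an illustration and not part of the original write-up, counts distinct targets per source over a sliding window and raises an alert once a threshold is crossed. The key=value log layout, the thresholds and the sample records are constructed assumptions; a real firewall or NetFlow export needs its own parser and tuning.

```python
"""Flag host sweeps and port sweeps in a connection log (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; tune them to the network.
PORT_SWEEP_THRESHOLD = 10   # distinct destination ports from one source to one host
HOST_SWEEP_THRESHOLD = 5    # distinct destination hosts probed by one source
WINDOW = timedelta(seconds=60)

# Constructed sample log: firewall-style "key=value" records (layout is assumed).
_SCAN_PORTS = [21, 22, 23, 25, 53, 80, 135, 139, 443, 445, 3389, 4498, 5040]
SAMPLE_LOG = [
    # a host-discovery sweep: one probe per address in the /24
    *[f"2024-05-01T10:00:0{i} proto=icmp src=192.168.23.10 dst=192.168.23.{h} dport=0"
      for i, h in enumerate((128, 129, 130, 131, 132, 133), start=1)],
    # a port sweep against the web server about a minute later
    *[f"2024-05-01T10:01:{i:02d} proto=tcp src=192.168.23.10 dst=192.168.23.130 dport={p}"
      for i, p in enumerate(_SCAN_PORTS)],
    # benign traffic: one workstation talking to the same server on two ports
    "2024-05-01T10:01:30 proto=tcp src=192.168.23.50 dst=192.168.23.130 dport=80",
    "2024-05-01T10:01:31 proto=tcp src=192.168.23.50 dst=192.168.23.130 dport=443",
]


def parse(line):
    """Turn one constructed log line into a dict with a datetime and an int port."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["dport"] = int(rec["dport"])
    return rec


def detect_sweeps(lines, window=WINDOW):
    """Return alerts as (kind, src, dst_or_None, count).

    Each source keeps a sliding window of (timestamp, port) per destination and
    of (timestamp, destination) overall; an alert fires once per source when the
    number of distinct ports or hosts inside the window reaches the threshold.
    """
    port_events = defaultdict(list)   # (src, dst) -> [(ts, dport)]
    host_events = defaultdict(list)   # src -> [(ts, dst)]
    fired, alerts = set(), []
    for rec in sorted(map(parse, lines), key=lambda r: r["ts"]):
        src, dst, ts = rec["src"], rec["dst"], rec["ts"]

        key = (src, dst)
        port_events[key] = [e for e in port_events[key] if ts - e[0] <= window]
        port_events[key].append((ts, rec["dport"]))
        ports = {p for _, p in port_events[key]}
        if len(ports) >= PORT_SWEEP_THRESHOLD and ("port", key) not in fired:
            fired.add(("port", key))
            alerts.append(("port_sweep", src, dst, len(ports)))

        host_events[src] = [e for e in host_events[src] if ts - e[0] <= window]
        host_events[src].append((ts, dst))
        hosts = {d for _, d in host_events[src]}
        if len(hosts) >= HOST_SWEEP_THRESHOLD and ("host", src) not in fired:
            fired.add(("host", src))
            alerts.append(("host_sweep", src, None, len(hosts)))
    return alerts


if __name__ == "__main__":
    for alert in detect_sweeps(SAMPLE_LOG):
        print(alert)
```

On the sample data the host sweep fires at the fifth probed address and the port sweep at the tenth distinct port, while the workstation that only uses ports 80 and 443 stays quiet. Because ICMP-only discovery never carries a port, the host-sweep rule is what catches an nmap -sn run; the port-sweep rule catches the later -sS scan.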
Credential Brute-Forcing and Access
A single credential pair was tested against the RDP service with Hydra (hydra -l guest1 -p guest1 -t 1 -w 1 rdp://192.168.23.130:4498), which confirmed that guest1/guest1 was valid. Remote Desktop Connection was then used to log in on port 4498, and flag1 was retrieved from the user's desktop.
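From the server's point of view this step is a remote interactive logon (Windows Security Event 4624 with logon type 10) from a machine that has no business opening RDP sessions to the DMZ. The Python rule below, added as an illustration and not part of the original write-up, generalises the case on the page: it flags any RDP success from a source outside an allow-list, and separately flags a success that follows a run of failures (Event 4625) from the same source and account, the pattern a real guessing run leaves. The allow-list, thresholds and sample events are constructed assumptions; only the event IDs, logon types and field names are real.

```python
"""Spot suspicious RDP logons in Windows Security events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for this example: only the jump host below may open RDP to the DMZ.
ALLOWED_RDP_SOURCES = {"192.168.23.5"}
FAILURE_THRESHOLD = 5
WINDOW = timedelta(minutes=5)


def ev(ts, event_id, user, ip, logon_type=10, status=None):
    """Minimal Security-log record (constructed; only the fields the rules read)."""
    return {"ts": datetime.fromisoformat(ts), "EventID": event_id,
            "TargetUserName": user, "IpAddress": ip,
            "LogonType": logon_type, "Status": status}


SAMPLE_EVENTS = [
    # a guessing run from an unattended machine: six failures, then a success
    *[ev(f"2024-05-01T10:05:{s:02d}", 4625, "guest1", "192.168.23.10", status="0xC000006D")
      for s in range(0, 12, 2)],
    ev("2024-05-01T10:05:13", 4624, "guest1", "192.168.23.10"),
    # a routine admin session from the jump host
    ev("2024-05-01T11:00:00", 4624, "webadmin", "192.168.23.5"),
    # a console logon (type 2) is not RDP and is ignored
    ev("2024-05-01T11:30:00", 4624, "webadmin", "127.0.0.1", logon_type=2),
]


def detect_rdp_abuse(events):
    """Return a list of alert dicts; events are processed in time order."""
    alerts = []
    failures = defaultdict(list)   # (ip, user) -> timestamps of recent 4625 events
    for e in sorted(events, key=lambda e: e["ts"]):
        # With Network Level Authentication, failed RDP attempts are commonly
        # logged as type 3, so both types are considered here.
        if e["LogonType"] not in (3, 10):
            continue
        key = (e["IpAddress"], e["TargetUserName"])
        if e["EventID"] == 4625:
            failures[key] = [t for t in failures[key] if e["ts"] - t <= WINDOW]
            failures[key].append(e["ts"])
            continue
        if e["EventID"] != 4624:
            continue
        recent = [t for t in failures[key] if e["ts"] - t <= WINDOW]
        if len(recent) >= FAILURE_THRESHOLD:
            alerts.append({"rule": "success_after_failures", "ip": e["IpAddress"],
                           "user": e["TargetUserName"], "failures": len(recent)})
        if e["IpAddress"] not in ALLOWED_RDP_SOURCES:
            alerts.append({"rule": "rdp_from_unexpected_source", "ip": e["IpAddress"],
                           "user": e["TargetUserName"], "failures": len(recent)})
        failures[key].clear()   # a success closes the current guessing window
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_abuse(SAMPLE_EVENTS):
        print(alert)
```

In the exact scenario on the page, where the first guess is correct, only the allow-list rule fires; the failure-count rule is there for the more common case where many attempts precede the success. Note that the non-standard listening port does not appear in 4624/4625, so port-based detection has to come from firewall or host-firewall logs instead.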
Escalating to Flag2 on Web Server
Privilege Escalation Approach
Access to the administrator folder was denied to the guest1 account. Browser credential extraction with HackBrowserData recovered the administrator password @Asdf1234 from the browser's saved logins.
Gaining Administrative Access
With the recovered credentials, a command prompt was launched as administrator. This gave access to the administrator's user folder, from which flag2 was collected.
Lateral Movement to Flag3 on Core Data Server
Internal Network Reconnaissance
Checking the web server's network interfaces revealed a second subnet, 192.168.171.0/24. A host-discovery scan (nmap -sn 192.168.171.0/24) found an active host at 192.168.171.129.
Credential Harvesting and Cracking
Mimikatz was run with elevated privileges, and its lsadump module was used to dump the NTLM password hashes of the local accounts from the SAM database:
privilege::debug
token::elevate
lsadump::sam
exit
The resulting NTLM hashes were saved to a file and cracked with Hashcat in NTLM mode (-m 1000) using a straight dictionary attack (-a 0):
hashcat -m 1000 -a 0 -o cracked.txt --force hash_list.txt password_dictionary.txt
This revealed the cleartext password @ASDFqwer123 for the local user asdfqwer.
Establishing IPC Connection and Retrieving Flag
An SMB session to the IPC$ share of the target file server was established with the cracked credentials:
net use \\192.168.171.129\IPC$ "@ASDFqwer123" /user:"asdfqwer"
Finally, flag3 was read directly from the file server's C$ administrative share:
type \\192.168.171.129\c$\flag\flag3.txt
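The last two commands produce a recognisable sequence on the file server: with "Audit File Share" enabled, the net use call logs Event 5140 for \\*\IPC$, and the type command logs a second 5140 for \\*\C$ from the same address and account moments later. The Python rule below, added as an illustration and not part of the original write-up, flags administrative-share access from any host outside an allow-list and records whether an IPC$ session preceded it. The allow-list, the source address 192.168.171.200 (the page does not give the web server's address on the second subnet) and the sample events are constructed assumptions; the event ID, share names and field names are real.

```python
"""Flag administrative share access from unexpected hosts (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {"IPC$", "C$", "ADMIN$"}
# Hosts that legitimately use administrative shares on the file server (assumed).
ALLOWED_ADMIN_SOURCES = {"192.168.171.10"}
WINDOW = timedelta(minutes=10)


def share_event(ts, user, ip, share):
    """Minimal Event ID 5140 record (constructed; only the fields the rule reads)."""
    return {"ts": datetime.fromisoformat(ts), "EventID": 5140,
            "SubjectUserName": user, "IpAddress": ip, "ShareName": share}


SAMPLE_EVENTS = [
    # the lateral-movement pattern: IPC$ session, then C$, same source and account
    share_event("2024-05-01T12:00:00", "asdfqwer", "192.168.171.200", "\\\\*\\IPC$"),
    share_event("2024-05-01T12:00:04", "asdfqwer", "192.168.171.200", "\\\\*\\C$"),
    # a backup host that is expected to use C$
    share_event("2024-05-01T12:30:00", "svc_backup", "192.168.171.10", "\\\\*\\C$"),
    # ordinary user traffic to a normal file share
    share_event("2024-05-01T13:00:00", "alice", "192.168.171.50", "\\\\*\\Projects"),
]


def share_basename(share_name):
    """'\\\\*\\C$' -> 'C$' (5140 logs the share as \\*\name)."""
    return share_name.rsplit("\\", 1)[-1].upper()


def detect_admin_share_access(events, window=WINDOW):
    """Return alert dicts for admin-share use from hosts outside the allow-list."""
    alerts = []
    ipc_seen = defaultdict(list)   # (ip, user) -> timestamps of IPC$ connections
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["EventID"] != 5140:
            continue
        share = share_basename(e["ShareName"])
        key = (e["IpAddress"], e["SubjectUserName"])
        if share == "IPC$":
            # IPC$ alone is too common to alert on; remember it as context
            ipc_seen[key].append(e["ts"])
            continue
        if share not in ADMIN_SHARES or e["IpAddress"] in ALLOWED_ADMIN_SOURCES:
            continue
        preceded = any(e["ts"] - t <= window for t in ipc_seen[key])
        alerts.append({"rule": "admin_share_from_unexpected_host",
                       "ip": e["IpAddress"], "user": e["SubjectUserName"],
                       "share": share, "ipc_first": preceded})
    return alerts


if __name__ == "__main__":
    for alert in detect_admin_share_access(SAMPLE_EVENTS):
        print(alert)
```

Only the web server's access to C$ is reported; the backup host is allow-listed and the Projects share is not administrative. If "Audit Detailed File Share" is also enabled, Event 5145 adds the relative path inside the share, which would show the flag file itself being read.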