I designed this room myself. For every room that I write up, I will give a rating based on how CTFy it is and how close to real life it is.

I will also be outlining basic skills that you should be picking up out of the room.

Metrics Score
CTF 5/10
Realism 6/10

Lessons: Windows File Permissions, reuse of credentials, poorly configured permissions

Task #1

  1. We have to run an nmap scan on the box
    nmap IP -p- -sV -T 5

  1. We look at the above nmap scan and figure out which is the correct port for the webserver
  2. We look at the above nmap scan and figure out which is the correct port for the Remote Desktop Service
  3. We look through the website and look at robots.txt file

  1. Quick maths for this one.

  2. We can find this information on the main page of the webserver.

  1. This is an easy one. We just have to Google the verses; we are also provided with the name of the author in the first blog post.

  1. This one is a little bit about deduction. In the second article posted on the blog, a user has provided an email address. Noticing the pattern of the email, we can put together the email address of the administrator.

Task #2

  1. For the first flag, we need to inspect the element of the article we just viewed

  1. For this one we need to inspect the element of the search bar

  1. For this one, we need to go to Jane Doe's profile

  1. This flag is located in the first blog post

Task #3

  1. After a little bit of trial and error, or hopefully knowing that local users cannot log in to a Windows machine that is not on the domain with an email, and with the password that was discovered before, they should be able to log in to the box.

  2. Once the user logs in, a file on the desktop contains the flag

  3. This is a tricky one. There is a hidden folder on the root of C:\. The file in it had its permissions removed; however, the user still has ownership over the file, so he has to give himself permissions to read it.
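
The lesson behind this step, as an added example that is not part of the room or the original write-up: a file's owner implicitly keeps the right to read and rewrite its DACL, so removing every ACE does not lock the owner out. This PowerShell audit, run elevated, lists files owned by non-administrative accounts; the function name, the trusted-owner list and the placeholder path in the last comment are assumptions.

```powershell
# Added example, not part of the room. Run elevated so every ACL under $Root is readable.
function Find-OwnerControlledFile {
    param([Parameter(Mandatory)][string]$Root)

    $sid = [System.Security.Principal.SecurityIdentifier]
    # Owners treated as trusted here (an assumption; adjust to your environment):
    # SYSTEM, BUILTIN\Administrators, TrustedInstaller.
    $trusted = 'S-1-5-18', 'S-1-5-32-544',
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'

    # -Force includes hidden and system items, which a default listing leaves out.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }

            $owner = $acl.GetOwner($sid)
            if (-not $owner -or $trusted -contains $owner.Value) { return }

            # Explicit and inherited ACEs, with identities resolved to SIDs.
            $rules = @($acl.GetAccessRules($true, $true, $sid))
            # An OWNER RIGHTS ACE (S-1-3-4) replaces the owner's implicit
            # READ_CONTROL/WRITE_DAC, so such files are not reported.
            if ($rules | Where-Object { $_.IdentityReference.Value -eq 'S-1-3-4' }) { return }

            [pscustomobject]@{
                Path          = $file.FullName
                Owner         = $acl.Owner
                AceCount      = $rules.Count
                # No ACE names the owner: access looks removed but is one DACL edit away.
                OwnerHasNoAce = -not ($rules | Where-Object { $_.IdentityReference.Value -eq $owner.Value })
            }
        }
}

# Usage: stripped DACLs (AceCount 0) sort to the top of the report.
Find-OwnerControlledFile -Root 'C:\' | Sort-Object AceCount | Format-Table -AutoSize

# Remediation for a reported file (placeholder path): move ownership to Administrators.
# icacls 'C:\path\to\file' /setowner Administrators
```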

  1. This one can be done in multiple ways:
    a. Remote Desktop to the box again with the Administrator credentials.
    b. Run Command Prompt/PowerShell as a different user.

Hopefully now you have completed the room and learned a few lessons.