Let's exploit a Windows Machine in this Beginner-Level Challenge
This task serves to grab our attention so we can find the 'keys to the castle'. Designed for beginners: no brute-force logins required, just our preferred browser and RDP.
I chose to use nmap [machine IP] -sS -sC -A -v
- -sS: Default, quick TCP SYN scan. I think this is more out of habit than anything else, as it's one of the first flags I learned :D
- -sC: Performs a script scan with the default set of scripts.
- -sV: Version detection.
- -A: Aggressive scan. Enables additional advanced and aggressive options, including OS detection (-O), version scanning (-sV), script scanning as stated above (-sC) and traceroute (--traceroute). Basically a comprehensive flag bundling a set of options. Not sure if it's redundant to use both -sC and -A, or if it would be more observable to use both, or perhaps the use of -A cancels -sC.
- -v: Increase verbosity of output.
And with this we can answer Q2 and Q3.
We know that Q4 contains a hint: "fill in the gap ******.txt". We also know that a particular file lives at the root of our site, a very common file used in SEO to tell search engine bots which pages of the site they are allowed (or not allowed) to crawl and index.
Now, we also know that the mere presence of this file does not indicate a security vulnerability. That said, it's often used to identify restricted or private areas of a site's contents. Thus, the information in the file may help an attacker map out the site's contents, especially if the file mentions or identifies locations that are not otherwise apparent or linked to from anywhere within the site. The vulnerability arises where the application relies on this file to keep certain areas private, but nothing actually restricts access to those areas or to the .txt file itself.
See CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).
OK, so, appending this common file to the end of the web link gives us our answer to Q4, as well as a nice list of additional directories that may be useful later!
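The CWE-200 point above is worth turning into a check a site owner can run against their own site: every path a robots.txt Disallows should be behind real access control (a login redirect, 401 or 403), not merely hidden from crawlers. The following script is an added example, not code from the original write-up; the robots.txt text and the per-path status codes in it are constructed sample data, and in a real audit they would come from fetching your own site with an unauthenticated client.

```python
"""Audit a robots.txt for Disallow paths that are served without access
control (added example; the sample data below is constructed)."""
import re
from typing import Dict, List

# Constructed robots.txt, in the style of the file discussed above.
SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /umbraco/
Disallow: /backup/
Disallow: /admin-notes/
Allow: /
Sitemap: https://example.invalid/sitemap.xml
"""

# Constructed unauthenticated responses: path -> HTTP status code.
SAMPLE_RESPONSES = {
    "/umbraco/": 302,       # redirects to a login page: access-controlled
    "/backup/": 200,        # served to anyone: the CWE-200 case
    "/admin-notes/": 403,   # forbidden: access-controlled
}


def parse_disallowed_paths(robots_txt: str) -> List[str]:
    """Return the Disallow paths declared in any user-agent group.

    Comments are stripped; an empty Disallow (which disallows nothing)
    is skipped; duplicates are collapsed in first-seen order.
    """
    paths: List[str] = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(?i)^disallow\s*:\s*(\S*)", line)
        if not m:
            continue
        path = m.group(1)
        if path and path not in paths:
            paths.append(path)
    return paths


def find_unprotected(robots_txt: str, responses: Dict[str, int]) -> List[str]:
    """Disallowed paths an anonymous client can still read.

    A 2xx answer means robots.txt was the only thing hiding the resource;
    a redirect to login, 401 or 403 means access control is in place.
    Paths missing from `responses` were not probed and are not reported.
    """
    unprotected: List[str] = []
    for path in parse_disallowed_paths(robots_txt):
        status = responses.get(path)
        if status is not None and 200 <= status < 300:
            unprotected.append(path)
    return unprotected


if __name__ == "__main__":
    for path in parse_disallowed_paths(SAMPLE_ROBOTS_TXT):
        print("disallowed:", path)
    for path in find_unprotected(SAMPLE_ROBOTS_TXT, SAMPLE_RESPONSES):
        print("UNPROTECTED (relies on robots.txt only):", path)
```

On the constructed data only /backup/ is reported: it is hidden from crawlers but served to anyone, which is exactly the situation the text describes. Anything listed by this check should get proper authentication, not a longer robots.txt.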
I'm still green, so I did a quick Google search to find the answer, based on the info above:
Fairly straightforward, this one.
Again, just reading a bit of the site provides us with the answer after a Google search (hint) based on clues on the site:
Again, the hint provided here prompts us to find another email address on the site and assume the administrator follows the same email format. Knowing the administrator's name and applying this format gives us our answer.
Our beloved admin left some flags behind that we need to gather before proceeding to the next task...
I saw one of these initially, by accident, when viewing the source code for the main site.
I had to click through some links in the source but ultimately found this one in the "We are Hiring" post.
This is the one I saw initially, as noted above. Stands out.
Found with respect to "Authors"
Found using Inspector
Let's get into the box using the intel we gathered!
Based on our earlier findings, we know we can log in at http://[machine IP]/umbraco/ using the info we discovered (the username, not the email address, and the password from Task 1 above), though this doesn't give us much. Since RDP was introduced at the beginning, it seems logical to try that route with a similar username and the same password.
I used Remmina for RDP.
We get a hint here that it is hidden.
So, we can go to our C drive (or This PC), enable "show hidden files and folders", and a few new folders appear, including one called "Backup" with a txt file inside named "restore.txt".
But, unfortunately we don't have access rights to this file.
So, we need to change permissions on the file: right-click it, select Properties > Security > Edit, and tick "Allow" for all permissions.
Now we can open restore.txt, which gives us the Administrator password and the answer to Q3.
We can now open a cmd prompt as Administrator, enter the password from Q3, open the file and get our flag!
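The permission edit above only works because the logged-on user already held Full Control (which includes WRITE_DAC) on a file they were not meant to read; hiding the folder changed nothing. The script below is an added example, not code from the write-up or the challenge, that a defender could run over `icacls <file>` output to find files in a backup directory where low-privileged principals hold rights that let them change the content or the ACL. The icacls output embedded in it is constructed to mirror icacls' real layout; the paths and principals are sample values, not the box's.

```python
"""Flag NTFS ACL entries that let low-privileged principals rewrite a file
or its permissions, from `icacls <file>` output (added example; the output
below is constructed sample data)."""
import re
import subprocess
from typing import Dict, List, Tuple

# icacls simple/specific rights that allow changing content or the ACL:
# Full, Modify, Write, write DAC, write Owner, Delete.
DANGEROUS_RIGHTS = {"F", "M", "W", "WDAC", "WO", "D"}

# Principals an ordinary interactive user maps to (compared lower-case).
LOW_PRIV_PRINCIPALS = {
    "everyone", "builtin\\users",
    "nt authority\\authenticated users", "nt authority\\interactive",
}

# Constructed: what `icacls C:\Backup\restore.txt` and a sibling would print.
SAMPLE_ICACLS_OUTPUT: Dict[str, str] = {
    r"C:\Backup\restore.txt": (
        r"C:\Backup\restore.txt BUILTIN\Users:(F)" "\n"
        r"                      NT AUTHORITY\SYSTEM:(I)(F)" "\n"
        r"                      BUILTIN\Administrators:(I)(F)" "\n"
        "\nSuccessfully processed 1 files; Failed processing 0 files\n"
    ),
    r"C:\Backup\notes.txt": (
        r"C:\Backup\notes.txt NT AUTHORITY\SYSTEM:(I)(F)" "\n"
        r"                    BUILTIN\Administrators:(I)(F)" "\n"
        r"                    BUILTIN\Users:(I)(RX)" "\n"
        "\nSuccessfully processed 1 files; Failed processing 0 files\n"
    ),
}

# One ACE: "<principal>:(flag)(flag)..." e.g. "BUILTIN\Users:(I)(RX)"
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([A-Za-z,]+\))+)$")


def icacls_output(path: str) -> str:
    """Run icacls on a Windows host (not used by the offline sample)."""
    return subprocess.run(["icacls", path], capture_output=True,
                          text=True, check=True).stdout


def parse_icacls(path: str, output: str) -> List[Tuple[str, List[str]]]:
    """Return [(principal, [flags...]), ...] for one file's icacls output.

    icacls prints the path once, on the first line, followed by the first
    ACE; later ACEs are indented. icacls does not quote, so the known path
    is stripped rather than guessed from whitespace (paths with spaces are
    therefore handled correctly).
    """
    aces: List[Tuple[str, List[str]]] = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        # "(I)(OI)(CI)(F)" or "(RX,W)" -> ["I", "OI", "CI", "F"] / ["RX", "W"]
        flags = [f for grp in re.findall(r"\(([^)]+)\)", m.group("flags"))
                 for f in grp.split(",")]
        aces.append((m.group("who"), flags))
    return aces


def weak_entries(path: str, output: str) -> List[Tuple[str, str]]:
    """(principal, right) pairs granting a low-privileged principal a right
    that lets it change the file or its ACL. Deny ACEs are ignored."""
    findings: List[Tuple[str, str]] = []
    for who, flags in parse_icacls(path, output):
        if "DENY" in flags or who.lower() not in LOW_PRIV_PRINCIPALS:
            continue
        findings.extend((who, f) for f in flags if f in DANGEROUS_RIGHTS)
    return findings


def audit(outputs: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each path to its weak entries; clean files are omitted."""
    result: Dict[str, List[Tuple[str, str]]] = {}
    for path, output in outputs.items():
        weak = weak_entries(path, output)
        if weak:
            result[path] = weak
    return result


if __name__ == "__main__":
    for path, weak in audit(SAMPLE_ICACLS_OUTPUT).items():
        for who, right in weak:
            print(f"{path}: {who} holds {right}")
```

On the constructed data only restore.txt is reported, because BUILTIN\Users holds (F) on it while notes.txt grants them only (RX). On a real host, populate the dictionary with `icacls_output(path)` for each file under the backup directory; any finding means the file's secrecy rests on nobody looking, not on the ACL.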
Thanks for reading!