Lateral Movement & Pivoting CTF 1 - can only get flag 1!

So I feel like my confidence has completely drained; I can only find the first flag (out of 5) for this lab. Any help would be appreciated.

You need to focus on both open ports; you can either get a shell with msfconsole or use creds to authenticate.

Thanks, I will try again.

Where you find your flag4, the hash file is left there on the first machine. You need to pivot and use proxychains to use that for pass the hash.

Thank you. It’s done now.

How did you get the second flag :)?

No idea, I'm stuck on this too.

How can I use msfconsole without creds? I cannot find mike's credentials at all, so I'm not sure what the next step would be?

Could you help me with flag 2 please, also 3 and 5!

If you got flag1, then you have to use these creds on the server which has the database. Look into the database; maybe you will find something.

As I say, look for open ports.

I've got 2 open ports. I've used the creds and logged in using them, and searched everywhere for mike's credentials to gain access to the other open port, but cannot find anything?

Not able to log in as any user into mssql. It’s showing the error “ERROR 2002 (HY000): Can’t connect to local MySQL server through socket ‘/var/run/mysqld/mysqld.sock’ (13)” on the machine target1. Is this supposed to happen???
Any help would be appreciated.

For flag 5, use the psexec module of msfconsole in order to access target3, then set up the autoroute and the socks_proxy. Then on target3 C:\ you will find a file hash.txt with the hash of the user for the access on target4. Use proxychains with evil-winrm passing -H . The flag is in the home directory C:\. Let me know if you have other needs. I’m trying to reach flag 2 and 3 now.


For flag 2 and 3 you have to retrieve the credentials from the mysql db. You can use this command to access and identify the name of the db:

mysql -u john -h 127.0.0.1 -p

show databases;

But user John can’t access the db.

So from the kali machine you can use:

mysqldump -u john -h target1.ine.local -p(john’s password) (db name)


Thanks, I overlooked the file and only focused on hashes in memory. Also, for target 1, I figured out how to connect to the mysql service successfully.

Hello,
Try to keep it simple
Flag 2 and 3 from database found in target1 (mysql -u root -p -h 127.0.0.1)
Flag4 bruteforce Administrator user
Flag 5 search hash file on target3
