As always, I scanned the ports with nmap (with some magical nmap parameters), and the result showed that the machine had some standard Windows ports open plus port 80 (HTTP). I opened port 80 in my browser and found an XMPP server index page. I visited some pages from the index and found a phpinfo page. The machine was Windows 7 Professional Service Pack 1, so I thought the magical EternalBlue exploit should work. After exploiting it with EternalBlue I had NT AUTHORITY\SYSTEM on the Algeria machine, so I went straight to the Administrator's Desktop directory to read root.txt, but it said something like "nope, flag not here". This was the real trick, but I had seen a question like this before, so it wasn't hard for me to read the flag from root.txt. I could read the flag with basic
Starting with the nmap scan
(Screenshot from my team member miador)
It had some Windows ports open. When I saw that the HTTP port was open I visited it in my browser, and an XMPP server page welcomed me (I forgot to take a screenshot of it).
Browsing on the XMPP page
While I was browsing the XMPP page I found the phpinfo page. It said that the Algeria machine was running Windows 7 Professional Service Pack 1. Every time I see Windows 7, I start thinking about the EternalBlue (MS17-010) exploit.
Continuing with the Metasploit Framework
After that I ran msfconsole and used the exploit/windows/smb/ms17_010_eternalblue module against the Algeria machine. (Before firing it, it is worth confirming the host is actually vulnerable with the auxiliary/scanner/smb/smb_ms17_010 module or nmap's smb-vuln-ms17-010 script: a failed EternalBlue attempt can crash the target, which on a real engagement you would rather avoid.)
B00M: "meterpreter session 1 opened".
And I already had NT AUTHORITY\SYSTEM because of EternalBlue: the exploit runs in the kernel, so the session comes up as SYSTEM and no privilege escalation was needed.
Searching for root.txt
I found root.txt on the Administrator's Desktop, but it only said "The problem is not the root, it's the branches!".
After this message I executed dir /R to see whether any detail was hidden there. (The /R switch lists NTFS alternate data streams attached to each file; a plain dir, the file size and type root.txt never show them.)
Ta daa, I saw the branches mentioned in root.txt: about 800 alternate data streams named Branch_N attached to the file.
Capturing the FLAG
I had seen this kind of question before, so I executed
more < root.txt:Branch_99 to see whether it worked, and it did.
I couldn't check for the flag by hand with that command (one stream at a time), so I wrote a small Windows batch script:
for /l %%x in (1, 1, 1000) do ( more < root.txt:Branch_%%x )
(Inside a .bat file the loop variable is written %%x; typed directly at the cmd prompt it is %x. The redirection is what makes this work: more reads the stream through stdin, which is why the file:stream syntax is accepted here.)
This script executed the more command 1000 times for me, but since I was looking at the terminal screen I couldn't pick out the flag by eye: there was almost no difference between the 1000 lines of output.
Therefore I redirected the output of my script to a file called buldum.txt (I don't know why I named it that). Then I downloaded buldum.txt to my computer and removed the repeated lines with gedit.
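The same hunt can be done in one pass without eyeballing 1000 lines. The PowerShell script below is an added example, not code from the write-up: it enumerates every alternate data stream on root.txt with Get-Item -Stream *, reads each one with Get-Content -Stream (the PowerShell equivalent of more < file:stream), groups the streams by content, and prints the group with the fewest members first, so the flag stream stands out from the identical decoys. It assumes root.txt is in the current directory and that the decoy streams all carry the same text, as the post describes.

```powershell
# Added example (not from the write-up): find the alternate data stream on
# root.txt whose content differs from the rest.
# Assumptions: root.txt is in the current directory and all decoy streams
# hold the same text, so the flag stream ends up alone in its group.
param([string]$Path = '.\root.txt')

# Get-Item -Stream * returns the unnamed ':$DATA' stream plus every named ADS,
# the same list that 'dir /R' prints in cmd.
$streams = @(Get-Item -Path $Path -Stream * |
    Where-Object { $_.Stream -ne ':$DATA' })

"{0} alternate data streams found on {1}" -f $streams.Count, $Path

# Read each stream. An empty stream makes Get-Content return $null, so guard
# before trimming.
$contents = foreach ($s in $streams) {
    $raw = Get-Content -Path $Path -Stream $s.Stream -Raw
    [pscustomobject]@{
        Stream  = $s.Stream
        Length  = $s.Length
        Content = if ($raw) { $raw.Trim() } else { '' }
    }
}

# Group by content: the decoys collapse into one large group and the odd
# stream (the flag) is the group with the smallest count, printed first.
$contents |
    Group-Object -Property Content |
    Sort-Object -Property Count |
    ForEach-Object {
        "{0,5} stream(s) contain: {1}   (e.g. {2})" -f $_.Count, $_.Name, $_.Group[0].Stream
    }

# Keep the full stream/content table for offline inspection, like buldum.txt
# in the post, but with the stream name next to each value.
$contents | Export-Csv -Path '.\branches.csv' -NoTypeInformation
```

Run it from a shell spawned in the meterpreter session (shell, then powershell -ExecutionPolicy Bypass -File .\branches.ps1 from the Desktop directory). Because each row carries the stream name, the output also tells you which Branch_N held the flag, which the bare more loop could not.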
And the flag:
My eternalblue-scanner script had automatically taken the screenshot of the Algeria machine :)