1 : The fun begins!
Command Used: powershell "Get-ChildItem -Path C:\\ -Filter flag.txt -Recurse" after getting admin shell.
Location : Directory: C:\DotNetNuke\flag.txt
Flag: Cyb3rN3t1C5{De$3R!al!z@ti0n}
2 : We first learn to crawl before walking
Echoed the flag.txt after getting the initial shell on M3SQLW.
Location: C:\Users\svc_sql\Desktop
Flag: Cyb3rN3t1C5{Sql$erv3rL!nkCr@wl}
3. Those damn webapps!
After getting into M3WEBAW
Location: PS C:\ActiveMQ\conf> cat jetty-realm.properties
Flag: Cyb3rN3t1C5{CR3d$_!n_fil3s}
4. You can’t constrain me!
After getting into M3DC.
Location : C:\Users\Administrator\Desktop
Flag: Cyb3rN3t1C5{C0n$tr@!n3d!}
5. Welcome to Cybernetics
After getting in corewebdl 10.9.15.11 using Drupalgeddon2
Location : /var/www/html
Flag: Cyb3rN3t1C5{W3lC0m3_2_Cyb3rn3t!cs}
6. The art of writing descriptions
Using adtool on corewebdl and enumerating all users with their description
Location : User Descriptions from Corewebdl
Flag: Cyb3rN3t1C5{Cr3d$_!n_De$cr!pti0ns}
7. Fisherman’s Training
Got it while enumerating the scheduled tasks
Location: OpenEmail file. (Look at the notes for exact path finding)
Flag: Cyb3rN3t1C5{Y0u_C@nt_Ph!$h_M3}
8. Secure credential storage
Devops share
Location: cyber.local/robert.ortiz:to7oxaith2Vie9@10.9.10.14
Flag: Cyb3rN3t1C5{D3vOP$_S3cure_Cr3d$}
9. Signature required upon delivery
After the priv esc of corewkt001
Location: C:\Users\Adminisitrator\flag.txt
Flag: Cyb3rN3t1C5{D3vOP$_C0d3_S!gning}