Dancing (Tier 0)
Description
Tier -> 0
Difficulty -> Very Easy
OS -> Windows
Tags -> Protocols / SMB / Reconnaissance / Anonymous-Guest Access
Write-up
With a little research, I started answering the first questions

Answer: Server Message Block

Answer: 445
Then I did an initial port scan using Nmap
nmap -p- -Pn --min-rate 2000 10.129.76.14

With this and a little research, I answered the next questions

Answer: microsoft-ds

Answer: -L
After this, I did an exhaustive scan to get information on the services running on the open ports
nmap -p135,139,445,5985,47001,49664,49665,49666,49667,49668,49669 -sVC 10.129.76.14


I focused on port 445, which by default is used for the SMB protocol. I tried connecting with the smbclient tool to list the contents being shared by the service. When asked for a password, I left it blank, and fortunately I got the list of shares from the target machine
smbclient -L 10.129.76.14

To learn more about the SMB protocol you can go here
With this, I answered the next question

Answer: 4
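The two checks above (is 445 open, and does the host hand out its share list to a null session) are the ones a defender would want to run over their own hosts as an audit. The following POSIX shell helper is an added example, not part of the original write-up: it parses Nmap grepable output (-oG) to find hosts with 445 open, then runs smbclient -L with -N (no password, i.e. the same anonymous listing the write-up performed) and counts the shares returned. The sample Nmap and smbclient output embedded below is constructed to resemble the machine in the write-up (four shares, including WorkShares); any host list you pass as arguments is your own.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit helper that reports
# hosts exposing SMB share listings to anonymous (null-session) clients.

# From `nmap -oG` (grepable) output on stdin, print the IPs with 445/tcp open.
hosts_with_445_open() {
  awk '/^Host:/ && /Ports:/ && /445\/open\/tcp/ { print $2 }'
}

# From `smbclient -L` output on stdin, count rows of the Sharename table.
count_shares() {
  awk '
    /^[[:space:]]*Sharename[[:space:]]+Type/        { in_table = 1; next }
    in_table && /^[[:space:]]*-+[[:space:]]+-+/      { next }         # header underline
    in_table && /^[[:space:]]*$/                     { in_table = 0; next }
    in_table && /^[[:space:]]+[^[:space:]]+[[:space:]]+(Disk|IPC|Printer)/ { n++ }
    END { print n + 0 }
  '
}

# Return 0 if HOST answers an anonymous share listing with at least one share.
# -N tells smbclient not to prompt for a password (null session).
anon_smb_listing_allowed() {
  host="$1"
  out=$(smbclient -L "$host" -N 2>/dev/null) || return 1
  n=$(printf '%s\n' "$out" | count_shares)
  [ "$n" -gt 0 ]
}

# Constructed sample of `nmap -oG` output for the machine in the write-up.
SAMPLE_NMAP='# Nmap scan (constructed sample)
Host: 10.129.76.14 ()	Status: Up
Host: 10.129.76.14 ()	Ports: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///	Ignored State: filtered (65524)
'

# Constructed sample of `smbclient -L` output (Windows default shares plus WorkShares).
SAMPLE_SMB='	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	WorkShares      Disk      
Reconnecting with SMB1 for workgroup listing.
'

# Usage: ./smb_audit.sh HOST [HOST...]  (no network access when run without args)
for host in "$@"; do
  if anon_smb_listing_allowed "$host"; then
    echo "FINDING: $host allows anonymous SMB share listing"
  else
    echo "ok: $host requires authentication for share listing (or 445 closed)"
  fi
done
```

In a real audit you would feed the output of `nmap -p445 -oG - <range>` through hosts_with_445_open and pass the result to the loop; a FINDING line is the condition to fix (disable guest/null sessions, restrict share permissions) or to alert on when it appears on a host where it was previously absent.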
After this, I tried accessing the shared folders and when doing it with the one named WorkShares, I gained access without being asked for a password
smbclient //10.129.76.14/WorkShares

With this and a little research, I answered the next questions

Answer: WorkShares

Answer: get
Then I listed the content of the shared folder where I found some folders that seemed to belong to users of the target system. So I explored them, and when reaching the James.P directory, I listed its content and found a flag.txt file


Knowing this, I used the internal get command to download the file from the SMB server and then I closed the connection. Finally, I checked the content of the file, retrieving from it the root flag


With this, I got the root flag and pwned the machine

Answer: 5f61c10dffbc77a704d76016a22f1664