Dancing (Tier 0)
Description
Tier -> 0
Difficulty -> Very Easy
OS -> Windows
Tags -> Protocols / SMB / Reconnaissance / Anonymous-Guest Access
Write-up
With a little research, I started answering the first questions

Answer: Server Message Block

Answer: 445
Then I did an initial port scan using Nmap

With this and a little research, I answered the next questions

Answer: microsoft-ds

Answer: -L
After this, I did an exhaustive scan to get information on the services running on the open ports


I focused on port 445, which by default is used for the SMB protocol. I tried connecting using the smbclient tool to access the service and list the contents being shared. When asked for a password, I left it blank, and fortunately, I got the list of shares from the target machine

To learn more about the SMB protocol, you can go here
With this, I answered the next question

Answer: 4
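The share listing above is the kind of output `smbclient -L` prints when a server accepts a null session (blank password, or the `-N` flag). As an added example that is not part of the original write-up, the following Python parses a constructed sample of that listing and separates the Windows default shares (ADMIN$, C$, IPC$) from any other share that is visible without credentials, which is the check a defender would run to find accidentally exposed shares. The sample text, its host address and the `WorkShares` row are constructed for this example, not captured from the page's target.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `smbclient -L <host> -N` output (assumption: this is the
# usual layout of the share table; the host and the WorkShares row are made up).
SAMPLE_LISTING = """\

\tSharename       Type      Comment
\t---------       ----      -------
\tADMIN$          Disk      Remote Admin
\tC$              Disk      Default share
\tIPC$            IPC       Remote IPC
\tWorkShares      Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.0.0.1 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
"""

# Shares Windows creates by itself; seeing them in a listing is expected.
DEFAULT_ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}


@dataclass(frozen=True)
class Share:
    name: str
    kind: str      # "Disk", "IPC", "Printer", ...
    comment: str


def parse_share_listing(text: str) -> list[Share]:
    """Extract the share table from smbclient -L output.

    The table starts at the 'Sharename' header, has a dashed separator row,
    and ends at the first blank or non-indented line. Anything else (errors,
    workgroup chatter) is ignored, so a failed listing yields an empty list.
    """
    shares: list[Share] = []
    in_table = False
    for line in text.splitlines():
        stripped = line.strip()
        if not in_table:
            if stripped.startswith("Sharename"):
                in_table = True
            continue
        if not stripped or not line[:1].isspace():
            break                      # end of the indented table
        if stripped.startswith("---"):
            continue                   # separator row under the header
        # Columns are separated by runs of two or more spaces; the comment
        # column may be empty, so split at most twice and pad the rest.
        parts = re.split(r"\s{2,}", stripped, maxsplit=2)
        name = parts[0]
        kind = parts[1] if len(parts) > 1 else ""
        comment = parts[2] if len(parts) > 2 else ""
        shares.append(Share(name, kind, comment))
    return shares


def anonymously_exposed(shares: list[Share]) -> list[Share]:
    """Shares visible in a null-session listing that are not Windows defaults."""
    return [s for s in shares if s.name not in DEFAULT_ADMIN_SHARES]


def audit_report(text: str) -> str:
    """One-line summary suitable for a scan log."""
    shares = parse_share_listing(text)
    exposed = anonymously_exposed(shares)
    if not shares:
        return "no share table parsed (listing refused or empty)"
    names = ", ".join(s.name for s in exposed) or "none"
    return f"{len(shares)} shares listed anonymously; non-default: {names}"


if __name__ == "__main__":
    print(audit_report(SAMPLE_LISTING))
```

Run it against real output by piping `smbclient -L <host> -N` into a file and passing the file contents to `audit_report`; any name it reports under "non-default" is a share that unauthenticated clients can at least enumerate, and should be checked for whether guest access to its contents is intended.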
After this, I tried accessing the shared folders, and when doing it with the one named WorkShares, I gained access without being asked for a password

With this and a little research, I answered the next questions

Answer: WorkShares

Answer: get
Then I listed the content of the shared folder, where I found some folders that seemed to belong to users of the target system. So I explored them, and when reaching the James.P directory, I listed its content and found a flag.txt file


Knowing this, I used the internal get command to download the file from the SMB server, and then I closed the connection. Finally, I checked the content of the file, retrieving from it the root flag


With this, I got the root flag and pwned the machine

Answer: 5f61c10dffbc77a704d76016a22f1664
