Tactics (Tier 1)
Description
Tier -> 1
Difficulty -> Very Easy
OS -> Windows
Tags -> Protocols / SMB / Reconnaissance / Misconfiguration
Write-up
With a little research, I started answering the first questions.

Answer: -Pn

Answer: Server Message Block

Answer: 445

Answer: -L

Answer: $
Then I did an initial scan of all TCP ports using Nmap:
nmap 10.129.52.162 -p- -Pn --min-rate 2500 -oN scan.txt

I also did a more exhaustive scan (service versions and default scripts) to get more information about the services running on the open ports:
nmap 10.129.52.162 -p135,139,445 -sVC -oN serv_scan.txt

I found the SMB protocol running on port 445, so I tried to interact with it. For that, I used the smbclient utility, specifying that I just wanted to list the shares (-L) and trying to do it as the Administrator user, since I knew it was a Windows system. When prompted for a password I entered a blank one, as I didn't know any credentials, and the listing was successful:
smbclient -L 10.129.52.162 -U Administrator

To learn more about the SMB protocol, you can go here.
With this, I could try to access the shares on the server and check their content. I started with the C$ share, as it is typically the root of the Windows system drive, connecting once again as the Administrator user:
smbclient //10.129.52.162/C$ -U Administrator
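From the defender's side, the access shown above leaves a clear trace: a network logon (Security event 4624, logon type 3) for the built-in Administrator account, followed by a share-access event (5140) for the `C$` administrative share from the same remote address. The following is an added example, not part of the original write-up, that correlates those two event types over a few constructed log lines rendered as `key=value` pairs; the event IDs and field names (`LogonType`, `TargetUserName`, `SubjectUserName`, `ShareName`, `IpAddress`) are the real Windows Security fields, while the addresses and usernames in the sample are made up.

```python
"""Flag remote access to Windows administrative shares from Security events.

Added example (not from the original write-up). Event IDs 4624 (logon) and
5140 (network share accessed) are real Windows Security event IDs; the
sample records below are constructed for this demonstration.
"""
from typing import Dict, List, Set, Tuple

# Administrative shares whose remote access deserves a look. IPC$ is left out
# because ordinary enumeration touches it constantly and it would be noisy.
ADMIN_SHARES = {"C$", "ADMIN$"}
LOCAL_ADDRESSES = {"127.0.0.1", "::1", "-"}

# Constructed sample: one flattened event per line, fields as key=value.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=3 TargetUserName=Administrator IpAddress=10.129.52.1 AuthenticationPackageName=NTLM",
    "EventID=5140 SubjectUserName=Administrator ShareName=\\\\*\\C$ IpAddress=10.129.52.1",
    "EventID=4624 LogonType=2 TargetUserName=alice IpAddress=127.0.0.1 AuthenticationPackageName=Negotiate",
    "EventID=5140 SubjectUserName=bob ShareName=\\\\*\\Projects IpAddress=10.129.52.7",
    "EventID=4624 LogonType=3 TargetUserName=svc_backup IpAddress=10.129.52.9 AuthenticationPackageName=NTLM",
    "EventID=5140 SubjectUserName=svc_backup ShareName=\\\\*\\ADMIN$ IpAddress=10.129.52.9",
]


def parse_event(line: str) -> Dict[str, str]:
    """Turn 'Key=Value Key2=Value2' into a dict (values carry no spaces here)."""
    return dict(token.split("=", 1) for token in line.split())


def share_basename(share: str) -> str:
    """Reduce a UNC share name such as \\\\*\\C$ to its last component, C$."""
    return share.rstrip("\\").rsplit("\\", 1)[-1]


def find_admin_share_access(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per remote access to an administrative share.

    Severity is 'critical' when the built-in Administrator account was used
    over the network (the situation the write-up relies on), else 'warning'.
    'corroborated' records whether a type-3 logon for the same user from the
    same source address was seen before the share access.
    """
    network_logons: Set[Tuple[str, str]] = set()
    findings: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_event(line)
        ip = ev.get("IpAddress", "-")
        if ip in LOCAL_ADDRESSES:
            continue  # console/loopback activity is out of scope here
        if ev.get("EventID") == "4624" and ev.get("LogonType") == "3":
            network_logons.add((ip, ev.get("TargetUserName", "").lower()))
        elif ev.get("EventID") == "5140":
            user = ev.get("SubjectUserName", "")
            share = share_basename(ev.get("ShareName", ""))
            if share not in ADMIN_SHARES:
                continue
            findings.append({
                "severity": "critical" if user.lower() == "administrator" else "warning",
                "ip": ip,
                "user": user,
                "share": share,
                "corroborated": (ip, user.lower()) in network_logons,
            })
    return findings


if __name__ == "__main__":
    for f in find_admin_share_access(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['user']} from {f['ip']} opened {f['share']} "
              f"(network logon seen: {f['corroborated']})")
```

On the sample data this reports the `C$` access by Administrator from 10.129.52.1 as critical and the `ADMIN$` access by the backup account as a warning, while the local logon and the ordinary `Projects` share are ignored. In a real deployment the mitigation that makes such events disappear is the one the write-up's misconfiguration lacks: a strong password on built-in administrator accounts and the default policy that restricts blank-password accounts to console logon.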

With this, I answered the next questions.

Answer: C$

Answer: get

Answer: psexec.py
Once inside, I listed the contents of the share and, as expected, saw the usual folders of the Windows filesystem. Knowing this, I went to the Users folder and listed all of its content too.

There was a folder for the Administrator user, so I entered it and then went to the Desktop folder to check it. I listed the contents and found a flag.txt file, so I downloaded it from the server with get and then closed the connection.

Finally, I checked the content of the file and found the flag.

With this, I got the root flag and pwned the machine.

Answer: f751c19eda8f61ce81827e6930a1f40c