Tactics (Tier 1)

Description

  • Tier -> 1

  • Difficulty -> Very Easy

  • OS -> Windows

  • Tags -> Protocols / SMB / Reconnaissance / Misconfiguration

Write-up

  • With a little research, I started answering the first questions

Answer: -Pn


Answer: Server Message Block


Answer: 445


Answer: -L


Answer: $


  • Then I did an initial scan using Nmap

nmap 10.129.52.162 -p- -Pn --min-rate 2500 -oN scan.txt

  • I also did an exhaustive scan to get more information about the services running on the open ports

nmap 10.129.52.162 -p135,139,445 -sVC -oN serv_scan.txt

  • I found the SMB protocol running on port 445, so I tried to interact with it. For that, I used the smbclient utility, specifying that I just wanted to list the contents, and tried to do it as the Administrator user, as I knew that it was a Windows system. I also entered a blank password, as I didn't know any credentials, and the execution was successful

smbclient -L 10.129.52.162 -U Administrator

  • With this, I could try to access the folders on the server and check their content. I started looking into the C$ share, as it is typically the main path to the Windows filesystem, once again as the Administrator user

smbclient //10.129.52.162/C$ -U Administrator
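As an added example (not part of the original write-up): a small detection script a defender could run over Windows Security share-access events (Event ID 5140) to flag the kind of remote access to hidden administrative shares such as C$ that the step above relies on. The log lines are constructed in a flattened key=value form rather than the real event XML, and the source addresses are assumed values.

```python
import re

# Constructed sample log lines (not real events), flattened to key=value form:
# Event 5140 "A network share object was accessed" and
# Event 4624 "An account was successfully logged on".
SAMPLE_LOG = """\
EventID=5140 Account=Administrator Source=192.0.2.10 Share=\\\\*\\IPC$
EventID=5140 Account=Administrator Source=192.0.2.10 Share=\\\\*\\C$
EventID=4624 Account=jdoe LogonType=3 Source=192.0.2.15
EventID=5140 Account=jdoe Source=192.0.2.15 Share=\\\\*\\Public
EventID=5140 Account=backupsvc Source=192.0.2.20 Share=\\\\*\\ADMIN$
"""

# Hidden ($) shares: IPC$ is what share enumeration (smbclient -L) talks to,
# while C$ and ADMIN$ expose the whole system drive / Windows directory.
FILESYSTEM_ADMIN_SHARES = {"C$", "ADMIN$"}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value line into a dict; returns None for empty lines."""
    line = line.strip()
    if not line:
        return None
    return dict(KV_RE.findall(line))


def share_name(unc):
    # UNC path like \\*\C$ -> C$ (take the text after the last backslash)
    return unc.rsplit("\\", 1)[-1]


def find_admin_share_access(log, allowed_sources=frozenset()):
    """Return (account, source, share, severity) for every access to a hidden
    share from a source that is not on the allow list (e.g. backup servers)."""
    findings = []
    for line in log.splitlines():
        ev = parse_event(line)
        if not ev or ev.get("EventID") != "5140":
            continue
        name = share_name(ev["Share"])
        if not name.endswith("$") or ev["Source"] in allowed_sources:
            continue
        # Filesystem admin shares are high severity; IPC$ alone is enumeration.
        severity = "high" if name in FILESYSTEM_ADMIN_SHARES else "low"
        findings.append((ev["Account"], ev["Source"], name, severity))
    return findings
```

A real deployment would parse the 5140 event XML fields (SubjectUserName, IpAddress, ShareName) instead of the flattened form, but the allow-list and severity logic stays the same.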

  • With this, I answered the next questions

Answer: C$


Answer: get


Answer: psexec.py


  • Once inside, I listed the contents of the folder, and as expected, I saw the folders related to the Windows filesystem, so knowing this, I went to the Users folder and listed all of its content too


  • There was a folder for the Administrator user, so I tried accessing it and then going to the Desktop to check. I listed the contents and found a flag.txt file, so I downloaded it from the server and then closed the connection


  • Finally, I checked the content of the file and found the flag


  • With this, I got the root flag and pwned the machine

Answer: f751c19eda8f61ce81827e6930a1f40c
