Enumeration
As usual let's start with nmap:
nmap -sV IP
Replace IP with the IP of the target machine (Dancing).
Note: The IP of the target machine changes every time it is spawned, so make sure you replace IP in the commands below with the current target IP. You can find the target's IP directly from your Hack The Box account.
SMB (Server Message Block) is used to provide shared access to files between endpoints on a network. Port 445 is usually associated with SMB. An SMB-exported folder on a network is called a share. A share can be accessed by anyone who has the address of the server and credentials that are valid for it.
Let's list the shares available on the server using:
smbclient -L 10.129.1.12
-L is used to list all the shares available on the server.
SMB authentication always requires a username. If you don't specify one, smbclient uses your VM username by default.
We do not know the password. Let's try our luck and just press Enter.
We can see 4 shares available!
Foothold
Let's try to connect to the first share called ADMIN$ using:
smbclient \\\\10.129.1.12\\ADMIN$
Since we don't know the password, let's try our luck and just press Enter when prompted.
It didn't work: access is denied.
Let's move on to the share C$
smbclient \\\\10.129.1.12\\C$
Access is denied.
Let's move on to the share Workshares
smbclient \\\\10.129.1.12\\WorkShares
When prompted for the password, just press Enter.
We got in! The share is misconfigured, allowing us to log in without credentials!
Let's list the files in the current directory using:
ls
There are 2 folders. One called Amy.J and one called James.P
Let's first check the folder Amy.J using the change directory command cd:
cd Amy.J
ls
There is a file called worknotes.txt
Let's download this file onto our VM using the get command:
get worknotes.txt
Now go to your home directory on your VM; the file worknotes.txt should be there.
Open the file worknotes.txt.
That's not very helpful. Let's keep looking.
Let's get out of the Amy.J directory by typing:
cd ..
Now list the files in this directory again using:
ls
Now let's check the James.P directory:
cd James.P
ls
That's more interesting! There is a file called flag.txt
Let's download this file onto our VM using the get command:
get flag.txt
Now open your home directory on your VM; the file flag.txt should be there.
Open flag.txt.
Congratulations! You got the flag!