Dancing

Enumeration

As usual let's start with nmap:

nmap -sV IP

Replace IP by the IP of the target machine (Dancing)

Let's list the shares available on the server using:

smbclient -L 10.129.1.12

-L is used to list all the shares available

We do not know the password. Let's try our luck and just press enter

We can see 4 shares available!

Foothold

Let's try to connect to the first share called ADMIN$ using:

smbclient \\\\10.129.1.12\\ADMIN$S

Since we don't know the password, when prompted for a password, let's try our luck and just press enter

Ok it didn't work, access is Denied

Let's move on to the share C$

smbclient \\\\10.129.1.12\\C$

Access is denied.

Let's move on to the share Workshares

smbclient \\\\10.129.1.12\\WorkShares

When prompted for the password, just press enter

We got in! Looks like this was misconfigured, allowing us to login without credentials!

Let's list the files in the current directory using:

ls

There are 2 folders. One called Amy.J and one called James.P

Let's first check the folder Amy.J using the change directory command cd:

cd Amy.J

ls

There is a file called worknotes.txt

Let's download this file onto our VM using the get command:

get worknotes.txt

Now go to your home directory on your VM and the file worknotes.txt should be there

Open the file worknotes.txt

Ok that's not super helpful. Let's keep looking.

Let's get out of Amy.J directory by typing:

cd ..

Now list the files in this directory again using:

ls

Now let's check James.P directory:

cd James.P

ls

That's more interesting! There is a file called flag.txt

Let's download this file onto our VM using the get command:

get flag.txt

Now open your home directory on your VM and the file flag.txt should be there:

Open flag.txt

Congratulations! You got the flag!