Introduction
This box is a basic introduction to SMBs (Server Message Block). In order to obtain the flag, we simply need to find an available share that we can connect to without a password. From there, we can download the file containing the flag. We use a few basic commands such as: nmap, ping, smbclient, ls, cat, cd, and get.
Enumeration
To start off, we are going to ping (ICMP Echo request) the target to check whether it is alive or not:
Since we are getting a response back, the target is indeed alive.
Next, we are going to enumerate the ports on the target machine to see what services are available. We can achieve this using nmap (network mapper). I will also be using the -sV flag to check the services' respective version information:
We can see that on port 445 there is a service named microsoft-ds. Upon a quick Google search, we can see that this is an SMB (Server Message Block).
SMB (Server Message Block)
We can attempt to access this smb server using the smbclient command. Before we try and establish a connection to a share on the smb server, we are going to list what available shares exist. We can accomplish this by using the smbclient command with the -L flag to list available shares:
We can see four listed shares. We can try to access a share using the smbclient command with format: smbclient //targetIP/sharename.
Upon trying to access each share, we see that the only share accessible without entering a password is the WorkShares share:
Using the ls command, we can list directories and files while connected to the smb:
Upon changing directories using cd, we can spot the flag.txt* file located in the directory named James.P.
In order to download the file to our computer, we can use the get command:
After downloading the file successfully to our computer, we can simply cat the file to see the contents of flag.txt!
We have captured the flag!
Various Questions:
What does the 3-letter acronym SMB stand for?
Server Message Block
What port does SMB use to operate at?
445
What is the service name for port 445 that came up in our Nmap scan?
microsoft-ds
What is the 'flag' or 'switch' that we can use with the smbclient utility to 'list' the available shares on Dancing?
-L
How many shares are there on Dancing?
4
What is the name of the share we are able to access in the end with a blank password?
WorkShares
What is the command we can use within the SMB shell to download the files we find?
get
Submit root flag
Try it yourself :)
Top comments (0)