Dancing
Tags: #protocols #SMB #reconnaissance #anonymous_access
Level: Starting Point
Date: 2025-05-27
VM IP: 10.129.135.111
Task 1
What does the 3-letter acronym SMB stand for?
Server Message Block (SMB)
Task 2
What port does SMB use to operate at?
445
Task 3
What is the service name for port 445 that came up in our Nmap scan?
microsoft-ds
Open a terminal and scan the target.
Use nmap to scan the ports on the target IP:
┌──(macc㉿kaliLab)-[~]
└─$ sudo nmap -sV 10.129.135.111
[sudo] password for macc:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-27 21:05 MDT
Nmap scan report for 10.129.135.111
Host is up (0.83s latency).
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 143.76 seconds
-sV: -s selects the scan type, V enables version detection
Note that port 445 is open with the service microsoft-ds.
Task 4
What is the 'flag' or 'switch' that we can use with the smbclient utility to 'list' the available shares on Dancing?
-L
Start typing the smbclient command in your terminal, then type - and press Tab; the shell's completion should show the list of available flags with a brief explanation beside each.
Output:
Completing option
--authentication-file -A -- specify file containing username/password
--browse -B -- browse SMB servers using DNS
--command -c -- specify commands
--configfile -s -- specify alternate smb.conf file
--debuglevel -d -- set debug level
--debuglevel -d -- specify debug level
--directory -D -- specify initial directory
--encrypt -e -- encrypt SMB transport
--grepable -g -- produce grepable output
--help -? -- display usage information
--ip-address -I -- specify IP address of server
--kerberos -k -- use kerberos (active directory) authentication
--list -L -- list services on server
--log-basename -l -- specify base name for log files
--machine-pass -P -- use stored machine account password
--max-protocol -m -- set the max protocol level
--message -M -- send message
--name-resolve -R -- specify name resolution order
--netbiosname -n -- specify local NetBIOS name
--no-pass -N -- suppress password prompt
--option -- set smb.conf option from command line
--port -p -- specify tcp port
--pw-nt-hash -- the supplied password is the NT hash
--quiet -q -- suppress help message
--scope -i -- specify NetBIOS scope
--send-buffer -b -- change transmit/send buffer
--signing -S -- set the client signing state
--socket-options -O -- specify socket options
--stderr -E -- output messages to stderr
--tar -T -- specify tar options
--timeout -t -- change the per-operation timeout
--usage -- display brief usage information
--use-ccache -C -- use the winbind ccache for authentication
--user -U -- specify username
--version -V -- display version information
--workgroup -W -- specify workgroup
flag: -L
Task 5
How many shares are there on Dancing?
┌──(macc㉿kaliLab)-[~]
└─$ smbclient -L 10.129.153.89
Password for [WORKGROUP\macc]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
WorkShares Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.153.89 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
flag: 4
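An added example (not from the lab or from the Samba project): a small Python parser for the smbclient -L output above that counts the shares and separates Windows' default administrative shares from custom ones such as WorkShares, which is the kind of share worth reviewing for blank-password access. The sample listing is constructed from the output above, and the set of default share names is an assumption of this example.

```python
import re

# Constructed sample: the `smbclient -L` output captured above, embedded so
# the parser runs offline (example code, not part of the lab or of Samba).
SAMPLE_LISTING = """\
Password for [WORKGROUP\\macc]:

\tSharename       Type      Comment
\t---------       ----      -------
\tADMIN$          Disk      Remote Admin
\tC$              Disk      Default share
\tIPC$            IPC       Remote IPC
\tWorkShares      Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.153.89 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
"""

# Shares Windows creates by default (assumed list); anything else is a
# custom share whose permissions deserve a review.
DEFAULT_SHARES = {"ADMIN$", "C$", "IPC$", "PRINT$"}

# One table row: share name, share type, optional comment.
SHARE_RE = re.compile(r"^\s*(\S+)\s+(Disk|IPC|Printer)\b\s*(.*)$")


def parse_shares(text):
    """Return [(name, type, comment), ...] parsed from `smbclient -L` output."""
    shares, in_table = [], False
    for line in text.splitlines():
        if line.strip().startswith("---------"):
            in_table = True      # the dashed rule follows the header row
            continue
        if not in_table:
            continue
        m = SHARE_RE.match(line)
        if not m:
            break                # table ended (blank line or SMB1 retry notice)
        name, kind, comment = m.groups()
        shares.append((name, kind, comment.strip()))
    return shares


def nondefault_shares(text):
    """Names of shares that are not Windows default administrative shares."""
    return [s[0] for s in parse_shares(text) if s[0].upper() not in DEFAULT_SHARES]


if __name__ == "__main__":
    print(len(parse_shares(SAMPLE_LISTING)), "shares;", "custom:", nondefault_shares(SAMPLE_LISTING))
```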
Task 6
What is the name of the share we are able to access in the end with a blank password?
Connecting to a Specific Share
- Connect interactively to a share, prompting for password:
smbclient //<hostname_or_IP>/<share_name> -U <username>
Example:
smbclient //10.129.153.89/WorkShares -U macc
Password for [WORKGROUP\macc]:
Try "help" to get a list of possible commands.
smb: \>
flag: WorkShares
Task 7
What is the command we can use within the SMB shell to download the files we find?
smb: \> get Amy.J
NT_STATUS_FILE_IS_A_DIRECTORY opening remote file \Amy.J
smb: \>
flag: get
Task 8
Submit root flag
List directories while in the smb share:
smb: \> ls
. D 0 Mon Mar 29 02:22:01 2021
.. D 0 Mon Mar 29 02:22:01 2021
Amy.J D 0 Mon Mar 29 03:08:24 2021
James.P D 0 Thu Jun 3 02:38:03 2021
5114111 blocks of size 4096. 1733842 blocks available
cd into the 'James.P' directory and list the files:
smb: \James.P\> ls
. D 0 Thu Jun 3 02:38:03 2021
.. D 0 Thu Jun 3 02:38:03 2021
flag.txt A 32 Mon Mar 29 03:26:57 2021
5114111 blocks of size 4096. 1733681 blocks available
Take a look at the contents of the file using the more command:
smb: \James.P\> more flag.txt
291dbgfdb731bdsbad90141-2ydbas0-13
flag: 291dbgfdb731bdsbad90141-2ydbas0-13