Dancing


(A video of the walkthrough can be found at the end of the article)

Difficulty – Very Easy

Actions:

1. I started with an NMAP scan: nmap 10.129.116.32

The NMAP response below showed that SMB port 445 was open:

Results from the NMAP scan:

[Screenshot: nmap scan output]

2. We can see that SMB is open on the server, so I will try to list the SMB shares using smbclient with a null (anonymous) session, where -N suppresses the password prompt and -L lists the shares: smbclient -N -L \\\\10.129.116.32


Exploitation

(connecting to SMB as anonymous user)

3. I connected to the WorkShares share anonymously: smbclient \\\\10.129.116.32\\WorkShares In this case, at the password prompt I just hit enter to connect.


4. I was able to open both directories (Amy.J and James.P) and list their contents. In Amy.J we found a text document named worknotes.txt and downloaded it with get worknotes.txt. In the James.P directory we found the flag.txt file and downloaded it with get flag.txt.


5. I exited smbclient and then ran cat on flag.txt to read the flag.
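As an added example that is not part of the original write-up, here is a small Python parser for the share table that smbclient -L prints in step 2. It counts the shares a null session can see and separates the standard Windows admin shares from custom ones like WorkShares, which is the kind of check a defender would run when auditing hosts for anonymous SMB exposure. The sample output below is constructed, not captured from the box.

```python
import re
from typing import Dict, List

# Constructed sample of `smbclient -N -L //10.129.116.32` output (not captured
# from the box). ADMIN$, C$ and IPC$ are Windows defaults; WorkShares is the
# share named in the write-up.
SAMPLE_OUTPUT = """\

\tSharename       Type      Comment
\t---------       ----      -------
\tADMIN$          Disk      Remote Admin
\tC$              Disk      Default share
\tIPC$            IPC       Remote IPC
\tWorkShares      Disk      
SMB1 disabled -- no workgroup available
"""

# Default administrative shares Windows creates on its own.
DEFAULT_SHARES = {"ADMIN$", "C$", "IPC$", "PRINT$"}

# One table row: name, type (Disk / IPC / Printer), optional comment.
ROW_RE = re.compile(r"^\s*(\S+)\s+(Disk|IPC|Printer)\s*(.*)$")


def parse_share_list(output: str) -> List[Dict[str, str]]:
    """Return one dict per share row in smbclient -L output."""
    shares: List[Dict[str, str]] = []
    in_table = False
    for line in output.splitlines():
        if line.strip().startswith("Sharename"):
            in_table = True          # header row found, rows follow
            continue
        if not in_table or line.strip().startswith("---"):
            continue                 # skip preamble and the dashed underline
        m = ROW_RE.match(line)
        if not m:
            break                    # blank line or trailer ends the table
        shares.append({"name": m.group(1), "type": m.group(2),
                       "comment": m.group(3).strip()})
    return shares


def non_default_shares(shares: List[Dict[str, str]]) -> List[str]:
    """Names of shares that are not Windows defaults (e.g. WorkShares)."""
    return [s["name"] for s in shares
            if s["name"].upper() not in DEFAULT_SHARES]


if __name__ == "__main__":
    found = parse_share_list(SAMPLE_OUTPUT)
    print(f"{len(found)} shares visible anonymously; "
          f"non-default: {non_default_shares(found)}")
```

Any share listed here was returned without credentials, so the finding is the anonymous listing itself; the non-default names are where to look first when reviewing share permissions.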

Tasks

1. What does the 3-letter acronym SMB stand for? Server Message Block

2. What port does SMB use to operate at? 445

3. What is the service name for port 445 that came up in our Nmap scan? microsoft-ds

4. What is the 'flag' or 'switch' that we can use with the smbclient utility to 'list' the available shares on Dancing? -L

5. How many shares are there on Dancing? 4

6. What is the name of the share we are able to access in the end with a blank password? WorkShares

7. What is the command we can use within the SMB shell to download the files we find? get

Video