TryHackMe Network Services Walkthrough SMB Part 1/3

Table of Contents

Task 1 Get Connected

Questions

  • Ready? Let’s get going! – No answer needed, carry on.

Free Checklist: Hacker's Learning Path

Offline checklist to track your learning path, become a great hacker and stay on task.

Task 2 Understanding SMB

  • What does SMB stand for? – Server Message Block
  • What type of protocol is SMB? – response-request
  • What do clients connect to servers using? – TCP/IP
  • What systems does Samba run on? – Unix

Task 3 Enumerating SMB

Run nmap scan.

https://i0.wp.com/p146.p4.n0.cdn.getcloudapp.com/items/4guKxEr8/495d025a-7b15-4222-a6e3-262081ec8fde.jpeg?w=800&ssl=1

Run enum4linux scan.

https://i0.wp.com/p146.p4.n0.cdn.getcloudapp.com/items/04uEgZ65/94fdb523-85de-4da8-9826-ee0c0ea16a59.jpeg?w=800&ssl=1

Questions:

  • Conduct an nmap scan of your choosing, How many ports are open? – 3
  • What ports is SMB running on? – 139/445
  • Let’s get started with Enum4Linux, conduct a full basic enumeration. For starters, what is the workgroup name? – WORKGROUP
  • What comes up as the name of the machine? – POLOSMB
  • What operating system version is running? – 6.1
  • What share sticks out as something we might want to investigate? – profiles

Task 4 Exploiting SMB

Connect using smbclient:

https://i0.wp.com/p146.p4.n0.cdn.getcloudapp.com/items/nOuRmOLm/20eec8de-89e3-46f2-80dc-3b6d27a502dd.jpeg?w=800&ssl=1

Use the more command, don’t forget the quotations!

https://i0.wp.com/p146.p4.n0.cdn.getcloudapp.com/items/lluE4lXW/070fe98c-60c8-4ad7-8bef-7a67e5216491.jpeg?w=800&ssl=1

Use get to copy the id_rsa file from the server to your machine:

https://i0.wp.com/p146.p4.n0.cdn.getcloudapp.com/items/4guKxERj/9a8b619c-e617-48f4-a2c5-8036f4685d7e.jpeg?w=800&ssl=1

Questions:

  • What would be the correct syntax to access an SMB share called “secret” as user “suit” on a machine with the IP 10.10.10.2 on the default port? – smbclient //10.10.10.2/secret -U suit -p 445
  • Great! Now you’ve got a hang of the syntax, let’s have a go at trying to exploit this vulnerability. You have a list of users, the name of the share (smb) and a suspected vulnerability. – No answer needed.
  • Does the share allow anonymous access? Y/N? – Y
  • Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to? – John Cactus
  • What service has been configured to allow him to work from home? – ssh
  • Okay! Now we know this, what directory on the share should we look in? – .ssh
  • This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us? – id_rsa
  • What is the smb.txt flag? – THM{***********}

This is Day 40 of #100DaysOfHacking, subscribe to my newsletter to see the CyberSec journey! If you like, follow the Learning Path for yourself, happy hacking.

About The Author
Ashley Ball

Ashley Ball

“Learn, create, share, repeat.” • IT teacher, former web designer, learning CyberSec • Road to #100DaysOfHacking on Hackers Learning Path.
Share This Article
Share on linkedin
LinkedIn
Share on twitter
Twitter
Share on facebook
Facebook
Share on whatsapp
WhatsApp
Share on email
Email

Monthly Newsletter

Learn about cyber security, hacking guides & python programming.

Leave A Comment

Leave a Reply

Your email address will not be published.

More Content

Monthly Newsletter

Learn about cyber security, hacking guides & python programming.

This site uses cookies and other tracking technologies to assist with navigation, monitor site usage and web traffic, assist with our promotional and marketing efforts, and customize and improve our services, as set out in our privacy policy