TryHackMe Network Services Walkthrough SMB Part 1/3

Task 1 Get Connected

Questions

  • Ready? Let’s get going! – No answer needed, carry on.

Task 2 Understanding SMB

  • What does SMB stand for? – Server Message Block
  • What type of protocol is SMB? – response-request
  • What do clients connect to servers using? – TCP/IP
  • What systems does Samba run on? – Unix

Task 3 Enumerating SMB

Run an nmap scan.

https://p146.p4.n0.cdn.getcloudapp.com/items/4guKxEr8/495d025a-7b15-4222-a6e3-262081ec8fde.jpeg?v=bb76d881e7362c340426d2e881165c95

Run an enum4linux scan.

https://p146.p4.n0.cdn.getcloudapp.com/items/04uEgZ65/94fdb523-85de-4da8-9826-ee0c0ea16a59.jpeg?v=4b3296ecd8899cd8c492ce3c7b780b86

Questions:

  • Conduct an nmap scan of your choosing. How many ports are open? – 3
  • What ports is SMB running on? – 139/445
  • Let’s get started with Enum4Linux, conduct a full basic enumeration. For starters, what is the workgroup name? – WORKGROUP
  • What comes up as the name of the machine? – POLOSMB
  • What operating system version is running? – 6.1
  • What share sticks out as something we might want to investigate? – profiles

Task 4 Exploiting SMB

Connect using smbclient:

https://p146.p4.n0.cdn.getcloudapp.com/items/nOuRmOLm/20eec8de-89e3-46f2-80dc-3b6d27a502dd.jpeg?v=c5caa032c750d46dee0f6cfce1bf3eef

Use the more command to read the file, and don’t forget the quotation marks around the filename!

https://p146.p4.n0.cdn.getcloudapp.com/items/lluE4lXW/070fe98c-60c8-4ad7-8bef-7a67e5216491.jpeg?v=9f8f1ed689e003f3350774456a5015a0

Use get to copy the id_rsa file from the server to your machine:

https://p146.p4.n0.cdn.getcloudapp.com/items/4guKxERj/9a8b619c-e617-48f4-a2c5-8036f4685d7e.jpeg?v=852578264d21f58d80460ee97014e6ed

Questions:

  • What would be the correct syntax to access an SMB share called “secret” as user “suit” on a machine with the IP 10.10.10.2 on the default port? – smbclient //10.10.10.2/secret -U suit -p 445
  • Great! Now you’ve got a hang of the syntax, let’s have a go at trying to exploit this vulnerability. You have a list of users, the name of the share (smb) and a suspected vulnerability. – No answer needed.
  • Does the share allow anonymous access? Y/N? – Y
  • Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to? – John Cactus
  • What service has been configured to allow him to work from home? – ssh
  • Okay! Now we know this, what directory on the share should we look in? – .ssh
  • This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us? – id_rsa
  • What is the smb.txt flag? – THM{***********}
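
From the defender's side, the finding in this task is a share that allows anonymous access and exposes an SSH private key. The following is an added example, not part of the original walkthrough or the TryHackMe room: a small audit that reads a Samba configuration, lists guest-accessible shares, and flags private-key files under each share path. The share name `profiles` and workgroup `WORKGROUP` come from the room; the `private` share, the temporary path, and the placeholder key file are constructed for the demo.

```python
import configparser
import os
import tempfile

TRUTHY = {"yes", "true", "1"}
# PEM headers that mark an SSH private key such as id_rsa
KEY_MARKERS = (b"-----BEGIN OPENSSH PRIVATE KEY-----", b"-----BEGIN RSA PRIVATE KEY-----")

def guest_shares(conf_text):
    """Return {share: path} for smb.conf shares that allow guest (anonymous) access."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=("#", ";"))
    # smb.conf indents options; strip so configparser does not read them as continuations
    cp.read_string("\n".join(line.strip() for line in conf_text.splitlines()))
    shares = {}
    for name in cp.sections():
        if name.lower() == "global":
            continue
        sec = cp[name]
        flag = sec.get("guest ok", sec.get("public", "no"))  # "public" is a synonym
        if flag.strip().lower() in TRUTHY:
            shares[name] = sec.get("path", "").strip()
    return shares

def exposed_private_keys(share_path):
    """Return relative paths of files under share_path that begin with a private-key header."""
    hits = []
    for root, _dirs, files in os.walk(share_path):
        for fn in files:
            full = os.path.join(root, fn)
            try:
                with open(full, "rb") as fh:
                    head = fh.read(64)
            except OSError:
                continue  # unreadable file: skip it
            if head.startswith(KEY_MARKERS):
                hits.append(os.path.relpath(full, share_path))
    return sorted(hits)

def audit(conf_text):
    """Map each guest-accessible share to the private keys found under its path."""
    return {s: exposed_private_keys(p) for s, p in guest_shares(conf_text).items() if p}

def demo():
    """Constructed sample: a temp dir standing in for the share, plus a constructed smb.conf."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, ".ssh"))
        with open(os.path.join(tmp, ".ssh", "id_rsa"), "wb") as fh:
            fh.write(KEY_MARKERS[1] + b"\nconstructed placeholder, not a real key\n")
        conf = (f"[global]\n  workgroup = WORKGROUP\n[profiles]\n  path = {tmp}\n"
                f"  guest ok = yes\n[private]\n  path = {tmp}\n  guest ok = no\n")
        return audit(conf)
```

On a real server, pass the contents of the Samba configuration file to `audit()`; any non-empty list means a key that should be removed from the share and rotated.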

This is Day 40 of #100DaysOfHacking; subscribe to my newsletter to see the CyberSec journey! If you like, follow the Learning Path for yourself. Happy hacking!

About The Author
Mr Ash

“Learn, create, share, repeat.” • IT teacher, former web designer, learning CyberSec • Road to #100DaysOfHacking on Hackers Learning Path.