Hackthebox Machine Dancing: Detailed Walkthrough

Target: Dancing

Difficulty: very easy

Kali Linux is used as the penetration-testing platform. The first step on Kali Linux is to bring up the VPN connection to the Hackthebox site with openvpn:

# openvpn starting_point_XXXXX.ovpn

Then spawn (SPAWN) the Dancing instance on the Hackthebox site to obtain the target's IP address, as shown in the figure below:

Next come the questions on the Hackthebox site. Most of them involve no scanning or exploitation at all; they test fairly basic knowledge:

Task 1: What does the 3-letter acronym SMB stand for?

Answer: Server Message Block

Task 2:What port does SMB use to operate at?

Approach: scan the target with nmap and the port number comes straight out of the results.

Answer: 445

Task 3: What network communication model does SMB use, architecturally speaking?

Answer: client-server model

Task 4: What is the service name for port 445 that came up in our nmap scan?

Approach: scanning the target with nmap -sV (service/version detection) gives the answer.

# nmap -sV 10.129.1.12
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-31 03:07 EDT
Nmap scan report for 10.129.204.213
Host is up (0.21s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE       VERSION
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.83 seconds

Answer: microsoft-ds

Task 5: What is the tool we use to connect to SMB shares from our Linux distribution?

Answer: smbclient (between Windows systems a share is reached through Network Neighborhood or a UNC path; on Linux, the smbclient command provides the equivalent function for accessing a Windows shared directory.)

Task 6: What is the `flag` or `switch` we can use with the SMB tool to `list` the contents of the share?

Answer: -L

Task 7: What is the name of the share we are able to access in the end?

Approach:

# smbclient -L 10.129.1.12
Enter WORKGROUP\root's password:  (empty password)

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        WorkShares      Disk

Answer: WorkShares
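The share listing above is also what a defender checks when auditing a host for null-session exposure: the interesting finding is not ADMIN$, C$ or IPC$ (Windows creates those by default and still lists them) but a custom share such as WorkShares that an anonymous session with an empty password can see at all. The following is an added example, not code from this walkthrough or from smbclient; it parses the table format that smbclient -L prints (the sample input is the listing from this post, embedded as constructed data) and flags every share that does not match the default administrative-share names. The Share dataclass, the DEFAULT_SHARE pattern and the function names are my own assumptions.

```python
"""Flag non-default SMB shares in an `smbclient -L` listing (added example)."""
import re
from dataclasses import dataclass

# Constructed sample input: the share table exactly as the walkthrough shows it.
SAMPLE_LISTING = """\
Enter WORKGROUP\\root's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        WorkShares      Disk
"""

# Assumption: the administrative shares Windows creates by default
# (ADMIN$, one-letter drive shares such as C$, IPC$, PRINT$).
DEFAULT_SHARE = re.compile(r"^(ADMIN\$|[A-Z]\$|IPC\$|PRINT\$)$", re.IGNORECASE)


@dataclass
class Share:
    name: str
    kind: str      # "Disk", "IPC", "Printer" ... as printed by smbclient
    comment: str

    @property
    def is_default(self) -> bool:
        """True for shares Windows exposes out of the box."""
        return DEFAULT_SHARE.match(self.name) is not None


def parse_share_listing(text: str) -> list[Share]:
    """Parse the 'Sharename / Type / Comment' table from smbclient -L output.

    The table starts at the 'Sharename' header and ends at the first blank
    line after it (smbclient prints workgroup/server information afterwards).
    """
    shares: list[Share] = []
    in_table = False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            if in_table:
                break
            continue
        if stripped.startswith("Sharename"):
            in_table = True
            continue
        if not in_table or stripped.startswith("---------"):
            continue
        # Columns are separated by runs of two or more spaces; the comment
        # column may be empty (as it is for WorkShares) or contain single spaces.
        parts = re.split(r"\s{2,}", stripped, maxsplit=2)
        name = parts[0]
        kind = parts[1] if len(parts) > 1 else ""
        comment = parts[2] if len(parts) > 2 else ""
        shares.append(Share(name, kind, comment))
    return shares


def anonymous_exposure(text: str) -> list[str]:
    """Names of non-default shares visible in a listing taken with an empty password."""
    return [s.name for s in parse_share_listing(text) if not s.is_default]


def report(text: str) -> str:
    """Human-readable audit summary, one line per share."""
    rows = []
    for s in parse_share_listing(text):
        tag = "default admin share" if s.is_default else "CUSTOM share: review ACLs / anonymous access"
        rows.append(f"{s.name:<12} {s.kind:<5} {tag}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(report(SAMPLE_LISTING))
    print("Custom shares exposed to the anonymous session:", anonymous_exposure(SAMPLE_LISTING))
```

On a real host you would feed the captured output of `smbclient -L <host> -N` into `anonymous_exposure`; any name it returns is a share that an unauthenticated client can enumerate, which is the condition to fix (restrict the share ACL or disable null sessions) rather than something a default Windows install should show.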

Task 8: What is the command we can use within the SMB shell to download the files we find?

Approach:

Next, use smbclient to access the target (clearly a Windows host). From the earlier enumeration the share above can be opened directly; the only things to watch are that backslashes in the path need escaping (several of them) and that the password is empty. Once inside the share, run ls in each directory; the flag turns out to be in the James directory, so download it locally with the get command. Success~~~

# smbclient //10.129.1.12/Workshares
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Mar 29 04:22:01 2021
  ..                                  D        0  Mon Mar 29 04:22:01 2021
  Amy.J                               D        0  Mon Mar 29 05:08:24 2021
  James.P                             D        0  Thu Jun  3 04:38:03 2021
                5114111 blocks of size 4096. 1753923 blocks available
smb: \> cd James.P
smb: \James.P\> dir
  .                                   D        0  Thu Jun  3 04:38:03 2021
  ..                                  D        0  Thu Jun  3 04:38:03 2021
  flag.txt                            A       32  Mon Mar 29 05:26:57 2021
                5114111 blocks of size 4096. 1753923 blocks available
smb: \James.P\> get flag.txt
getting file \James.P\flag.txt of size 32 as flag.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \James.P\> quit

┌──(root💀kali)-[~]
└─# cat flag.txt
5f61c10dffbc77a704d76016a22f1664 

posted @ 2022-03-23 19:20  Jason_huawen