Tactics

4MB
Tactics_Write_Up.pdf
pdf

Task 1: Which Nmap switch can we use to enumerate machines when our ping ICMP packets are blocked by the Windows firewall?

  • The -Pn flag will treat all hosts as online and not ping the Target IP Address.

Task 2: What does the 3-letter acronym SMB stand for?

  • Sever Message Block

Task 3: What port does SMB use to operate at?

  • 445

Task 4: What command line argument do you give to smbclient to list available shares?

  • Input the command smbclient into the terminal to see the list of options and flags:

  • -L will list out the shares.

Task 5: What character at the end of a share name indicates it's an administrative share?

  • Start by logging into the IP with sbmclient

smbclient -L [Target IP] -U Administrator

  • Try logging into the administrator account first as it is the highest privileged account in Microsoft.

  • When prompted for a password, just hit enter as it is a passwordless account.

  • This will display the shares available.

  • At the end of each Share is a "$" symbol.

Task 6: Which Administrative share is accessible on the box that allows users to view the whole file system?

  • Generally speaking the C Drive contains all of the system files in a Windows OS.

Task 7: What command can we use to download the files we find on the SMB Share?

  • Start by accessing some of the shares. You can do this with the following commands:

smbclient \\\\[Target IP]\\[Share Name] -U Administrator

  • You will be prompted for a password depending on the account. In this case, the Administrator account is passwordless so you can just hit enter.

  • You can then type in help to see what commands are available.

  • In this case, the answer is get. Similar to Linux.

Task 8: Which tool that is part of the Impacket collection can be used to get an interactive shell on the system?

  • Googling this you can discover that a psexec.py tool is a Python tool part of the IMPACKET Module that allows you to gain a fully interactive shell on a Windows system.

Capture the Flag:

  • Switch to the C$ Share for common directories on the system. You can use the same command from above.

  • Once in the C$ Share, redirect to the C$\Users\Administrator\Desktop\ directory to find the flag.

  • f751c19eda8f61ce81827e6930a1f40c

Alternate Means to the Flag with IMPACKET:

  • Start by downloading Impacket to your host machine.

git clone https://github.com/SecureAuthCorp/impacket.git

  • cd into the impacket directory

cd impacket

  • Setup impacket:

sudo python3 setup.py install

  • Check to make sure you have all of the requirements installed:

pip3 install -r requirements.txt

  • Check out the options for psexec.py with the following:

psexec.py -h

  • psexec.py is located in the /impacket/example/ directory.

  • Next is to use the tool to gain an interactive shell with the windows target:

python3 psexec.py username:password@[Target IP]

  • Since the Administrator's account is passwordless, we will just use the following:

python3 psexec.py administrator@[Target IP]

PreviousPennyworthNextTier 2 Machines

Last updated