Tactics
Task 1: Which Nmap switch can we use to enumerate machines when our ping ICMP packets are blocked by the Windows firewall?
The -Pn flag treats all hosts as online and skips the ICMP host-discovery ping of the target IP address, so the scan proceeds even when the Windows firewall drops ping.
Task 2: What does the 3-letter acronym SMB stand for?
Server Message Block
Task 3: What port does SMB use to operate at?
445
Task 4: What command line argument do you give to smbclient to list available shares?
Run smbclient with no arguments in the terminal to see its list of options and flags. The -L flag lists the shares.
Task 5: What character at the end of a share name indicates it's an administrative share?
Start by connecting to the target IP with smbclient:
smbclient -L [Target IP] -U Administrator
Try the Administrator account first, as it is the most privileged local account on Windows. When prompted for a password, just hit enter, because this account has no password set.
This displays the available shares. Each administrative share ends with a "$" symbol.
Task 6: Which Administrative share is accessible on the box that allows users to view the whole file system?
Generally speaking, the C drive holds the entire file system of a Windows OS, including the system files, so its administrative share (C$) is the one that exposes everything.
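To make Tasks 4 to 6 concrete, here is an added example (not part of the room or this walkthrough) that parses the share table printed by smbclient -L and flags the administrative shares by their trailing "$"; the listing it parses is a constructed sample, not output captured from the target.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample of `smbclient -L [Target IP]` output for illustration;
# it is not captured from the room, but uses the default Windows share names.
SAMPLE_LISTING = """\
Password for [WORKGROUP\\Administrator]:

\tSharename       Type      Comment
\t---------       ----      -------
\tADMIN$          Disk      Remote Admin
\tC$              Disk      Default share
\tIPC$            IPC       Remote IPC
\tUsers           Disk
Reconnecting with SMB1 for workgroup listing.
"""

@dataclass
class Share:
    name: str
    kind: str
    comment: str

    @property
    def administrative(self) -> bool:
        # Windows marks its hidden administrative shares with a trailing "$".
        return self.name.endswith("$")

def parse_share_listing(text: str) -> list[Share]:
    """Parse the Sharename/Type/Comment table that smbclient -L prints."""
    shares: list[Share] = []
    in_table = False
    for raw in text.splitlines():
        if not in_table:
            in_table = raw.strip().startswith("Sharename")
            continue
        if not raw.startswith("\t"):
            break                       # rows are tab-indented; anything else ends the table
        cols = raw.strip().split(None, 2)
        if not cols or cols[0].startswith("---"):
            continue                    # skip the dashed underline row
        cols += [""] * (3 - len(cols))  # the Comment column may be empty
        shares.append(Share(*cols))
    return shares

def administrative_shares(text: str) -> list[str]:
    """Names an audit should flag: C$ alone exposes the whole file system."""
    return [s.name for s in parse_share_listing(text) if s.administrative]

if __name__ == "__main__":
    for share in parse_share_listing(SAMPLE_LISTING):
        tag = "ADMIN" if share.administrative else "user "
        print(f"{tag}  {share.name:<8} {share.kind:<5} {share.comment}")
```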
Task 7: What command can we use to download the files we find on the SMB Share?
Start by connecting to one of the shares. You can do this with the following command:
smbclient \\\\[Target IP]\\[Share Name] -U Administrator
You will be prompted for a password depending on the account. In this case, the Administrator account has no password, so you can just hit enter.
You can then type help to see which commands are available. In this case, the answer is get, similar to Linux.
Task 8: Which tool that is part of the Impacket collection can be used to get an interactive shell on the system?
Googling this, you can discover that psexec.py is a Python tool that is part of the Impacket collection and lets you gain a fully interactive shell on a Windows system.
Capture the Flag:
Connect to the C$ share, which exposes the system's directories, using the same command as above.
Once in the C$ share, change to the C$\Users\Administrator\Desktop\ directory to find the flag.
f751c19eda8f61ce81827e6930a1f40c
Alternate Means to the Flag with IMPACKET:
Start by downloading Impacket to your host machine.
git clone https://github.com/SecureAuthCorp/impacket.git
cd into the impacket directory
cd impacket
Setup impacket:
sudo python3 setup.py install
Check to make sure you have all of the requirements installed:
pip3 install -r requirements.txt
Check out the options for psexec.py with the following:
psexec.py -h
psexec.py is located in the impacket/examples/ directory. Next, use the tool to gain an interactive shell on the Windows target:
python3 psexec.py username:password@[Target IP]
Since the Administrator's account is passwordless, we will just use the following:
python3 psexec.py administrator@[Target IP]