Tactics

Task 1: Which Nmap switch can we use to enumerate machines when our ping ICMP packets are blocked by the Windows firewall?

  • The -Pn flag treats all hosts as online and skips the ping (host discovery) step against the target IP address.

Task 2: What does the 3-letter acronym SMB stand for?

  • Server Message Block

Task 3: What port does SMB use to operate at?

  • 445

Task 4: What command line argument do you give to smbclient to list available shares?

  • Run smbclient with no arguments in the terminal to see the list of options and flags:

  • -L will list out the shares.

Task 5: What character at the end of a share name indicates it's an administrative share?

  • Start by connecting to the target IP with smbclient:

smbclient -L [Target IP] -U Administrator

  • Try the Administrator account first, as it is the highest-privileged local account on Windows.

  • When prompted for a password, just hit enter, as this account has no password set.

  • This will display the shares available.

  • Administrative shares end with a "$" symbol.
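
The listing above can also be checked programmatically. The helper below is an added example, not part of the original writeup: it parses the share table that smbclient -L prints and sorts hidden ("$") shares into the ones Windows creates by default (ADMIN$, IPC$, <drive>$) versus ones an administrator or application added, which is what you want to know when auditing what a host exposes. The sample listing is constructed, not captured from the room's target.

```python
import re

# Constructed sample of `smbclient -L` output; not captured from the room's target.
SAMPLE_LISTING = """\
\tSharename       Type      Comment
\t---------       ----      -------
\tADMIN$          Disk      Remote Admin
\tC$              Disk      Default share
\tIPC$            IPC       Remote IPC
\tBackups$        Disk      Nightly backups
\tUsers           Disk
Reconnecting with SMB1 for workgroup listing.
"""

# Administrative shares Windows creates by default: ADMIN$, IPC$ and one <letter>$ per drive.
DEFAULT_ADMIN_SHARES = {"ADMIN$", "IPC$"}
_DRIVE_SHARE = re.compile(r"^[A-Za-z]\$$")


def parse_share_listing(text):
    """Parse the share table printed by `smbclient -L` into a list of dicts."""
    shares, in_table = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if not in_table:
            in_table = stripped.startswith("Sharename")  # header row
            continue
        if not stripped or not line[0].isspace():  # table ends at a blank or unindented line
            break
        if stripped.startswith("---"):
            continue  # underline row
        parts = stripped.split(None, 2)
        name, kind = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else ""
        shares.append({"name": name, "type": kind, "comment": comment,
                       "hidden": name.endswith("$")})
    return shares


def classify_shares(shares):
    """Sort shares into Windows-default admin shares, other hidden shares and visible ones."""
    groups = {"default_admin": [], "custom_hidden": [], "visible": []}
    for share in shares:
        name = share["name"]
        if not share["hidden"]:
            groups["visible"].append(name)
        elif name in DEFAULT_ADMIN_SHARES or _DRIVE_SHARE.match(name):
            groups["default_admin"].append(name)
        else:
            groups["custom_hidden"].append(name)
    return groups
```

Feed it the saved output of smbclient -L; a non-empty custom_hidden list is the group worth asking questions about, since the default shares exist on every Windows host.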

Task 6: Which Administrative share is accessible on the box that allows users to view the whole file system?

  • Generally speaking, the C: drive contains all of the system files in a Windows OS, so the C$ share is the one that exposes the whole file system.

Task 7: What command can we use to download the files we find on the SMB Share?

  • Start by accessing some of the shares. You can do this with the following commands:

smbclient \\\\[Target IP]\\[Share Name] -U Administrator

  • You may be prompted for a password, depending on the account. In this case the Administrator account has no password, so you can just hit enter.

  • You can then type help to see what commands are available.

  • In this case, the answer is get, which works much like the same command on Linux.

Task 8: Which tool that is part of the Impacket collection can be used to get an interactive shell on the system?

  • A quick search shows that psexec.py, a Python tool that is part of the Impacket collection, gives you a fully interactive shell on a Windows system.

Capture the Flag:

  • Connect to the C$ share, which exposes the common system directories, using the same command as above.

  • Once in the C$ share, navigate to the C$\Users\Administrator\Desktop\ directory to find the flag.

  • f751c19eda8f61ce81827e6930a1f40c

Alternate Means to the Flag with IMPACKET:

  • Start by cloning Impacket onto your host machine:

git clone https://github.com/SecureAuthCorp/impacket.git

  • cd into the impacket directory:

cd impacket

  • Set up Impacket:

sudo python3 setup.py install

  • Check to make sure you have all of the requirements installed:

pip3 install -r requirements.txt

  • Check out the options for psexec.py with the following:

psexec.py -h

  • psexec.py is located in the /impacket/example/ directory.

  • Next, use the tool to get an interactive shell on the Windows target:

python3 psexec.py username:password@[Target IP]

  • Since the Administrator account has no password, the following is enough:

python3 psexec.py administrator@[Target IP]