Hi everyone, today, I’m going to present an HTB Tactics Walkthrough on Hack The Box. Hack The Box is an online gamified learning platform for Cybersecurity. Tactics is one of the machines in ‘Starting Point’ of Hack The Box.
Enumeration
We are going to use the popular tool Nmap for enumerating the machine.
$ sudo nmap -sC 10.129.102.202 -sV –version-all -vv
-sC for running default scripts.
-sV for doing version detection.
–version-all for getting all the available version information.
-Vv for that extra pinch of verbosity.
We will find that it uses SMB(Server Message Block) by looking at the open ports and the scan results.
That means we need to enumerate SMB-specific shares to find a foothold. To enumerate shares, we do,
$ smbclient – L 10.129.102.202
-L listing shares
So, here we tried to enumerate SMB shares anonymously without a password but it failed because the system is not configured to allow passwordless anonymous access. So we have to think of another way. There may be some misconfiguration in the system. So, let us test for that misconfiguration. One misconfiguration is no password for the Administrator. Let us try this.
$ smbclient -U Administrator -L 10.129.102.202
-U providing username
Foothold
Now that our enumeration is complete, it is time to get a foothold on the system. We can see there are 3 SMB shares: ADMIN$, C$, IPC$. C$ is an important share because it contains all the directories of Windows. We have also seen in enumeration that the Adninistrator account does not require any password which is a grave misconfiguration. Now, we can exploit these facts to gain a foothold in the system.
Login into the share C$ using the Administrator account,
$ smbclient -U Administrator \\\\10.129.102.202\\C$
Voila! We have got access to the system. Upon searching the directories, you will find the flag on the Administrator’s desktop. We will do the get command on the flag to download it to our system. And there you have it! HTB Tactics Walkthrough is pwned!
Author
Shubham
