TryHackMe: Exploiting SMB

March 9, 2021 2 minute read

This is a write up for the Exploiting SMB task of the Network Services room on TryHackMe. Some tasks have been omitted as they do not require an answer.

Combining the example and the parameters provided, we produce the following command:

Answer:

smbclient //10.10.10.2/secret -U suit -p 445

Enter the following command to attempt a connection via smb to the share discovered in the enumeration phase. We also enter a blank password for the ‘Anonymous’ user by pressing enter.

We are then logged in as the ‘Anonymous’ user.

Answer: Y

Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?

Lets list out the files in the current directory by typing ls

The “Working From Home Information.txt” looks pretty interesting, so lets download that file.

get "Working From Home Information.txt"

Type “exit’ to terminate the smb session.

Now lets print out the information contained in the downloaded text file.

cat "Working From Home Information.txt"

This reveals the name of an individual that the profile folder belongs to.

Answer: John Cactus

What service has been configured to allow him to work from home?

The acquired text file also provides the information on the service which allows him to work from home.

Answer: ssh

Lets reconnect to the SMB share and look inside the .ssh folder.

Answer: .ssh

This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?

The id_rsa file is most useful to us as it contains the user’s private key. We should also get the id_rsa.pub file as it contains the public key. Lets download the files to our local machine.

get id_rsa
get id_rsa.pub

What is the smb.txt flag?

Exit the smb session again and update the permissions on the id_rsa file. 600 will give the user full read/write access to the file.

chmod 600 id_rsa

To log in as John Cactus, we need to know their username. This will be contained in the public key file.

cat id_rsa.pub

The username is cactus, now we can try to ssh to the server as that user.

ssh -i id_rsa cactus@<ip>

Success! Lets look for and print our flag.

Answer: THM{smb_is_fun_eh?}

Recap

In this task we learnt how to:

Connect as an Anonymous user to an smbclient
User another user’s private key to establish an ssh session

Andrew Dickinson

What would be the correct syntax to access an SMB share called “secret” as user “suit” on a machine with the IP 10.10.10.2 on the default port?

Does the share allow anonymous access? Y/N?

Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to?

What service has been configured to allow him to work from home?

Okay! Now we know this, what directory on the share should we look in?

This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?

What is the smb.txt flag?

Recap