SMB Unlocked: How I Hacked into SMB Shares and Retrieved the Flag

Ashbal Fatima

SMB (Server Message Block) is a widely used network file-sharing protocol that allows systems to share files, printers, and other network resources. In penetration testing, SMB shares are often targeted to enumerate sensitive data and exploit weaknesses in the system.

In this blog post, I'll walk you through the process of accessing SMB shares, exploiting vulnerabilities, and extracting the flag hidden inside a flag.txt file. This was the objective in a recent challenge I completed on Hack The Box (HTB).


Objective

The task was to:

  1. Identify and enumerate the SMB shares on the target system.

  2. Authenticate as the bob user.

  3. Access the flag by navigating to the flag directory and retrieving the flag.txt file.

Let's break down the steps to achieve this.


Step-by-Step Process

Step 1: Scan for SMB Shares on the Target Host

The first step is to identify the SMB shares the target system exposes. For this, we use the nmap command with the smb-enum-shares script, which queries the host's SMB service and lists the shares it offers.

nmap --script smb-enum-shares <IP-ADDRESS>
  • This command runs an Nmap scan and identifies the SMB shares on the target IP.

  • The result will give you information about open ports, including the SMB service running on port 445.

Snapshot of the result:

Nmap SMB Scan


Step 2: Connect to the SMB Share as the Bob User

Next, we use the smbclient command to connect to the users SMB share. Although we did not specify a port number, smbclient defaults to port 445, the standard SMB port.

smbclient -U bob \\\\<IP-ADDRESS>\\users
  • The smbclient command is used to access the SMB share, and here we authenticate as the bob user.

  • Port 445 is used by default for SMB communication.

Snapshot of the result:

Connection Attempt


Step 3: List the Directories in the SMB Share

Once connected, we list the directories available in the share. This helps us locate the flag directory, which holds the file we need.

smb: \> ls
  • This command lists the files and directories in the users share. We can then spot the flag directory.

Snapshot of the result:

Directory Listing


Step 4: Navigate to the Flag Directory

Now, we change the current directory to the flag directory and list its contents to locate the flag.txt file.

smb: \> cd flag
smb: \flag\> ls
  • The first command changes the directory to flag.

  • The second command lists the contents inside the flag directory, which reveals the flag.txt file.

Snapshot of the result:

Changing Directory


Step 5: Download the Flag.txt File

Finally, we use the get command to download the flag.txt file from the SMB share.

smb: \flag\> get flag.txt
  • This command downloads the flag.txt file from the share to the local system, completing the task.

Snapshot of the result:

File Download
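The five steps above run non-interactively, as an added example that is not code from the original post: it assumes smbclient is installed, the share, user and path names from the post (users, bob, flag\flag.txt), and a password supplied through the PASSWD environment variable that smbclient reads. The disk_shares helper is exercised against a constructed sample of smbclient -L output so the filtering can be checked without a live host.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Assumes smbclient is
# installed and that the share, user and path names match the post
# (users, bob, flag\flag.txt). The password is taken from the PASSWD
# environment variable, which smbclient reads when -U gives only a user.
set -euo pipefail

# Build the forward-slash UNC form smbclient accepts, e.g. //10.0.0.5/users.
unc_path() {
    printf '//%s/%s' "$1" "$2"
}

# Reduce "smbclient -L" output (read from stdin) to the names of Disk-type
# shares, one per line; header, separator and workgroup lines never have
# "Disk" in column two. Share names containing spaces are not handled.
disk_shares() {
    awk '$2 == "Disk" { print $1 }'
}

# Steps 1-2: enumerate the shares visible to the given user on the host.
enumerate_shares() {
    smbclient -L "//$1" -U "$2" | disk_shares
}

# Steps 3-5 in one non-interactive session: enter the directory, fetch the
# file into $outdir, and keep smbclient's exit status so a wrong password
# or a missing file fails the script instead of going unnoticed.
fetch_file() {
    local host="$1" share="$2" user="$3" dir="$4" file="$5" outdir="$6"
    ( cd "$outdir" && smbclient "$(unc_path "$host" "$share")" -U "$user" \
          -c "cd $dir; get $file" )
}

# The whole procedure from the post against a live host (needs smbclient).
run_all() {
    local host="$1"
    enumerate_shares "$host" bob
    fetch_file "$host" users bob flag flag.txt "$PWD"
}

# Constructed sample of what "smbclient -L" prints; used only for offline checks.
sample_listing() {
    printf '\tSharename       Type      Comment\n'
    printf '\t---------       ----      -------\n'
    printf '\tADMIN$          Disk      Remote Admin\n'
    printf '\tC$              Disk      Default share\n'
    printf '\tIPC$            IPC       Remote IPC\n'
    printf '\tusers           Disk      \n'
}
sample_listing | disk_shares   # prints ADMIN$, C$ and users, one per line
```

Source the file and call run_all <IP-ADDRESS> with PASSWD exported to perform the live steps.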


Final Outcome

The flag.txt file was successfully downloaded and stored in the local folder.

Snapshot of the flag in the local folder:


Conclusion

In this post, we've successfully enumerated and accessed the SMB shares on a target system, authenticated as the bob user, and retrieved the flag hidden inside the flag.txt file. This challenge helped me practice SMB enumeration and authentication techniques, which are crucial skills in penetration testing.

If you'd like to see a brief markdown version of this challenge and my step-by-step process, feel free to check it out on my GitHub profile.

Stay tuned for more detailed technical write-ups and challenges!
