1. Start with nmap, as always
nmap -T4 -A -v <IP>
SMB (Server Message Block) provides shared access to files between endpoints on a network. Port 445 is the port usually associated with SMB. Storage exposed over SMB on a network is called a share; anyone who has the server address and credentials for that share can access it.
2. As the screenshot above shows, the open ports are all SMB-related, so my first thought was EternalBlue (MS17-010).
3. It failed, but it did give a hint: Rex::Proto::SMB::Exceptions::LoginError: Login Failed: execution expired
So it is probably a weak password then...
4. Getting nowhere, I remembered a classic SMB misconfiguration:
When security = share mode is set, every user can access the shared resources without logging in (no authentication at all).
5. Use smbclient to list the shared folders
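As an added example that is not part of the original writeup: a small Python audit of a Samba smb.conf for the unauthenticated-access settings described above. `security = share` is the legacy Samba mode; `map to guest` and `guest ok` (alias `public`) are the related Samba parameters a defender would check alongside it. The sample config is constructed, not taken from the target.

```python
# Constructed sample smb.conf (not from the target) exercising the weak settings.
SAMPLE_SMB_CONF = """
[global]
   security = share
   map to guest = Bad User
[WorkShares]
   path = /srv/workshares
   guest ok = yes
[Private]
   path = /srv/private
   valid users = alice
"""

def parse_smb_conf(text):
    """Minimal smb.conf parser: [section] headers and 'key = value' lines;
    lines starting with '#' or ';' are comments; keys/values are normalised."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.split()).lower()] = value.strip().lower()
    return sections

def audit_smb_conf(text):
    """Return findings for settings that allow unauthenticated share access."""
    conf = parse_smb_conf(text)
    findings = []
    g = conf.get("global", {})
    if g.get("security") == "share":
        findings.append("global: security = share (shares need no authentication)")
    if g.get("map to guest", "never") != "never":
        findings.append(f"global: map to guest = {g['map to guest']} (failed logins become guest)")
    for name, params in conf.items():
        # 'public' is Samba's synonym for 'guest ok'
        if name != "global" and "yes" in (params.get("guest ok"), params.get("public")):
            findings.append(f"share [{name}]: guest ok = yes (anonymous access)")
    return findings

if __name__ == "__main__":
    for finding in audit_smb_conf(SAMPLE_SMB_CONF):
        print("WARN", finding)
```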
smbclient -L <ip>
6. Try an anonymous connection
smbclient \\\\10.129.1.12\\ADMIN$
smbclient \\\\10.129.1.12\\C$
smbclient \\\\10.129.1.12\\WorkShares
7. Try connecting to the SMB server from Windows
8. Get the flag
9. Questions and answers
What does the 3-letter acronym SMB stand for?
->Server Message Block
What port does SMB use to operate at?
->445
What network communication model does SMB use, architecturally speaking?
->Client-Server model
What is the service name for port 445 that came up in our nmap scan?
->microsoft-ds
What is the tool we use to connect to SMB shares from our Linux distribution?
->smbclient
What is the `flag` or `switch` we can use with the SMB tool to `list` the contents of the share?
->-L
What is the name of the share we are able to access in the end?
->WorkShares
What is the command we can use within the SMB shell to download the files we find?
->get
Submit root flag
->5f61c10dffbc77a704d76016a22f1664