THM - Advent of Cyber 2022 - Day 4


Difficulty: ⭐
Challenge Link
OS: Linux

Q: What is the name of the HTTP server running on the remote host?

I like to start all my boxes off with the export command, making a variable of the IP so I don't have to keep retyping it.

export ip={ACTUAL_IP}

I followed this with an Nmap scan. If this doesn't come back fast I'll just do a basic nmap scan to at least get something.

└─$ sudo nmap -sV -sC -O -T4 -n -Pn -oA advent $ip

Because we passed the -sV flag, we were able to quickly identify the HTTP server running.

Commands Used
export ip=
sudo nmap -sV -sC -O -T4 -n -Pn -oA advent $ip
Answer

Apache
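The -oA flag above writes the scan in three formats, including an XML file (advent.xml). Pulling the answers out of that file by hand gets old quickly, so here is an added example, not part of the original write-up, that parses the XML and reports the service name, product and version for every open port. The XML below is constructed to mimic what a scan like the one above produces; the IP and version strings are made-up placeholders, not values from the challenge box.

```python
"""Extract open-port service details from Nmap XML output (the .xml written by -oA).

Added example for this write-up, not the post author's code. SAMPLE_NMAP_XML is a
constructed, trimmed report; the address and versions in it are placeholders.
"""
import xml.etree.ElementTree as ET

# Constructed sample report: three open ports, one filtered port.
SAMPLE_NMAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sV -sC -O -T4 -n -Pn -oA advent 10.10.0.1">
  <host>
    <status state="up" reason="user-set"/>
    <address addr="10.10.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.2p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.41" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="filtered" reason="no-response"/>
        <service name="http-proxy" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_services(xml_text):
    """Return {port_number: details} for every port whose state is "open".

    details["probed"] is True only when Nmap actually fingerprinted the service
    (method="probed"); method="table" means the name came from the default
    nmap-services port table, so it is a guess rather than a -sV result.
    """
    root = ET.fromstring(xml_text)
    services = {}
    for host in root.iter("host"):
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # skip closed/filtered ports entirely
            svc = port.find("service")
            services[int(port.get("portid"))] = {
                "protocol": port.get("protocol"),
                "name": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                "probed": svc is not None and svc.get("method") == "probed",
            }
    return services


def http_server_products(services):
    """Return the product string of every open port Nmap identified as HTTP."""
    return [
        d["product"] for d in services.values()
        if d["name"] == "http" and d["probed"] and d["product"]
    ]


if __name__ == "__main__":
    # On a real scan: open("advent.xml").read() in place of the sample string.
    found = parse_open_services(SAMPLE_NMAP_XML)
    for port in sorted(found):
        d = found[port]
        flag = "" if d["probed"] else "  (table guess, not fingerprinted)"
        print(f"{port}/{d['protocol']}: {d['name']} {d['product'] or ''} {d['version'] or ''}{flag}")
    print("HTTP servers:", http_server_products(found))
```

The "probed" flag is the check worth keeping: a low-confidence table lookup (as on 445 in the sample) will still show a service name in the XML, but it says nothing about what is really listening, so version-based decisions should only rest on entries Nmap fingerprinted.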

Q: What is the name of the service running on port 22 on the QA server?

Even a basic nmap scan, unlike the fuller one above, would list this item. However, this is such a common port that it's at least safe to assume it is ssh. Let's leave that conversation as is.

Answer

ssh

Q: What flag can you find after successfully accessing the Samba service?

We can use smbclient to try and get some information. I like to refer to HackTricks for some quick items. Sure enough, we can run smbclient --no-pass -L //$ip to see what potential shares are open. Ironically, this took me a second because I jumped to the questions and did not fully read. I noticed that the modules build on each other, so we had to use the credentials from the previous module against some of these shares. The one in question looks juicy. You can use smbclient -U username //$ip/sharename to connect, then use the "help" command to identify some potential recon options.

Answer

{THM_SANTA_SMB_SERVER}

Q: What is the password for the username santahr?

I chose to use "get" within smb to pull the files back to my Kali box and read them there. I think you can read files within smb, but I just figured it was easier to pull them back.

Answer

santa25

Q: If you want to learn more scanning techniques, we have a module dedicated to Nmap!

No Answer Needed.