
🦌Fawn

Server Message Block Port 445

🦌 HTB Fawn - Solution Notes

Platform: Hack The Box - Starting Point (Tier 0)
Machine: Fawn
OS: Linux
Difficulty: Very Easy
Vulnerability Type: Misconfiguration - SMB Null Session (Unauthenticated Access)


🗺️ Attack Chain

Nmap → SMB (Port 445) discovery → List shares via Null Session → Connect to WorkShares → Download flag.txt → Read it


🧠 How Does a Hacker Think? - Before You Begin

When port 445 shows up in a scan, immediately ask yourself: "Does this SMB service require authentication?"

1️⃣ Reconnaissance

Port Scanning

bash

nmap -p- --min-rate 5000 -sV <TARGET_IP>

Findings:

Port 445 = SMB. This protocol is used for file and printer sharing on Windows systems. It can also run on Linux via Samba.

🧠 How Does a Hacker Think? - First Look at SMB

When you see SMB, these questions should be running through your head:

2️⃣ Enumeration - Listing Shares

💡 What is SMB (Server Message Block)?

bash

smbclient -L <TARGET_IP> # Password: (leave blank, just press Enter)

💡 Parameter Explanation:

Example Output:

Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
IPC$            IPC       Remote IPC
WorkShares      Disk

WorkShares does not end in $ → it may contain user data. This is our first target.

3️⃣ Exploitation - Connecting to a Share

💡 What is smbclient?

bash

smbclient //<TARGET_IP>/WorkShares # Password: (leave blank, press Enter)


4️⃣ Navigation Inside the SMB Client

💡 SMB Client Commands

bash

smb: \> ls
smb: \> cd Amy.J
smb: \> ls
smb: \> get worknotes.txt
smb: \> cd ..
smb: \> cd James.P
smb: \> get flag.txt
smb: \> exit


5️⃣ Reading the Flag

💡 Why Can't We Read It on the Server?

bash

cat flag.txt


🧠 How Does a Hacker Think? - Why Did This Vulnerability Exist?

The SMB Null Session vulnerability is not a technical bug - it's a configuration error. The sysadmin either:

6️⃣ Remediation

bash

# The following settings should be applied in smb.conf:
# 1. Disable guest access
map to guest = Never
guest ok = no
# 2. Enforce SMB signing
server signing = mandatory
# 3. Disable old and insecure SMB versions
min protocol = SMB2
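
Added example (not part of the original write-up): a POSIX shell function that audits an smb.conf read from stdin for the three settings listed above. The function names, finding texts and both sample configs are constructed for illustration; `public` and `server min protocol` are Samba's synonyms for `guest ok` and `min protocol`.

```shell
# audit_smb_conf: smb.conf on stdin -> one finding per line, status 1 if any.
# Only "server signing = mandatory" passes; line continuations are not handled.
audit_smb_conf() {
  awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function flag(msg) { print "[" sec "] " msg; bad++ }
    BEGIN { sec = "global" }   # parameters before any section are global
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }   # comments and blank lines
    /^[ \t]*\[.*\]/ { sec = tolower(trim($0)); gsub(/\[|\]/, "", sec); next }
    {
      eq = index($0, "="); if (eq == 0) next
      # Samba ignores case and whitespace inside parameter names.
      key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
      val = tolower(trim(substr($0, eq + 1)))
      if ((key == "guestok" || key == "public") && val ~ /^(yes|true|on|1)$/)
        flag("guest ok = " val ": share accepts connections without a password")
      if (key == "maptoguest" && val != "never")
        flag("map to guest = " val ": failed logons can be mapped to guest")
      if (key == "serversigning") signing = val
      if ((key == "minprotocol" || key == "serverminprotocol") &&
          val ~ /^(core|coreplus|lanman1|lanman2|nt1)$/)
        flag("min protocol = " val ": SMB1 dialects still accepted")
    }
    END {
      if (signing == "") signing = "(unset)"
      if (signing != "mandatory") { sec = "global"; flag("server signing = " signing ": not enforced") }
      exit (bad > 0)
    }
  '
}
weak_conf() {       # constructed sample: guest-readable WorkShares share
  cat <<'EOF'
[global]
   map to guest = Bad User
   server min protocol = NT1
[WorkShares]
   guest ok = yes
EOF
}
hardened_conf() {   # constructed sample using the remediation settings
  cat <<'EOF'
[global]
   map to guest = Never
   guest ok = no
   server signing = mandatory
   min protocol = SMB2
EOF
}
weak_conf | audit_smb_conf || true   # prints four findings
```

On a Samba host the same function can read the effective configuration with `testparm -s 2>/dev/null | audit_smb_conf`.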


📚 Concepts Learned


🔑 General Hacker Mindset Summary

  1. When you see port 445, try Null Session first: smbclient -L <IP> → leave password blank and press Enter.
  2. Shares not ending in $ are your first target: These are user-created and likely contain data.
  3. cat doesn't work in SMB, use get: Download the file first, then read it in your local terminal.
  4. Misconfiguration = human error: Configuration mistakes open more doors than technical vulnerabilities.
  5. "I'll close it later" is never a safe plan: The most common security holes come from decisions made "just for now."