To start the recon, we launch nmap in silent mode to find the open ports on the machine, without DNS resolution, and export the results to a format we can grep.
Then we launch a deeper scan to identify the version and the service running on the ports found open in the previous scan.
We find an interesting port: 445.
Windows machines usually use this port for the SMB server (Link to document).
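As an added example (not from the original write-up), here is a small parser for the grepable nmap output (`-oG`) produced by the first scan, used the way a defender would: to inventory which hosts expose port 445 so the SMB exposure can be reviewed. The scan output below is constructed sample data, and the hosts and ports in it are hypothetical.

```python
import re

# Constructed sample of nmap grepable output (-oG); addresses and ports are made up.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sS -n -p- -oG scan.gnmap 10.10.10.0/29
Host: 10.10.10.2 ()\tStatus: Up
Host: 10.10.10.2 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (65532)
Host: 10.10.10.3 ()\tStatus: Up
Host: 10.10.10.3 ()\tPorts: 22/open/tcp//ssh///, 445/closed/tcp//microsoft-ds///
Host: 10.10.10.4 ()\tStatus: Up
Host: 10.10.10.4 ()\tPorts: 80/open/tcp//http///
# Nmap done at Mon Jan  1 10:00:05 2024 -- 8 IP addresses (3 hosts up) scanned in 5.00 seconds
"""

# Each port entry in the "Ports:" field looks like  445/open/tcp//microsoft-ds///
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_gnmap(text):
    """Return {host: {(port, proto): (state, service)}} from grepable nmap output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the "# Nmap ..." comment lines
        fields = line.split("\t")           # fields are tab-separated
        host = fields[0].split()[1]         # "Host: 10.10.10.2 ()" -> "10.10.10.2"
        entry = hosts.setdefault(host, {})  # "Status: Up" lines create the host with no ports
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for port, state, proto, service in PORT_RE.findall(field):
                    entry[(int(port), proto)] = (state, service)
    return hosts


def hosts_exposing(hosts, port, proto="tcp"):
    """Hosts where the given port is reported open, sorted for stable reporting."""
    return sorted(h for h, ports in hosts.items()
                  if ports.get((port, proto), ("", ""))[0] == "open")


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    for host in hosts_exposing(inventory, 445):
        print(f"{host} exposes SMB (445/tcp): {inventory[host][(445, 'tcp')][1]}")
```

Running the script on a real `scan.gnmap` only requires reading the file into `parse_gnmap` instead of the embedded sample.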
If the SMB server is misconfigured, you can list the shared folders on the server, as follows:
Let's try to get into one of the SMB server's folders, as follows:
And we are inside the machine.
You can see some tricks on the Hack Tricks page (Hack Tricks Link).
We can move between the folders and look for a hint to the flag. Let's start with cd; you can get used to the available commands with the help command.
In this folder we find a file called worknotes.txt. Download it to your machine with the get command.
Back on your local machine, use the cat command to check whether the file contains any hints.
We find nothing.
Let's look at the other directory.
And there we find the flag. Let's get the file to the local machine and read it with cat.
Congratulations, you have pwned the machine.