SMB


Nmap discovered a Windows directory service (microsoft-ds) on port 445 of the target's IPv6 address

┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ nmap --script smb-enum-shares -sV -p139,445 -6 $IPv6
starting nmap 7.94 ( https://nmap.org ) at 2023-10-22 15:26 CEST
nmap scan report for apt (dead:beef::b885:d62a:d679:573f)
Host is up (0.11s latency).
 
PORT    STATE    SERVICE      VERSION
139/tcp filtered netbios-ssn
445/tcp open     microsoft-ds microsoft windows server 2008 r2 - 2012 microsoft-ds (workgroup: HTB)
service info: OS: Windows; CPE: cpe:/o:microsoft:windows
 
host script results:
| smb-enum-shares: 
|   account_used: <blank>
|   \\dead:beef::b885:d62a:d679:573f\IPC$: 
|     type: STYPE_IPC_HIDDEN
|     comment: Remote IPC
|     anonymous access: READ
|   \\dead:beef::b885:d62a:d679:573f\NETLOGON: 
|     type: STYPE_DISKTREE
|     comment: Logon server share 
|     anonymous access: <none>
|   \\dead:beef::b885:d62a:d679:573f\SYSVOL: 
|     type: STYPE_DISKTREE
|     comment: Logon server share 
|     anonymous access: <none>
|   \\dead:beef::b885:d62a:d679:573f\backup: 
|     type: STYPE_DISKTREE
|     comment: 
|_    anonymous access: READ
 
service detection performed. please report any incorrect results at https://nmap.org/submit/ .
nmap done: 1 IP address (1 host up) scanned in 55.35 seconds

Attempting to map the SMB shares with an additional nmap scan fails due to lack of privileges

Null Session


┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ smbclient -L //apt.htb.local/
Password for [WORKGROUP\kali]:
Anonymous login successful
 
	Sharename       Type      Comment
	---------       ----      -------
	backup          Disk      
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	SYSVOL          Disk      Logon server share 
apt.htb.local is an IPv6 address -- no workgroup available

As discovered earlier, //apt.htb.local/backup is the only non-default SMB share
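An added example, not part of the original notes: a small audit helper that parses the smb-enum-shares output shown earlier and reports every share readable without credentials, separating default shares from non-default ones such as backup. The DEFAULT_SHARES set and the function names are assumptions made for this example.

```python
import re

# Assumption for this example: shares expected on a stock Windows domain controller.
DEFAULT_SHARES = {"IPC$", "ADMIN$", "C$", "NETLOGON", "SYSVOL", "PRINT$"}

# Constructed sample, trimmed from the smb-enum-shares output in these notes.
SAMPLE = r"""
| smb-enum-shares: 
|   account_used: <blank>
|   \\dead:beef::b885:d62a:d679:573f\IPC$: 
|     type: STYPE_IPC_HIDDEN
|     comment: Remote IPC
|     anonymous access: READ
|   \\dead:beef::b885:d62a:d679:573f\NETLOGON: 
|     type: STYPE_DISKTREE
|     comment: Logon server share 
|     anonymous access: <none>
|   \\dead:beef::b885:d62a:d679:573f\backup: 
|     type: STYPE_DISKTREE
|     comment: 
|_    anonymous access: READ
"""

# The host part may contain colons (IPv6), so the share name is taken after the last backslash.
SHARE_RE = re.compile(r"^\|[_ ]\s+\\\\(?P<host>.+)\\(?P<share>[^\\]+):\s*$")
FIELD_RE = re.compile(r"^\|[_ ]\s+(?P<key>[a-z_ ]+):\s*(?P<val>.*?)\s*$", re.I)

def parse_shares(text):
    """Return {share_name: {field: value}} from smb-enum-shares script output."""
    shares, current = {}, None
    for line in text.splitlines():
        m = SHARE_RE.match(line)
        if m:
            current = shares.setdefault(m.group("share"), {})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:  # fields before the first share are skipped
            current[m.group("key").strip().lower()] = m.group("val")
    return shares

def anonymous_findings(shares):
    """List (share, access, is_default) for each share with anonymous access."""
    return [(name, f["anonymous access"], name.upper() in DEFAULT_SHARES)
            for name, f in shares.items()
            if f.get("anonymous access", "<none>") != "<none>"]

if __name__ == "__main__":
    for name, access, is_default in anonymous_findings(parse_shares(SAMPLE)):
        print(f"[{'info' if is_default else 'REVIEW'}] {name}: anonymous {access}")
```

Anonymous READ on IPC$ is reported as informational, while the same access on a non-default disk share is marked for review.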

//apt.htb.local/backup


┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ smbclient //apt.htb.local/backup 
password for [workgroup\kali]:
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   d        0  thu sep 24 09:30:52 2020
  ..                                  d        0  thu sep 24 09:30:52 2020
  backup.zip                          a 10650961  thu sep 24 09:30:32 2020
 
		5114623 blocks of size 4096. 2631639 blocks available

There is a single archive file, backup.zip, within the //apt.htb.local/backup share

smb: \> get backup.zip 
getting file \backup.zip of size 10650961 as backup.zip (2447.4 KiloBytes/sec) (average 2447.4 KiloBytes/sec)

Downloading the archive to Kali for further analysis