SMB
Nmap discovered a Windows Directory (microsoft-ds) service on the target's port 445
┌──(kali㉿kali)-[~/archive/htb/labs/atom]
└─$ nmap --script smb-enum-shares -sV -p445 $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-09 03:44 CET
Nmap scan report for 10.10.10.237
Host is up (0.025s latency).
PORT    STATE SERVICE      VERSION
445/tcp open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: ATOM; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.10.10.237\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.10.237\C$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.10.237\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: <none>
|     Current user access: READ/WRITE
|   \\10.10.10.237\Software_Updates:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: <none>
|_    Current user access: READ/WRITE
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.20 seconds
While the additional Nmap scan did not fully map the permissions of the SMB shares, it enumerated them using the guest account, which shows that the target SMB server allows anonymous access
Null Session
┌──(kali㉿kali)-[~/archive/htb/labs/atom]
└─$ crackmapexec smb $IP -u ' ' -p ' ' --shares
SMB 10.10.10.237 445 ATOM [*] Windows 10 Pro 19042 x64 (name:ATOM) (domain:ATOM) (signing:False) (SMBv1:True)
SMB 10.10.10.237 445 ATOM [+] ATOM\ :
SMB 10.10.10.237 445 ATOM [+] Enumerated shares
SMB 10.10.10.237 445 ATOM Share Permissions Remark
SMB 10.10.10.237 445 ATOM ----- ----------- ------
SMB 10.10.10.237 445 ATOM ADMIN$ Remote Admin
SMB 10.10.10.237 445 ATOM C$ Default share
SMB 10.10.10.237 445 ATOM IPC$ Remote IPC
SMB 10.10.10.237 445 ATOM Software_Updates READ,WRITE
The Software_Updates share is the only non-default SMB share, and it grants both read and write access to anonymous users
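The share listing above is the kind of output a defender should be auditing for on their own hosts: any share that a guest or null session can read, and especially write, is a finding. The following script is an added example (not part of the original write-up) that parses the text output of `nmap --script smb-enum-shares` and flags shares reachable without credentials, ranking anonymous write on a non-administrative share highest. The sample output embedded in the script is constructed to mirror the scan result shown above; the set of "default" share names is an assumption covering only the built-in administrative shares.

```python
"""Audit helper: parse `nmap --script smb-enum-shares` text output and flag
shares that expose anonymous/guest access.  Added example, not code from the
original write-up; the sample output below is constructed to mirror the scan
result the write-up shows."""
import re

# Constructed sample output, trimmed to the host-script section of the scan.
SAMPLE_NMAP_OUTPUT = r"""
Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\10.10.10.237\ADMIN$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Remote Admin
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.10.237\C$:
|     Type: STYPE_DISKTREE_HIDDEN
|     Comment: Default share
|     Anonymous access: <none>
|     Current user access: <none>
|   \\10.10.10.237\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: Remote IPC
|     Anonymous access: <none>
|     Current user access: READ/WRITE
|   \\10.10.10.237\Software_Updates:
|     Type: STYPE_DISKTREE
|     Comment:
|     Anonymous access: <none>
|     Current user access: READ/WRITE
|_
"""

# Assumption: administrative shares Windows creates itself; everything else is "custom".
DEFAULT_SHARES = {"ADMIN$", "C$", "IPC$"}

# "|   \\host\SHARE:"  -> start of a share block
SHARE_RE = re.compile(r"^\|\s+\\\\[^\\]+\\([^:]+):\s*$")
# "|     Key words: value" -> a field inside the current block (also account_used)
FIELD_RE = re.compile(r"^\|_?\s+([A-Za-z_ ]+?):\s*(.*)$")


def parse_smb_enum_shares(text):
    """Return {'account_used': str, 'shares': {name: {field: value}}}.
    Field names are lower-cased so callers can look them up consistently."""
    result = {"account_used": None, "shares": {}}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SHARE_RE.match(line)
        if m:
            current = m.group(1)
            result["shares"][current] = {}
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        if key == "account_used":
            result["account_used"] = value
        elif current is not None:
            result["shares"][current][key] = value
    return result


def risky_shares(parsed):
    """Return (share, access, severity) for every share the unauthenticated
    session could reach.  IPC$ over a null session is common and rated info;
    anonymous write on a disk share is rated high because unauthenticated
    clients can alter whatever the share holds."""
    findings = []
    for name, fields in parsed["shares"].items():
        access = fields.get("current user access", "<none>")
        anon = fields.get("anonymous access", "<none>")
        granted = {a for a in (access, anon) if a != "<none>"}
        if not granted:
            continue
        if "IPC" in fields.get("type", ""):
            severity = "info"
        elif "WRITE" in access or "WRITE" in anon:
            severity = "high"
        else:
            severity = "medium"
        findings.append((name, "/".join(sorted(granted)), severity))
    return findings


def non_default_writable(parsed):
    """Names of custom (non-administrative) shares with anonymous write access."""
    return [name for name, _, sev in risky_shares(parsed)
            if sev == "high" and name not in DEFAULT_SHARES]


if __name__ == "__main__":
    parsed = parse_smb_enum_shares(SAMPLE_NMAP_OUTPUT)
    print("account used:", parsed["account_used"])
    for share, access, sev in risky_shares(parsed):
        print(f"{sev:>6}  {share:<20} {access}")
    print("custom shares writable without credentials:", non_default_writable(parsed))
```

Run against a real scan, the script points at exactly the condition the write-up found: a custom share (Software_Updates) that a guest session can write to. Fixing it means removing Everyone/Guest from the share and NTFS ACLs, or disabling guest access to SMB entirely; the script only reports, it does not change anything on the target.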
Software_Updates
┌──(kali㉿kali)-[~/archive/htb/labs/atom]
└─$ smbclient //$IP/Software_Updates
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Jan  9 03:45:44 2024
  ..                                  D        0  Tue Jan  9 03:45:44 2024
  client1                             D        0  Tue Jan  9 03:43:59 2024
  client2                             D        0  Tue Jan  9 03:43:59 2024
  client3                             D        0  Tue Jan  9 03:43:59 2024
  UAT_Testing_Procedures.pdf          A    35202  Fri Apr  9 13:18:08 2021

		4413951 blocks of size 4096. 1364665 blocks available
There are 3 sub-directories as well as a PDF file
┌──(kali㉿kali)-[~/…/htb/labs/atom/smb]
└─$ smbget --recursive smb://$IP/Software_Updates/
Password for [WORKGROUP\kali]:
Using domain: WORKGROUP, user: kali
smb://10.10.10.237/Software_Updates//UAT_Testing_Procedures.pdf
Downloaded 34.38kB in 4 seconds
I will download them all to Kali
┌──(kali㉿kali)-[~/…/htb/labs/atom/smb]
└─$ tree -a -f .
.
├── ./client1
├── ./client2
├── ./client3
└── ./UAT_Testing_Procedures.pdf
4 directories, 1 file
Interestingly, those 3 sub-directories are empty, so the PDF file is the only content worth examining
UAT_Testing_Procedures.pdf
The UAT_Testing_Procedures.pdf file is internal QA documentation for Heed, a note-taking application built with “electron-builder” that currently appears to be in development. It notes the application's limited scope: it is a “one-tier” thick-client app with no server interaction. Lastly, the PDF goes over the QA procedure:
1. Build and install the application to make sure it works as we expect it to be.
2. Make sure that the update server running is in a private hardened instance. To initiate the QA process, just place the updates in one of the “client” folders, and the appropriate QA team will test it to ensure it finds an update and installs it correctly.
3. Follow the checklist to see if all given features are working as expected by the developer.
Based on the assessment above, it is assumed that
- the Heed application is an Electron application
- the 3 “client” directories found in the Software_Updates share form a QA pipeline for “electron-builder”; they are meant to hold “updates”
- the update check is likely run periodically by a scheduled task
- while the update backend, “electron-builder”, cannot be enumerated at the moment, it may be the entry point if a vulnerable version is handling the updates
- further investigation is required
Metadata
┌──(kali㉿kali)-[~/…/htb/labs/atom/smb]
└─$ exiftool UAT_Testing_Procedures.pdf
ExifTool Version Number         : 12.67
File Name                       : UAT_Testing_Procedures.pdf
Directory                       : .
File Size                       : 35 kB
File Modification Date/Time     : 2024:01:09 03:49:45+01:00
File Access Date/Time           : 2024:01:09 03:49:45+01:00
File Inode Change Date/Time     : 2024:01:09 03:49:45+01:00
File Permissions                : -rwxr-xr-x
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
Linearized                      : No
Page Count                      : 2
Profile CMM Type                : Linotronic
Profile Version                 : 2.1.0
Profile Class                   : Display Device Profile
Color Space Data                : RGB
Profile Connection Space        : XYZ
Profile Date Time               : 1998:02:09 06:49:00
Profile File Signature          : acsp
Primary Platform                : Microsoft Corporation
CMM Flags                       : Not Embedded, Independent
Device Manufacturer             : Hewlett-Packard
Device Model                    : sRGB
Device Attributes               : Reflective, Glossy, Positive, Color
Rendering Intent                : Perceptual
Connection Space Illuminant     : 0.9642 1 0.82491
Profile Creator                 : Hewlett-Packard
Profile ID                      : 0
Profile Copyright               : Copyright (c) 1998 Hewlett-Packard Company
Profile Description             : sRGB IEC61966-2.1
Media White Point               : 0.95045 1 1.08905
Media Black Point               : 0 0 0
Red Matrix Column               : 0.43607 0.22249 0.01392
Green Matrix Column             : 0.38515 0.71687 0.09708
Blue Matrix Column              : 0.14307 0.06061 0.7141
Device Mfg Desc                 : IEC http://www.iec.ch
Device Model Desc               : IEC 61966-2.1 Default RGB colour space - sRGB
Viewing Cond Desc               : Reference Viewing Condition in IEC61966-2.1
Viewing Cond Illuminant         : 19.6445 20.3718 16.8089
Viewing Cond Surround           : 3.92889 4.07439 3.36179
Viewing Cond Illuminant Type    : D50
Luminance                       : 76.03647 80 87.12462
Measurement Observer            : CIE 1931
Measurement Backing             : 0 0 0
Measurement Geometry            : Unknown
Measurement Flare               : 0.999%
Measurement Illuminant          : D65
Technology                      : Cathode Ray Tube Display
Red Tone Reproduction Curve     : (Binary data 2060 bytes, use -b option to extract)
Green Tone Reproduction Curve   : (Binary data 2060 bytes, use -b option to extract)
Blue Tone Reproduction Curve    : (Binary data 2060 bytes, use -b option to extract)
PDF Version                     : 1.4
Tagged PDF                      : Yes
Title                           : UAT_Testing_Procedures
Producer                        : macOS Version 10.15.7 (Build 19H2) Quartz PDFContext
Creator                         : Pages
Create Date                     : 2021:04:09 11:15:18Z
Modify Date                     : 2021:04:09 11:15:18Z
Nothing noteworthy in the metadata