SMB
Nmap discovered a Windows Directory service on the target port 139 and 445
Null Session
┌──(kali㉿kali)-[~/archive/htb/labs/blue]
└─$ nmap --script smb-enum-shares -sV -p139,445 $IP
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-05 15:14 CEST
Nmap scan report for 10.10.10.40
Host is up (0.094s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.10.40\ADMIN$:
| Type: STYPE_DISKTREE_HIDDEN
| Comment: Remote Admin
| Anonymous access: <none>
| Current user access: <none>
| \\10.10.10.40\C$:
| Type: STYPE_DISKTREE_HIDDEN
| Comment: Default share
| Anonymous access: <none>
| Current user access: <none>
| \\10.10.10.40\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: Remote IPC
| Anonymous access: READ
| Current user access: READ/WRITE
| \\10.10.10.40\Share:
| Type: STYPE_DISKTREE
| Comment:
| Anonymous access: <none>
| Current user access: READ
| \\10.10.10.40\Users:
| Type: STYPE_DISKTREE
| Comment:
| Anonymous access: <none>
|_ Current user access: READ
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.14 secondsAttempting to map the SMB shares fails due to lack of privileges
Users
┌──(kali㉿kali)-[~/archive/htb/labs/blue]
└─$ smbclient //$IP/Users
password for [workgroup\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. dr 0 fri jul 21 08:56:23 2017
.. dr 0 fri jul 21 08:56:23 2017
default dhr 0 tue jul 14 09:07:31 2009
desktop.ini ahs 174 tue jul 14 06:54:24 2009
public dr 0 tue apr 12 09:51:29 2011
4692735 blocks of size 4096. 657932 blocks availablewhile i have read access to the //$ip/users share, it seems to be mapped to the c:\Users directory
The strange thing is that there isn’t any home directory and that suggests that the target system has never been logged in
Share
┌──(kali㉿kali)-[~/archive/htb/labs/blue]
└─$ smbclient //$IP/Share
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Jul 14 15:48:44 2017
.. D 0 Fri Jul 14 15:48:44 2017
4692735 blocks of size 4096. 657932 blocks availableThe //$IP/Share share is empty
Vulnerability
┌──(kali㉿kali)-[~/archive/htb/labs/blue]
└─$ nmap --script smb-vuln-* -p139,445 $IP
starting nmap 7.93 ( https://nmap.org ) at 2023-04-05 15:36 CEST
Nmap scan report for 10.10.10.40
Host is up (0.095s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
host script results:
| smb-vuln-ms17-010:
| vulnerable:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| state: VULNERABLE
| ids: CVE:CVE-2017-0143
| risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| disclosure date: 2017-03-14
| references:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
|_smb-vuln-ms10-054: false
nmap done: 1 IP address (1 host up) scanned in 14.32 secondschecking for vulnerability by performing an additional nmap scan reveals that the target smb server is vulnerable to remote code execution from [[blue_cve-2017-0143#cve-2017-0143|CVE-2017-0143]], also known as MS17-010
Moving on to Exploitation phase