SMB
Nmap discovered SMB on the target: the NetBIOS session service on port 139 and microsoft-ds (SMB directly over TCP) on port 445
┌──(kali㉿kali)-[~/archive/htb/labs/escape]
└─$ nmap -Pn --script smb-enum-shares -sV -p139,445 $IP
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-12 17:31 CEST
Nmap scan report for sequel.htb (10.10.11.202)
Host is up (0.096s latency).
PORT    STATE SERVICE      VERSION
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.58 seconds
The smb-enum-shares script returned nothing, which suggests that anonymous share enumeration through the script was rejected. Whether a manual null session is still accepted is checked next.
Null Session
┌──(kali㉿kali)-[~/archive/htb/labs/escape]
└─$ smbclient -L //dc.sequel.htb/
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Public Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to dc.sequel.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
ADMIN$, C$ and IPC$ are the standard administrative shares, and NETLOGON and SYSVOL are present because the host is a domain controller, so there is a single non-default share: Public
┌──(kali㉿kali)-[~/archive/htb/labs/escape]
└─$ smbclient //dc.sequel.htb/Public
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Nov 19 12:51:25 2022
.. D 0 Sat Nov 19 12:51:25 2022
SQL Server Procedures.pdf A 49551 Fri Nov 18 14:39:43 2022
5184255 blocks of size 4096. 1476233 blocks available
smb: \> get "SQL Server Procedures.pdf"
getting file \SQL Server Procedures.pdf of size 49551 as SQL Server Procedures.pdf (100.6 KiloBytes/sec) (average 100.6 KiloBytes/sec)
Within the //dc.sequel.htb/Public share there is a single PDF, SQL Server Procedures.pdf, which the null session can read as well; I also downloaded the file.
┌──(kali㉿kali)-[~/…/htb/labs/escape/smb]
└─$ file SQL\ Server\ Procedures.pdf
SQL Server Procedures.pdf: PDF document, version 1.4, 2 pages
┌──(kali㉿kali)-[~/…/htb/labs/escape/smb]
└─$ exiftool SQL\ Server\ Procedures.pdf
ExifTool Version Number         : 12.63
File Name                       : SQL Server Procedures.pdf
Directory                       : .
File Size                       : 50 kB
File Modification Date/Time     : 2023:08:12 18:01:16+02:00
File Access Date/Time           : 2023:08:12 18:02:07+02:00
File Inode Change Date/Time     : 2023:08:12 18:01:43+02:00
File Permissions                : -rw-r--r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.4
Linearized                      : No
Page Count                      : 2
Creator                         : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) obsidian/0.15.6 Chrome/100.0.4896.160 Electron/18.3.5 Safari/537.36
Producer                        : Skia/PDF m100
Create Date                     : 2022:11:18 13:39:43+00:00
Modify Date                     : 2022:11:18 13:39:43+00:00
Some basic file enumeration before reviewing the content:
- It is a PDF document, version 1.4, two pages, created and last modified on 2022-11-18 at 13:39:43 UTC. Allowing for the client's timezone, that is the same timestamp smbclient displayed for the file on the share, so the copy on Public has not been touched since it was generated.
- The Creator attribute holds what looks like an HTTP User-Agent string. User-Agent strings identify the client in HTTP requests and do not normally appear in PDF metadata, but Chromium-based applications write their own User-Agent into the Creator field when they print a page to PDF, so the value is a fingerprint of the exporting software rather than a custom value someone set by hand.
- The string contains the tokens obsidian/0.15.6, Chrome/100.0.4896.160 and Electron/18.3.5. Obsidian is an Electron-based note-taking application, so the document was exported from Obsidian 0.15.6 through the print-to-PDF feature of its bundled Chromium 100.
- The Producer attribute is Skia/PDF m100. Skia is the 2D graphics library Chromium uses for rendering, and the m100 suffix is the Chromium milestone; it agrees with the Chrome/100 token in the Creator string, so the two fields corroborate each other.
Taken together, the metadata shows that the PDF was printed from an Electron application (Obsidian) rather than authored in an office suite or a dedicated PDF tool, which fits an internal note that was exported for sharing on the Public share.
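The reasoning above can be automated. The script below is an added example and is not part of the original writeup: it extracts the Info dictionary from raw PDF bytes (including the nested parentheses that a User-Agent string puts inside a PDF literal string) and fingerprints the generator from the Creator and Producer values. The sample PDF is constructed inline so it runs offline; only its metadata strings are copied from the exiftool output, the rest is a minimal skeleton and not the real file.

```python
"""Pull the Info dictionary out of a PDF and fingerprint the exporting
software from /Creator and /Producer. Added example, not the writeup's
own tooling. SAMPLE_PDF is constructed: a one-page skeleton carrying the
metadata strings seen on the Public share, not the real document."""
import re
from typing import Dict, Optional, Tuple

SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Creator (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) obsidian/0.15.6 Chrome/100.0.4896.160 Electron/18.3.5 Safari/537.36)
/Producer (Skia/PDF m100)
/CreationDate (D:20221118133943+00'00')
/ModDate (D:20221118133943+00'00') >> endobj
trailer << /Root 1 0 R /Info 4 0 R >>
%%EOF
"""

_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"(": b"(", b")": b")", b"\\": b"\\"}
_KEY = re.compile(rb"/([A-Za-z0-9]+)\s*")


def _read_literal(data: bytes, start: int) -> Tuple[str, int]:
    """Read a PDF literal string beginning at data[start] == b'('.
    Balanced nested parentheses are legal inside the string (the User-Agent
    above contains two such pairs), so track depth instead of stopping at
    the first ')'. Returns (decoded string, index just past the closing paren)."""
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":                       # backslash escape: translate the next byte
            i += 1
            out += _ESCAPES.get(data[i:i + 1], data[i:i + 1])
        elif c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                return out.decode("latin-1"), i + 1
            out += c
        else:
            out += c
        i += 1
    raise ValueError("unterminated PDF literal string")


def info_dict(pdf: bytes) -> Dict[str, str]:
    """Locate the /Info object referenced from the trailer and return its
    string-valued entries. Non-string values (names, numbers) are skipped."""
    ref = re.search(rb"/Info\s+(\d+)\s+(\d+)\s+R", pdf)
    if ref is None:
        return {}
    header = re.search(rb"(?<!\d)" + ref.group(1) + rb"\s+" + ref.group(2) + rb"\s+obj", pdf)
    if header is None:
        return {}
    i = pdf.index(b"<<", header.end()) + 2
    info: Dict[str, str] = {}
    while i < len(pdf) and not pdf.startswith(b">>", i):
        km = _KEY.match(pdf, i)
        if km is None:
            i += 1
            continue
        key, i = km.group(1).decode("ascii"), km.end()
        if pdf[i:i + 1] == b"(":
            info[key], i = _read_literal(pdf, i)
    return info


def fingerprint(info: Dict[str, str]) -> Dict[str, Optional[object]]:
    """Derive the exporting software from Creator/Producer. Chromium-based apps
    put their User-Agent in Creator and 'Skia/PDF m<milestone>' in Producer;
    an Electron app inserts its own product token right before 'Chrome/'."""
    creator, producer = info.get("Creator", ""), info.get("Producer", "")
    out: Dict[str, Optional[object]] = {
        "ua_creator": creator.startswith("Mozilla/"),
        "application": None, "electron": None, "chrome": None,
        "chromium_milestone": None, "milestones_agree": None,
    }
    if m := re.search(r"Chrome/(\d+)", creator):
        out["chrome"] = int(m.group(1))
    if m := re.search(r"Electron/([\d.]+)", creator):
        out["electron"] = m.group(1)
    if m := re.search(r"like Gecko\)\s+([A-Za-z][\w.-]*)/([\d.]+)\s+Chrome/", creator):
        out["application"] = f"{m.group(1)} {m.group(2)}"
    if m := re.search(r"Skia/PDF m(\d+)", producer):
        out["chromium_milestone"] = int(m.group(1))
    if out["chrome"] is not None and out["chromium_milestone"] is not None:
        # The two fields are written independently; a mismatch hints at edited metadata.
        out["milestones_agree"] = out["chrome"] == out["chromium_milestone"]
    return out


if __name__ == "__main__":
    meta = info_dict(SAMPLE_PDF)
    for k, v in meta.items():
        print(f"{k:<14}: {v}")
    print(fingerprint(meta))
```

Against a real file, read it with open(path, "rb") and pass the bytes to info_dict; PDFs with an object-stream or incremental updates may carry several trailers, in which case the last /Info reference in the file is the live one, so extend the search accordingly before trusting the result.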
By reading the content of the PDF, I can establish a few things:
- The organization has a breach history involving its SQL instances, likely caused by a user, Ryan, who put a mock instance on the DC host.
- A new database policy for access control and testing on a dedicated "mock" DC was set by a user, Tom; the mock instance is scheduled to be removed as soon as Tom comes back from vacation.
- Domain-joined machines are advised to download SQL Server Management Studio (SSMS) to reach the database, while non-domain-joined machines are advised to use the cmdkey command to store the credential before connecting.
- brandon.brown@sequel.htb is the contact address of the user Brandon, who is presumably an administrator. This reveals the firstname.lastname naming convention the organization uses for accounts.
- publicuser:GuestUserCantWrite1 is the credential given to new employees, together with the instruction to switch from "Windows Authentication" to "SQL Server Authentication". That makes it a login for the SQL instance itself, NOT a system or domain credential.
With the information provided above, I will first validate the credential and move forward from there.