s.moon Session


Checking the SMB server with the TGT of the s.moon user

┌──(kali㉿kali)-[~/archive/htb/labs/flight]
└─$ KRB5CCNAME=s.moon@g0.flight.htb.ccache crackmapexec smb g0.flight.htb -k --use-kcache --kdcHost g0.flight.htb --shares
smb         g0.flight.htb   445    g0               [*] windows 10.0 build 17763 x64 (name:G0) (domain:flight.htb) (signing:True) (SMBv1:False)
SMB         g0.flight.htb   445    G0               [+] flight.htb\ from ccache 
SMB         g0.flight.htb   445    G0               [+] Enumerated shares
SMB         g0.flight.htb   445    G0               Share           Permissions     Remark
SMB         g0.flight.htb   445    G0               -----           -----------     ------
SMB         g0.flight.htb   445    G0               ADMIN$                          Remote Admin
SMB         g0.flight.htb   445    G0               C$                              Default share
SMB         g0.flight.htb   445    G0               IPC$            READ            Remote IPC
SMB         g0.flight.htb   445    G0               NETLOGON        READ            Logon server share 
SMB         g0.flight.htb   445    G0               Shared          READ,WRITE      
SMB         g0.flight.htb   445    G0               SYSVOL          READ            Logon server share 
SMB         g0.flight.htb   445    G0               Users           READ            
SMB         g0.flight.htb   445    G0               Web             READ                 

Although those 3 SMB shares have already been enumerated, there is one difference here: the s.moon user has write access to the Shared share.

\\g0.flight.htb\Shared


┌──(kali㉿kali)-[~/archive/htb/labs/flight]
└─$ KRB5CCNAME=s.moon@g0.flight.htb.ccache impacket-smbclient flight.htb/@g0.flight.htb -no-pass -k -target-ip $IP -dc-ip $IP 
Impacket v0.11.0 - Copyright 2023 Fortra
 
Type help for list of commands
# use Shared
# ls
drw-rw-rw-          0  Mon Dec 11 23:52:52 2023 .
drw-rw-rw-          0  Mon Dec 11 23:52:52 2023 ..

As expected, the \\g0.flight.htb\Shared share is empty.

┌──(kali㉿kali)-[~/archive/htb/labs/flight]
└─$ echo blahblah > test.txt                                                                               
# put test.txt
[-] SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)

However, attempting to place a test file into the share fails. This is rather unexpected, as the crackmapexec result above reported that the current user, s.moon, does have write access to the share.

Observation


# mkdir tmp
# ls
drw-rw-rw-          0  tue dec 12 00:00:30 2023 .
drw-rw-rw-          0  tue dec 12 00:00:30 2023 ..
drw-rw-rw-          0  tue dec 12 00:00:30 2023 tmp
 
# ls
drw-rw-rw-          0  tue dec 12 00:11:35 2023 .
drw-rw-rw-          0  tue dec 12 00:11:35 2023 ..

I can create a directory within the share. Additionally, the whole share seems to get wiped periodically.

# put test.ini
# put test.xml
# ls
drw-rw-rw-          0  tue dec 12 00:22:26 2023 .
drw-rw-rw-          0  tue dec 12 00:22:26 2023 ..
-rw-rw-rw-          0  tue dec 12 00:22:26 2023 test.ini
-rw-rw-rw-          0  tue dec 12 00:22:39 2023 test.xml

After some more trial and error, I found that write access is restricted by file extension: I was able to place test files with the .ini and .xml extensions.

Given that the share is actively interacted with (wiped) periodically, the NTLM theft technique might be worth looking into.
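From the defender's side, the risk in a writable share that some scheduled process touches is a dropped .ini or .xml file that points that process at a host outside the domain. As an added example (not from the original writeup), this Python scanner reads the files in a copy of the share and flags any UNC reference to an untrusted host; the trusted suffix, the allowed NetBIOS name and the sample file contents are assumptions.

```python
import re
from pathlib import Path

# A UNC path: two backslashes, a host name, a backslash, then the rest of the path.
UNC_RE = re.compile(r'\\\\([A-Za-z0-9._-]+)\\[^\s"\'<>]*')

# Assumption: hosts inside the domain suffix, plus the DC's bare NetBIOS name, are legitimate.
TRUSTED_SUFFIXES = (".flight.htb",)
TRUSTED_HOSTS = {"g0"}


def unc_hosts(text: str) -> set[str]:
    """Return the distinct (lower-cased) hosts named by UNC paths in the text."""
    return {m.group(1).lower() for m in UNC_RE.finditer(text)}


def is_untrusted(host: str) -> bool:
    """A referenced host is untrusted unless it is in the domain or explicitly allowed."""
    return host not in TRUSTED_HOSTS and not host.endswith(TRUSTED_SUFFIXES)


def scan_share(files: dict[str, str]) -> list[tuple[str, str]]:
    """files maps file name -> contents as found in the share.
    Returns (file name, host) pairs for every UNC reference to an untrusted host."""
    findings = []
    for name, text in files.items():
        for host in sorted(unc_hosts(text)):
            if is_untrusted(host):
                findings.append((name, host))
    return findings


def scan_directory(root: str) -> list[tuple[str, str]]:
    """Read every regular file under a mounted copy of the share and scan it."""
    files = {str(p.relative_to(root)): p.read_text(errors="ignore")
             for p in Path(root).rglob("*") if p.is_file()}
    return scan_share(files)


# Constructed sample contents: one benign in-domain reference, one outside the domain.
SAMPLE_FILES = {
    "policy.xml": '<Config><Source path="\\\\g0.flight.htb\\NETLOGON\\script.bat"/></Config>',
    "settings.ini": "[App]\nLogPath=\\\\203.0.113.10\\logs\\app.log\n",
    "notes.txt": "No network paths here.",
}

if __name__ == "__main__":
    for name, host in scan_share(SAMPLE_FILES):
        print(f"[!] {name}: references untrusted host {host}")
```

Run it against a mounted copy of the share with scan_directory("/mnt/shared") (path assumed) from the same scheduled job that cleans the share, so a lure is logged before it is deleted.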