SMB


Nmap discovered an SMB server on target ports 139 and 445. The service is Samba smbd 4.7.6, and the hostname is FRIENDZONE based on the NetBIOS enumeration.

The hostname has been appended to the /etc/hosts file on Kali for local DNS resolution.

Running an additional Nmap scan for enumeration

┌──(kali㉿kali)-[~/archive/htb/labs/friendzone]
└─$ nmap -Pn --script smb-enum-* -sV -p445 $IP
starting nmap 7.93 ( https://nmap.org ) at 2023-01-26 02:35 CET
Nmap scan report for 10.10.10.123
Host is up (0.028s latency).
 
PORT    STATE SERVICE     VERSION
445/tcp open  netbios-ssn samba smbd 3.x - 4.x (workgroup: WORKGROUP)
service info: Host: FRIENDZONE
 
host script results:
| smb-enum-sessions: 
|_  <nobody>
| smb-enum-domains: 
|   Builtin
|     groups: n/a
|     users: n/a
|     creation time: unknown
|     passwords: min length: 5; min age: n/a days; max age: n/a days; history: n/a passwords
|     Account lockout disabled
|   FRIENDZONE
|     groups: n/a
|     users: n/a
|     creation time: unknown
|     passwords: min length: 5; min age: n/a days; max age: n/a days; history: n/a passwords
|_    Account lockout disabled
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.10.123\development: 
|     type: STYPE_DISKTREE
|     comment: FriendZone Samba Server Files
|     users: 0
|     max users: <unlimited>
|     path: C:\etc\Development
|     anonymous access: READ/WRITE
|     current user access: READ/WRITE
|   \\10.10.10.123\files: 
|     type: STYPE_DISKTREE
|     comment: FriendZone Samba Server Files /etc/Files
|     users: 0
|     max users: <unlimited>
|     path: C:\etc\hole
|     anonymous access: <none>
|     current user access: <none>
|   \\10.10.10.123\ipc$: 
|     type: STYPE_IPC_HIDDEN
|     comment: IPC Service (FriendZone server (Samba, Ubuntu))
|     users: 2
|     max users: <unlimited>
|     path: C:\tmp
|     anonymous access: READ/WRITE
|     current user access: READ/WRITE
|   \\10.10.10.123\general: 
|     type: STYPE_DISKTREE
|     comment: FriendZone Samba Server Files
|     users: 0
|     max users: <unlimited>
|     path: C:\etc\general
|     anonymous access: READ/WRITE
|     current user access: READ/WRITE
|   \\10.10.10.123\print$: 
|     type: STYPE_DISKTREE
|     comment: Printer Drivers
|     users: 0
|     max users: <unlimited>
|     path: C:\var\lib\samba\printers
|     anonymous access: <none>
|_    current user access: <none>
 
service detection performed. please report any incorrect results at https://nmap.org/submit/ .
nmap done: 1 IP address (1 host up) scanned in 306.60 seconds

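Nmap's smb-enum-shares NSE script is particularly useful because it reports the server-side absolute path of each enumerated SMB share. The paths are printed in Windows notation, so C:\etc\Development here corresponds to /etc/Development on the Samba host.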
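To triage this kind of output during an audit, the following added example (not part of the original write-up) parses smb-enum-shares results, converts the Windows-style paths to the Unix paths they stand for, and lists disk shares a guest session can write to. The function names are hypothetical and the sample is a trimmed copy of the scan output above.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: trimmed copy of the smb-enum-shares output shown above.
SAMPLE = r"""
| smb-enum-shares:
|   account_used: guest
|   \\10.10.10.123\development:
|     type: STYPE_DISKTREE
|     path: C:\etc\Development
|     anonymous access: READ/WRITE
|   \\10.10.10.123\files:
|     type: STYPE_DISKTREE
|     path: C:\etc\hole
|     anonymous access: <none>
|   \\10.10.10.123\ipc$:
|     type: STYPE_IPC_HIDDEN
|     path: C:\tmp
|     anonymous access: READ/WRITE
|   \\10.10.10.123\general:
|     type: STYPE_DISKTREE
|     path: C:\etc\general
|_    anonymous access: READ/WRITE
"""

SHARE_RE = re.compile(r"^\|_?\s+\\\\[^\\]+\\(?P<name>[^:]+):\s*$")
FIELD_RE = re.compile(r"^\|_?\s+(?P<key>[A-Za-z_ ]+?):\s*(?P<val>.*?)\s*$")

def to_posix(win_path):
    """Nmap prints Samba paths Windows-style; drop the drive to get the Unix path."""
    return "/" + "/".join(PureWindowsPath(win_path).parts[1:])

def parse_shares(text):
    """Return {share_name: {field: value}} from smb-enum-shares output."""
    shares, cur = {}, None
    for line in text.splitlines():
        m = SHARE_RE.match(line)
        if m:
            cur = shares.setdefault(m["name"], {})
        elif cur is not None and (m := FIELD_RE.match(line)):
            cur[m["key"].lower()] = m["val"]
    return shares

def anonymous_writable(shares):
    """Disk shares (not IPC) that a guest session can write to."""
    return [(name, to_posix(f.get("path", ""))) for name, f in shares.items()
            if "DISKTREE" in f.get("type", "")
            and "WRITE" in f.get("anonymous access", "").upper()]

if __name__ == "__main__":
    for name, path in anonymous_writable(parse_shares(SAMPLE)):
        print(f"anonymous write: {name} -> {path}")
```

Nmap and smbmap disagree on the general share in this write-up (READ/WRITE versus READ ONLY), so treat the flagged list as something to confirm with a second tool before reporting it.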

Null Session


┌──(kali㉿kali)-[~/archive/htb/labs/friendzone]
└─$ smbmap -H $IP -u ' ' -p ' '                              
[+] Guest session   	IP: 10.10.10.123:445	Name: 10.10.10.123                                      
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	print$                                            	NO ACCESS	Printer Drivers
	Files                                             	NO ACCESS	FriendZone Samba Server Files /etc/Files
	general                                           	READ ONLY	FriendZone Samba Server Files
	Development                                       	READ, WRITE	FriendZone Samba Server Files
	IPC$                                              	NO ACCESS	IPC Service (FriendZone server (Samba, Ubuntu))

It would appear that anonymous login is allowed to the SMB server, and I have read access to the general share and both read and write access to the Development share.

//FRIENDZONE/general


According to the earlier Nmap scan above, this SMB share is mapped to the /etc/general directory of the target system

┌──(kali㉿kali)-[~/archive/htb/labs/friendzone]
└─$ smbclient //FRIENDZONE/general                     
password for [workgroup\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   d        0  wed jan 16 21:10:51 2019
  ..                                  d        0  tue sep 13 16:56:24 2022
  creds.txt                           n       57  wed oct 10 01:52:42 2018
 
		3545824 blocks of size 1024. 1651332 blocks available
 
smb: \> get creds.txt 
getting file \creds.txt of size 57 as creds.txt (0.5 KiloBytes/sec) (average 0.5 KiloBytes/sec)

There is a file inside the \\FRIENDZONE\general share. It appears to contain a list of credentials. I downloaded the file.

┌──(kali㉿kali)-[~/…/htb/labs/friendzone/smb]
└─$ cat creds.txt    
creds for the admin thing:
 
admin:WORKWORKHhallelujah@#

It is a credential: admin:WORKWORKHhallelujah@#. I tried validating the credential against available services such as FTP, SMB, and SSH; none of them worked. I suspect that this is likely a web credential.

//FRIENDZONE/Development


According to the earlier Nmap scan above, this SMB share is mapped to the /etc/Development directory of the target system

┌──(kali㉿kali)-[~/archive/htb/labs/friendzone]
└─$ smbclient //FRIENDZONE/Development
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Jan 26 02:44:36 2023
  ..                                  D        0  Tue Sep 13 16:56:24 2022
 
		3545824 blocks of size 1024. 1651332 blocks available

The \\FRIENDZONE\Development share is empty