SMB
Nmap discovered a Windows Directory service running on the target port 139 and 445
Null Session
┌──(kali㉿kali)-[~/archive/htb/labs/fuse]
└─$ smbclient -L //FABRICORP.LOCAL/
Password for [WORKGROUP\kali]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to FABRICORP.LOCAL failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup availableIt would seem that the SMB server allows anonymous login, but lack of privileges results not being able to list out shares, let alone connecting to them
┌──(kali㉿kali)-[~/archive/htb/labs/fuse]
└─$ enum4linux -a -r -o -n -A -U $IP
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Feb 2 14:51:57 2023
[...REDACTED...]
================================( Getting domain SID for 10.10.10.193 )================================
Domain Name: FABRICORP
Domain Sid: S-1-5-21-2633719317-1471316042-3957863514
[+] Host is part of a domain (not a workgroup)
[...REDACTED...]I was at least get the SID of the domain with enum4linux
Nothing else to do without a valid credential
bnielson/bhult/tlabel Session
Using valid domain credentials from multiple sources, I am now able to authenticate to the SMB server and enumerate it
┌──(kali㉿kali)-[~/archive/htb/labs/fuse]
└─$ smbmap -H fuse.fabricorp.local -d FABRICORP.LOCAL -u bhult -p Qwer1235
[+] ip: fuse.fabricorp.local:445 Name: unknown
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
HP-MFT01 NO ACCESS HP-MFT01
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
print$ READ ONLY Printer Drivers
SYSVOL READ ONLY Logon server share There are 4 SMB shares that are read-only accessible and those are just default shares from either AD or SMB service
It shows that I have authenticated to the SMB server as the bhult user, but the result is the same for the rest of users; bnielson and tlabel
┌──(kali㉿kali)-[~/archive/htb/labs/fuse]
└─$ smbmap -H fuse.fabricorp.local -d FABRICORP.LOCAL -u bnielson -p Qwer1234 -R
[+] ip: fuse.fabricorp.local:445 Name: unknown
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
HP-MFT01 NO ACCESS HP-MFT01
IPC$ READ ONLY Remote IPC
.\IPC$\*
fr--r--r-- 3 mon jan 1 00:09:21 1601 InitShutdown
fr--r--r-- 5 mon jan 1 00:09:21 1601 lsass
fr--r--r-- 3 mon jan 1 00:09:21 1601 ntsvcs
fr--r--r-- 3 mon jan 1 00:09:21 1601 scerpc
fr--r--r-- 1 mon jan 1 00:09:21 1601 Winsock2\CatalogChangeListener-364-0
fr--r--r-- 3 mon jan 1 00:09:21 1601 epmapper
fr--r--r-- 1 mon jan 1 00:09:21 1601 Winsock2\CatalogChangeListener-1e0-0
fr--r--r-- 3 mon jan 1 00:09:21 1601 LSM_API_service
fr--r--r-- 3 mon jan 1 00:09:21 1601 eventlog
fr--r--r-- 1 mon jan 1 00:09:21 1601 Winsock2\CatalogChangeListener-3c0-0
fr--r--r-- 4 mon jan 1 00:09:21 1601 wkssvc
fr--r--r-- 3 mon jan 1 00:09:21 1601 atsvc
fr--r--r-- 1 mon jan 1 00:09:21 1601 Winsock2\CatalogChangeListener-114-0
fr--r--r-- 1 mon jan 1 00:09:21 1601 Winsock2\CatalogChangeListener-26c-0
fr--r--r-- 1 mon jan 1 00:09:21 1601 Winsock2\CatalogChangeListener-26c-1
fr--r--r-- 3 mon jan 1 00:09:21 1601 RpcProxy\49675
fr--r--r-- 3 mon jan 1 00:09:21 1601 a744b74e88b37665
fr--r--r-- 3 mon jan 1 00:09:21 1601 RpcProxy\593
fr--r--r-- 4 mon jan 1 00:09:21 1601 srvsvc
fr--r--r-- 4 mon jan 1 00:09:21 1601 spoolss
fr--r--r-- 1 mon jan 1 00:09:21 1601 Winsock2\CatalogChangeListener-56c-0
fr--r--r-- 3 mon jan 1 00:09:21 1601 efsrpc
fr--r--r-- 3 mon jan 1 00:09:21 1601 netdfs
fr--r--r-- 1 mon jan 1 00:09:21 1601 vgauth-service
fr--r--r-- 1 mon jan 1 00:09:21 1601 Winsock2\CatalogChangeListener-264-0
fr--r--r-- 3 mon jan 1 00:09:21 1601 W32TIME_ALT
fr--r--r-- 1 mon jan 1 00:09:21 1601 Winsock2\CatalogChangeListener-868-0
fr--r--r-- 1 mon jan 1 00:09:21 1601 Winsock2\CatalogChangeListener-80c-0
fr--r--r-- 1 mon jan 1 00:09:21 1601 HPUPDMon
NETLOGON READ ONLY Logon server share
.\NETLOGON\*
dr--r--r-- 0 sat may 30 01:29:21 2020 .
dr--r--r-- 0 sat may 30 01:29:21 2020 ..
print$ READ ONLY Printer Drivers
.\print$\*
dr--r--r-- 0 sat may 30 02:12:41 2020 .
dr--r--r-- 0 sat may 30 02:12:41 2020 ..
dr--r--r-- 0 wed may 27 08:34:48 2020 color
dr--r--r-- 0 sat may 30 02:12:41 2020 IA64
dr--r--r-- 0 mon jun 1 11:03:44 2020 W32X86
dr--r--r-- 0 mon jun 1 11:03:46 2020 x64
.\print$\color\*
dr--r--r-- 0 wed may 27 08:34:48 2020 .
dr--r--r-- 0 wed may 27 08:34:48 2020 ..
fr--r--r-- 1058 wed may 27 08:34:31 2020 D50.camp
fr--r--r-- 1079 wed may 27 08:34:31 2020 D65.camp
fr--r--r-- 797 wed may 27 08:34:31 2020 Graphics.gmmp
fr--r--r-- 838 wed may 27 08:34:31 2020 MediaSim.gmmp
fr--r--r-- 786 wed may 27 08:34:31 2020 Photo.gmmp
fr--r--r-- 822 wed may 27 08:34:31 2020 Proofing.gmmp
fr--r--r-- 218103 wed may 27 08:34:31 2020 RSWOP.icm
fr--r--r-- 3144 wed may 27 08:34:31 2020 sRGB Color Space Profile.icm
fr--r--r-- 17155 wed may 27 08:34:31 2020 wscRGB.cdmp
fr--r--r-- 1578 wed may 27 08:34:31 2020 wsRGB.cdmp
.\print$\W32X86\*
dr--r--r-- 0 mon jun 1 11:03:46 2020 .
dr--r--r-- 0 mon jun 1 11:03:46 2020 ..
dr--r--r-- 0 mon jun 1 11:03:46 2020 3
dr--r--r-- 0 mon jun 1 11:03:46 2020 PCC
dr--r--r-- 0 sat may 30 02:12:42 2020 {BB95B51E-0165-449F-A3A9-41764F5FD934}
.\print$\W32X86\3\*
dr--r--r-- 0 mon jun 1 11:03:46 2020 .
dr--r--r-- 0 mon jun 1 11:03:46 2020 ..
fr--r--r-- 1048576 mon jun 1 11:03:46 2020 mxdwdrv.dll
fr--r--r-- 2808320 mon jun 1 11:03:46 2020 PrintConfig.dll
fr--r--r-- 53 sat may 30 02:12:42 2020 unishare-pipelineconfig.xml
fr--r--r-- 3360 sat may 30 02:12:42 2020 unishare.gpd
.\print$\W32X86\PCC\*
dr--r--r-- 0 mon jun 1 11:03:46 2020 .
dr--r--r-- 0 mon jun 1 11:03:46 2020 ..
fr--r--r-- 3685458 mon jun 1 11:03:46 2020 ntprint.inf_x86_dcef07064d319714.cab
fr--r--r-- 1069728 mon jun 1 11:03:44 2020 prnms003.inf_x86_613ce7e3b2821cb8.cab
.\print$\W32X86\{BB95B51E-0165-449F-A3A9-41764F5FD934}\*
dr--r--r-- 0 sat may 30 02:12:42 2020 .
dr--r--r-- 0 sat may 30 02:12:42 2020 ..
fr--r--r-- 2717184 thu jun 11 04:15:26 2020 PrintConfig.dll
.\print$\x64\*
dr--r--r-- 0 mon jun 1 11:03:46 2020 .
dr--r--r-- 0 mon jun 1 11:03:46 2020 ..
dr--r--r-- 0 mon jun 1 11:03:47 2020 3
dr--r--r-- 0 mon jun 1 11:03:47 2020 PCC
dr--r--r-- 0 mon jun 1 11:03:48 2020 {A93D2C7C-3D97-464A-8A68-C4378572B2A8}
dr--r--r-- 0 sat may 30 02:12:42 2020 {AFE7B823-9022-4115-8EF7-E23779245CB9}
.\print$\x64\3\*
dr--r--r-- 0 mon jun 1 11:03:48 2020 .
dr--r--r-- 0 mon jun 1 11:03:48 2020 ..
fr--r--r-- 32904 sat may 30 02:34:19 2020 cioum.dll
fr--r--r-- 524288 sat may 30 02:34:19 2020 cioum64.msi
dr--r--r-- 0 wed may 27 08:34:48 2020 en-US
fr--r--r-- 61064 sat may 30 02:34:19 2020 FxCompChannel_x64.dll
fr--r--r-- 4841504 sat may 30 02:34:19 2020 hpbcfgre.dll
fr--r--r-- 899208 sat may 30 02:34:19 2020 hpbdrvjct1004.dll
fr--r--r-- 1443872 sat may 30 02:34:19 2020 hpbuio64.dll
fr--r--r-- 958488 sat may 30 02:34:19 2020 hpbuiodm64.dll
fr--r--r-- 13133 sat may 30 02:34:19 2020 hpc6m240.gpd
fr--r--r-- 2366088 sat may 30 02:34:19 2020 hpc6r240.dll
fr--r--r-- 573576 sat may 30 02:34:19 2020 hpcc6240.dll
fr--r--r-- 1771144 sat may 30 02:34:19 2020 hpcdmc64.dll
fr--r--r-- 881800 sat may 30 02:34:19 2020 hpcev240.dll
fr--r--r-- 3785528 sat may 30 02:34:19 2020 hpchl240.cab
fr--r--r-- 2023560 sat may 30 02:34:19 2020 hpcls240.dll
fr--r--r-- 785032 sat may 30 02:34:19 2020 hpcpe240.dll
fr--r--r-- 542856 sat may 30 02:34:19 2020 hpcpn240.dll
fr--r--r-- 804488 sat may 30 02:34:19 2020 hpcpp240.dll
fr--r--r-- 365190 sat may 30 02:34:19 2020 hpcpu240.cfg
fr--r--r-- 188040 sat may 30 02:34:19 2020 hpcsat20.dll
fr--r--r-- 9273 sat may 30 02:34:19 2020 hpcsc240.dtd
fr--r--r-- 131029 sat may 30 02:34:19 2020 hpcsm240.gpd
fr--r--r-- 1033352 sat may 30 02:34:19 2020 hpcss240.dll
fr--r--r-- 6978184 sat may 30 02:34:19 2020 hpcst240.dll
fr--r--r-- 1339 sat may 30 02:34:19 2020 hpcu240.dem
fr--r--r-- 524332 sat may 30 02:25:45 2020 hpcu2406.BUD
fr--r--r-- 679869 sat may 30 02:34:19 2020 hpcu2406.gpd
fr--r--r-- 244 sat may 30 02:34:19 2020 hpcu2406.hpx
fr--r--r-- 288300 sat may 30 02:34:19 2020 hpcu2406.xml
fr--r--r-- 65563 sat may 30 02:34:19 2020 hpcu2406dm.xml
fr--r--r-- 8161 sat may 30 02:34:19 2020 hpcu2406SPS.xml
fr--r--r-- 624 sat may 30 02:34:19 2020 hpcu240u.ini
fr--r--r-- 5508744 sat may 30 02:34:19 2020 hpcui240.dll
fr--r--r-- 3884680 sat may 30 02:34:19 2020 hpcur240.dll
fr--r--r-- 313992 sat may 30 02:34:19 2020 hpfie240.dll
fr--r--r-- 146568 sat may 30 02:34:19 2020 hpfxcomw.dll
fr--r--r-- 1049736 sat may 30 02:34:19 2020 hpmdp240.dll
fr--r--r-- 229512 sat may 30 02:34:19 2020 hpmpm082.dll
fr--r--r-- 127624 sat may 30 02:34:19 2020 hpmpw082.dll
fr--r--r-- 1267848 sat may 30 02:34:19 2020 hpmsl240.dll
fr--r--r-- 920200 sat may 30 02:34:19 2020 hpmur240.dll
fr--r--r-- 2061448 sat may 30 02:34:19 2020 hpmux240.dll
fr--r--r-- 195208 sat may 30 02:34:19 2020 hppdcompio.dll
fr--r--r-- 160392 sat may 30 02:34:19 2020 HPSecurePrint64.dll
fr--r--r-- 523400 sat may 30 02:34:19 2020 hpspw240.dll
fr--r--r-- 187016 sat may 30 02:34:19 2020 hpsysobj.dll
fr--r--r-- 14088 sat may 30 02:12:43 2020 LOCALE.GPD
fr--r--r-- 73 sat may 30 02:12:43 2020 MSXPSINC.GPD
fr--r--r-- 72 sat may 30 02:12:43 2020 MSXPSINC.PPD
dr--r--r-- 0 wed may 27 08:34:48 2020 mui
fr--r--r-- 901120 mon jun 1 11:03:43 2020 MXDWDRV.DLL
fr--r--r-- 25489 sat may 30 02:12:43 2020 P6DISP.GPD
fr--r--r-- 3293 sat may 30 02:12:43 2020 P6FONT.GPD
fr--r--r-- 289792 sat may 30 02:12:43 2020 PCL4RES.DLL
fr--r--r-- 1035264 sat may 30 02:12:43 2020 PCL5ERES.DLL
fr--r--r-- 1034752 sat may 30 02:12:43 2020 PCL5URES.DLL
fr--r--r-- 211592 sat may 30 02:34:19 2020 pclxl.DLL
fr--r--r-- 10375 sat may 30 02:34:19 2020 pclxl.gpd
fr--r--r-- 1156 sat may 30 02:34:19 2020 pjl.gpd
fr--r--r-- 23040 mon jun 1 11:03:43 2020 PJLMON.DLL
fr--r--r-- 3476992 mon jun 1 11:03:47 2020 PrintConfig.dll
fr--r--r-- 1118720 mon jun 1 11:03:43 2020 PS5UI.DLL
fr--r--r-- 26038 sat may 30 02:12:43 2020 PSCRIPT.HLP
fr--r--r-- 1062732 sat may 30 02:12:43 2020 PSCRIPT.NTF
fr--r--r-- 644608 mon jun 1 11:03:43 2020 PSCRIPT5.DLL
fr--r--r-- 1293180 sat may 30 02:12:43 2020 PSCRPTFE.NTF
fr--r--r-- 5561 sat may 30 02:12:43 2020 PS_SCHM.GDL
fr--r--r-- 23812 sat may 30 02:34:19 2020 stddtype.gdl
fr--r--r-- 14362 sat may 30 02:34:19 2020 stdnames.gpd
fr--r--r-- 59116 sat may 30 02:34:19 2020 stdschem.gdl
fr--r--r-- 2278 sat may 30 02:34:19 2020 stdschmx.gdl
fr--r--r-- 698 sat may 30 02:12:43 2020 TTFSUB.GPD
fr--r--r-- 526984 sat may 30 02:34:19 2020 unidrv.dll
fr--r--r-- 21225 sat may 30 02:34:19 2020 unidrv.hlp
fr--r--r-- 1160840 sat may 30 02:34:19 2020 unidrvui.dll
fr--r--r-- 862344 sat may 30 02:34:19 2020 unires.dll
fr--r--r-- 53 sat may 30 02:12:41 2020 unishare-pipelineconfig.xml
fr--r--r-- 3360 sat may 30 02:12:41 2020 unishare.gpd
.\print$\x64\3\en-US\*
dr--r--r-- 0 wed may 27 08:34:48 2020 .
dr--r--r-- 0 wed may 27 08:34:48 2020 ..
fr--r--r-- 7168 wed may 27 08:34:31 2020 PCL4RES.DLL.mui
fr--r--r-- 18944 wed may 27 08:34:31 2020 PCL5ERES.DLL.mui
fr--r--r-- 18944 wed may 27 08:34:31 2020 PCL5URES.DLL.mui
fr--r--r-- 2560 wed may 27 08:34:31 2020 PCLXL.DLL.mui
fr--r--r-- 26624 wed may 27 08:34:31 2020 PrintConfig.dll.mui
fr--r--r-- 15872 wed may 27 08:34:31 2020 PS5UI.DLL.mui
fr--r--r-- 4608 wed may 27 08:34:31 2020 PSCRIPT5.DLL.mui
fr--r--r-- 12800 wed may 27 08:34:31 2020 UNIDRVUI.DLL.mui
fr--r--r-- 9216 wed may 27 08:34:31 2020 UNIRES.DLL.mui
.\print$\x64\3\mui\*
dr--r--r-- 0 wed may 27 08:34:48 2020 .
dr--r--r-- 0 wed may 27 08:34:48 2020 ..
dr--r--r-- 0 wed may 27 08:34:48 2020 0409
.\print$\x64\3\mui\0409\*
dr--r--r-- 0 wed may 27 08:34:48 2020 .
dr--r--r-- 0 wed may 27 08:34:48 2020 ..
fr--r--r-- 26038 wed may 27 08:34:28 2020 PSCRIPT.HLP
fr--r--r-- 21225 wed may 27 08:34:28 2020 UNIDRV.HLP
.\print$\x64\PCC\*
dr--r--r-- 0 mon jun 1 11:03:47 2020 .
dr--r--r-- 0 mon jun 1 11:03:47 2020 ..
fr--r--r-- 20293530 sat may 30 02:25:54 2020 hpcu240u.inf_amd64_ddac10eb3da45aeb.cab
fr--r--r-- 3834388 mon jun 1 11:03:47 2020 ntprint.inf_amd64_dcef07064d319714.cab
fr--r--r-- 11670 sat may 30 02:12:44 2020 prnms001.inf_amd64_10bd6dee10a7dfd0.cab
fr--r--r-- 1275526 mon jun 1 11:03:47 2020 prnms003.inf_amd64_9f9e8613fb51c32e.cab
fr--r--r-- 12022 sat may 30 02:12:43 2020 prnms009.inf_amd64_bd3f6a64dee1535d.cab
.\print$\x64\{A93D2C7C-3D97-464A-8A68-C4378572B2A8}\*
dr--r--r-- 0 mon jun 1 11:03:48 2020 .
dr--r--r-- 0 mon jun 1 11:03:48 2020 ..
fr--r--r-- 3476992 fri oct 9 17:13:17 2020 PrintConfig.dll
.\print$\x64\{AFE7B823-9022-4115-8EF7-E23779245CB9}\*
dr--r--r-- 0 sat may 30 02:12:42 2020 .
dr--r--r-- 0 sat may 30 02:12:42 2020 ..
fr--r--r-- 3318784 thu jun 11 02:26:24 2020 PrintConfig.dll
SYSVOL READ ONLY Logon server share
.\SYSVOL\*
dr--r--r-- 0 sat may 30 01:29:21 2020 .
dr--r--r-- 0 sat may 30 01:29:21 2020 ..
dr--r--r-- 0 sat may 30 01:29:21 2020 fabricorp.local
.\SYSVOL\fabricorp.local\*
dr--r--r-- 0 sat may 30 01:35:39 2020 .
dr--r--r-- 0 sat may 30 01:35:39 2020 ..
dr--r--r-- 0 thu feb 2 17:32:01 2023 DfsrPrivate
dr--r--r-- 0 sat may 30 01:29:21 2020 Policies
dr--r--r-- 0 sat may 30 01:29:21 2020 scripts
.\SYSVOL\fabricorp.local\Policies\*
dr--r--r-- 0 sat may 30 01:29:21 2020 .
dr--r--r-- 0 sat may 30 01:29:21 2020 ..
dr--r--r-- 0 sat may 30 01:29:21 2020 {31B2F340-016D-11D2-945F-00C04FB984F9}
dr--r--r-- 0 sat may 30 01:29:21 2020 {6AC1786C-016F-11D2-945F-00C04fB984F9}
.\SYSVOL\fabricorp.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\*
dr--r--r-- 0 sat may 30 01:29:21 2020 .
dr--r--r-- 0 sat may 30 01:29:21 2020 ..
fr--r--r-- 22 sat may 30 01:29:21 2020 GPT.INI
dr--r--r-- 0 sat may 30 01:29:21 2020 MACHINE
dr--r--r-- 0 sat may 30 01:29:21 2020 USER
.\SYSVOL\fabricorp.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\*
dr--r--r-- 0 sat may 30 01:29:21 2020 .
dr--r--r-- 0 sat may 30 01:29:21 2020 ..
dr--r--r-- 0 sat may 30 01:29:21 2020 Microsoft
.\SYSVOL\fabricorp.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\*
dr--r--r-- 0 sat may 30 01:29:21 2020 .
dr--r--r-- 0 sat may 30 01:29:21 2020 ..
dr--r--r-- 0 sat may 30 01:29:21 2020 Windows NT
.\SYSVOL\fabricorp.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\*
dr--r--r-- 0 sat may 30 01:29:21 2020 .
dr--r--r-- 0 sat may 30 01:29:21 2020 ..
fr--r--r-- 22 sat may 30 01:47:55 2020 GPT.INI
dr--r--r-- 0 sat may 30 01:29:21 2020 MACHINE
dr--r--r-- 0 sat may 30 01:29:21 2020 USER
.\SYSVOL\fabricorp.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\*
dr--r--r-- 0 sat may 30 01:29:21 2020 .
dr--r--r-- 0 sat may 30 01:29:21 2020 ..
dr--r--r-- 0 sat may 30 01:29:21 2020 Microsoft
.\SYSVOL\fabricorp.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\*
dr--r--r-- 0 sat may 30 01:29:21 2020 .
dr--r--r-- 0 sat may 30 01:29:21 2020 ..
dr--r--r-- 0 sat may 30 01:29:21 2020 Windows NTWhile those AD default shares are that much of use, the HP-MFT01 share appears to be the printer itself, considering there is the print$ share with configuration files in it
This is much expected as it was initially revealed in the web server.
There was also spoolsv.exe running in the RPC endpoint