SMB
Nmap discovered a Samba service on ports 139 and 445.
Nmap's service probe reports it as Samba smbd 4.6.2, but that string disagrees with the share comment returned by the server itself (Samba 4.13.13-Debian, see below); the server-advertised build is the one to trust.
Null Session
┌──(kali㉿kali)-[~/archive/htb/labs/gofer]
└─$ smbmap -H $IP -u ' ' -p ' '
[+] Guest session IP: 10.10.11.225:445 Name: 10.10.11.225
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
shares READ ONLY
IPC$ NO ACCESS IPC Service (Samba 4.13.13-Debian)
Anonymous access is allowed, and there is one share with read access: shares
┌──(kali㉿kali)-[~/archive/htb/labs/gofer]
└─$ smbmap -H $IP -u ' ' -p ' ' -R shares
[+] Guest session IP: 10.10.11.225:445 Name: 10.10.11.225
Disk Permissions Comment
---- ----------- -------
shares READ ONLY
.\shares\*
dr--r--r-- 0 Fri Oct 28 21:32:08 2022 .
dr--r--r-- 0 Fri Apr 28 13:59:34 2023 ..
dr--r--r-- 0 Thu Apr 27 14:49:32 2023 .backup
.\shares\.backup\*
dr--r--r-- 0 Thu Apr 27 14:49:32 2023 .
dr--r--r-- 0 Fri Oct 28 21:32:08 2022 ..
fr--r--r-- 1101 Thu Apr 27 14:49:32 2023 mail
The shares SMB share contains a directory, .backup, which holds a single file: mail
┌──(kali㉿kali)-[~/…/htb/labs/gofer/smb]
└─$ smbget smb://$IP/shares -e -R
password for [kali] connecting to //10.10.11.225/shares:
Using workgroup WORKGROUP, user kali
Encryption required and setup failed with error NT_STATUS_INVALID_PARAMETER_MIX.
smb://10.10.11.225/shares/.backup/mail
Downloaded 1.08kB in 3 seconds
I will download the mail file to Kali. Note the -e flag: smbget asked for SMB transport encryption, the server rejected the combination (NT_STATUS_INVALID_PARAMETER_MIX), and the download still went ahead, so the transfer should not be assumed to have been encrypted.
┌──(kali㉿kali)-[~/…/labs/gofer/smb/.backup]
└─$ cat mail
from jdavis@gofer.htb fri oct 28 20:29:30 2022
return-path: <jdavis@gofer.htb>
x-original-to: tbuckley@gofer.htb
delivered-to: tbuckley@gofer.htb
received: from gofer.htb (localhost [127.0.0.1])
by gofer.htb (Postfix) with SMTP id C8F7461827
for <tbuckley@gofer.htb>; fri, 28 oct 2022 20:28:43 +0100 (BST)
subject:Important to read!
message-id: <20221028192857.C8F7461827@gofer.htb>
date: Fri, 28 Oct 2022 20:28:43 +0100 (BST)
from: jdavis@gofer.htb
Hello guys,
Our dear Jocelyn received another phishing attempt last week and his habit of clicking on links without paying much attention may be problematic one day. That's why from now on, I've decided that important documents will only be sent internally, by mail, which should greatly limit the risks. If possible, use an .odt format, as documents saved in Office Word are not always well interpreted by Libreoffice.
ps: Last thing for Tom; I know you're working on our web proxy but if you could restrict access, it will be more secure until you have finished it. It seems to me that it should be possible to do so via <Limit>
The mail notes a few points:
- Important documents are only sent internally because of a recent phishing attempt
- Documents should be saved in .odt format
- A web proxy is being worked on, and the suggestion is to restrict access to it via <Limit>. <Limit> here most likely refers to the Apache HTTP Server configuration block of that name. A caveat worth keeping in mind: a <Limit> block applies the access controls inside it only to the HTTP methods it names, so any method left out (HEAD, OPTIONS, POST and so on) stays unrestricted; <LimitExcept> is the inverse and the safer choice when the intent is to deny everything except a few methods
- Domain: gofer.htb
- Usernames: jdavis, tbuckley
- Names: Jocelyn and Tom
I will first update the /etc/hosts file on Kali to reflect the target.
enum4linux
┌──(kali㉿kali)-[~/…/labs/gofer/smb/.backup]
└─$ enum4linux -a -r -o -n -A -U $IP
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Jul 31 16:34:45 2023
=========================================( Target Information )=========================================
Target ........... 10.10.11.225
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
============================( Enumerating Workgroup/Domain on 10.10.11.225 )============================
[+] Got domain/workgroup name: WORKGROUP
================================( Nbtstat Information for 10.10.11.225 )================================
Looking up status of 10.10.11.225
GOFER <00> - B <ACTIVE> Workstation Service
GOFER <03> - B <ACTIVE> Messenger Service
GOFER <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
MAC Address = 00-00-00-00-00-00
===================================( Session Check on 10.10.11.225 )===================================
[+] Server 10.10.11.225 allows sessions using username '', password ''
================================( Getting domain SID for 10.10.11.225 )================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
===================================( OS information on 10.10.11.225 )===================================
[E] Can't get OS info with smbclient
[+] Got OS info for 10.10.11.225 from srvinfo:
GOFER Wk Sv PrQ Unx NT SNT Samba 4.13.13-Debian
platform_id : 500
os version : 6.1
server type : 0x809a03
=======================================( Users on 10.10.11.225 )=======================================
Use of uninitialized value $users in print at ./enum4linux.pl line 972.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 975.
Use of uninitialized value $users in print at ./enum4linux.pl line 986.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 988.
=================================( Share Enumeration on 10.10.11.225 )=================================
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
shares Disk
IPC$ IPC IPC Service (Samba 4.13.13-Debian)
Reconnecting with SMB1 for workgroup listing.
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 10.10.11.225
//10.10.11.225/print$ Mapping: DENIED Listing: N/A Writing: N/A
testing write access shares
//10.10.11.225/shares Mapping: OK Listing: OK Writing: DENIED
[E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//10.10.11.225/IPC$ Mapping: N/A Listing: N/A Writing: N/A
============================( Password Policy Information for 10.10.11.225 )============================
[+] Attaching to 10.10.11.225 using a NULL share
[+] Trying protocol 139/SMB...
[+] Found domain(s):
[+] GOFER
[+] Builtin
[+] Password Info for Domain: GOFER
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: 37 days 6 hours 21 minutes
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: 37 days 6 hours 21 minutes
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5
=======================================( Groups on 10.10.11.225 )=======================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
==================( Users on 10.10.11.225 via RID cycling (RIDS: 500-550,1000-1050) )==================
[I] Found new SID:
S-1-22-1
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[+] Enumerating users using SID S-1-5-21-510552225-995404492-4015181936 and logon username '', password ''
S-1-5-21-510552225-995404492-4015181936-501 GOFER\nobody (Local User)
S-1-5-21-510552225-995404492-4015181936-513 GOFER\None (Domain Group)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\jhudson (Local User)
S-1-22-1-1001 Unix User\jdavis (Local User)
S-1-22-1-1002 Unix User\tbuckley (Local User)
S-1-22-1-1003 Unix User\ablake (Local User)
===============================( Getting printer info for 10.10.11.225 )===============================
No printers returned.
enum4linux complete on Mon Jul 31 16:41:12 2023
enum4linux confirmed the two users seen in the mail and found two additional users via RID cycling of the S-1-22-1 (local Unix users) SID: jhudson and ablake. The password policy it pulled is also worth noting: minimum length 5, complexity disabled and no account lockout threshold, so password guessing against these accounts carries no lockout risk.
┌──(kali㉿kali)-[~/archive/htb/labs/gofer]
└─$ cat users
jhudson
jdavis
tbuckley
ablake
Those usernames have been saved to a file.
It is also worth noting that the target organization appears to follow a naming convention of first initial followed by surname (the mail addressed to tbuckley is aimed at "Tom"), which makes it possible to derive candidate usernames from any further names that turn up.
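To make the users file reproducible rather than typed by hand, the following added example (mine, not part of the original write-up) extracts the local Unix accounts from enum4linux's RID-cycling output and extends the list with candidates derived from the first-initial + surname convention. The "Unix User" lines are the ones printed above; the full names are hypothetical, since the mail only gives the first names Jocelyn and Tom.

```shell
#!/bin/sh
# Added example, not part of the original write-up: rebuild the users file
# from enum4linux RID-cycling output instead of copying names by hand, and
# extend it with candidates derived from the first-initial + surname
# convention the mail hints at.

# Constructed sample: the "Unix User" lines enum4linux printed above plus one
# BUILTIN line that must be ignored. Point this at the saved scan in practice.
SAMPLE_OUTPUT='S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-22-1-1000 Unix User\jhudson (Local User)
S-1-22-1-1001 Unix User\jdavis (Local User)
S-1-22-1-1002 Unix User\tbuckley (Local User)
S-1-22-1-1003 Unix User\ablake (Local User)'

# Hypothetical full names (the mail only gives "Jocelyn" and "Tom"; the
# surnames here are assumptions for illustration).
SAMPLE_NAMES='Tom Buckley
Jane Doe'

# Print one username per line for every S-1-22-1-<rid> entry. S-1-22-1 is the
# SID Samba uses for local Unix accounts, so only those rows are real logins;
# BUILTIN groups and the domain "nobody"/"None" rows are dropped.
extract_unix_users() {
    printf '%s\n' "$1" \
        | sed -n 's/^S-1-22-1-[0-9]* Unix User\\\([^ ]*\) (Local User)$/\1/p'
}

# Turn "First Last" lines on stdin into first-initial + surname, lower-cased.
first_initial_lastname() {
    while read -r first last; do
        [ -n "$first" ] && [ -n "$last" ] || continue
        initial=${first%"${first#?}"}      # first character, POSIX sh
        printf '%s%s\n' "$initial" "$last" | tr 'A-Z' 'a-z'
    done
}

# Union of confirmed accounts and convention-derived guesses, deduplicated.
build_userlist() {
    {
        extract_unix_users "$1"
        printf '%s\n' "$2" | first_initial_lastname
    } | sort -u
}

# Redirect to a file (e.g. > users) to feed the result into later tooling.
build_userlist "$SAMPLE_OUTPUT" "$SAMPLE_NAMES"
```

Only the S-1-22-1 rows are kept on purpose: the S-1-5-21 domain SID produced just nobody and the None group, and BUILTIN entries are groups, none of which are accounts a password guess could land on.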