SMB
Nmap discovered a Windows Directory service on target ports 139 and 445
┌──(kali㉿kali)-[~/archive/htb/labs/intelligence]
└─$ nmap --script smb-enum-shares -sV -p139,445 $IP
starting nmap 7.94 ( https://nmap.org ) at 2023-09-26 14:44 CEST
Nmap scan report for dc.intelligence.htb (10.10.10.248)
Host is up (0.19s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
service info: OS: Windows; CPE: cpe:/o:microsoft:windows
service detection performed. please report any incorrect results at https://nmap.org/submit/ .
nmap done: 1 IP address (1 host up) scanned in 27.08 seconds
Attempting to map the target’s SMB shares failed due to a lack of privileges.
Null Session
┌──(kali㉿kali)-[~/archive/htb/labs/intelligence]
└─$ smbclient -L //dc.intelligence.htb/
Password for [WORKGROUP\kali]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to dc.intelligence.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
While the target SMB server allows anonymous access, the lack of privileges doesn’t even allow listing shares. I would need a valid domain credential to move forward here.
RID Cycling
┌──(kali㉿kali)-[~/archive/htb/labs/intelligence]
└─$ impacket-lookupsid intelligence.htb/blahblah@dc.intelligence.htb 100000
Impacket v0.11.0 - Copyright 2023 Fortra
password:
[*] Brute forcing SIDs at dc.intelligence.htb
[*] stringbinding ncacn_np:dc.intelligence.htb[\pipe\lsarpc]
[-] smb sessionerror: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
Performing the RID cycling attack with an arbitrary credential against the target SMB service failed.
Tiffany.Molina session
Using the TGT of the tiffany.molina user, I am able to access the SMB server by authenticating to the target KDC
┌──(kali㉿kali)-[~/archive/htb/labs/intelligence]
└─$ KRB5CCNAME=tiffany.molina@dc.intelligence.htb.ccache impacket-smbclient intelligence.htb/tiffany.molina@dc.intelligence.htb -no-pass -k -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
Type help for list of commands
#
# shares
ADMIN$
C$
IPC$
IT
NETLOGON
SYSVOL
Users
While there are 7 SMB shares available, only 2 of them are non-default shares:
- //dc.intelligence.htb/Users likely mapped to the C:\Users directory
- //dc.intelligence.htb/IT likely has to do with the IT Support group
//dc.intelligence.htb/Users
# use Users
# ls
drw-rw-rw- 0 mon apr 19 03:20:26 2021 .
drw-rw-rw- 0 mon apr 19 03:20:26 2021 ..
drw-rw-rw- 0 mon apr 19 02:18:39 2021 Administrator
drw-rw-rw- 0 mon apr 19 05:16:30 2021 All Users
drw-rw-rw- 0 mon apr 19 04:17:40 2021 Default
drw-rw-rw- 0 mon apr 19 05:16:30 2021 Default User
-rw-rw-rw- 174 mon apr 19 05:15:17 2021 desktop.ini
drw-rw-rw- 0 mon apr 19 02:18:39 2021 Public
drw-rw-rw- 0 mon apr 19 03:20:26 2021 Ted.Graves
drw-rw-rw- 0 mon apr 19 02:51:46 2021 Tiffany.Molina
The //dc.intelligence.htb/Users share is indeed mapped to the C:\Users directory.
I can see the home directories of the tiffany.molina, ted.graves, and administrator users.
This indicates that those users have logged on to the system, as the system, by default, generated the home directories for them.
# tree .
//desktop.ini
/Default/AppData
/Default/Application Data
/Default/Cookies
/Default/Desktop
/Default/Documents
/Default/Downloads
/Default/Favorites
/Default/Links
/Default/Local Settings
/Default/Music
/Default/My Documents
/Default/NetHood
/Default/NTUSER.DAT
/Default/NTUSER.DAT.LOG1
/Default/NTUSER.DAT.LOG2
/Default/NTUSER.DAT{0d4799bb-b8b5-11e8-ac1a-e41d2d717380}.TM.blf
/Default/NTUSER.DAT{0d4799bb-b8b5-11e8-ac1a-e41d2d717380}.TMContainer00000000000000000001.regtrans-ms
/Default/NTUSER.DAT{0d4799bb-b8b5-11e8-ac1a-e41d2d717380}.TMContainer00000000000000000002.regtrans-ms
/Default/NTUSER.DAT{6392777f-a0b5-11eb-ae6e-000c2908ad93}.TM.blf
/Default/NTUSER.DAT{6392777f-a0b5-11eb-ae6e-000c2908ad93}.TMContainer00000000000000000001.regtrans-ms
/Default/NTUSER.DAT{6392777f-a0b5-11eb-ae6e-000c2908ad93}.TMContainer00000000000000000002.regtrans-ms
/Default/Pictures
/Default/Recent
/Default/Saved Games
/Default/SendTo
/Default/Start Menu
/Default/Templates
/Default/Videos
/Tiffany.Molina/AppData
/Tiffany.Molina/Application Data
/Tiffany.Molina/Cookies
/Tiffany.Molina/Desktop
/Tiffany.Molina/Documents
/Tiffany.Molina/Downloads
/Tiffany.Molina/Favorites
/Tiffany.Molina/Links
/Tiffany.Molina/Local Settings
/Tiffany.Molina/Music
/Tiffany.Molina/My Documents
/Tiffany.Molina/NetHood
/Tiffany.Molina/NTUSER.DAT
/Tiffany.Molina/ntuser.dat.LOG1
/Tiffany.Molina/ntuser.dat.LOG2
/Tiffany.Molina/NTUSER.DAT{6392777f-a0b5-11eb-ae6e-000c2908ad93}.TM.blf
/Tiffany.Molina/NTUSER.DAT{6392777f-a0b5-11eb-ae6e-000c2908ad93}.TMContainer00000000000000000001.regtrans-ms
/Tiffany.Molina/NTUSER.DAT{6392777f-a0b5-11eb-ae6e-000c2908ad93}.TMContainer00000000000000000002.regtrans-ms
/Tiffany.Molina/ntuser.ini
/Tiffany.Molina/Pictures
/Tiffany.Molina/Recent
/Tiffany.Molina/Saved Games
/Tiffany.Molina/SendTo
/Tiffany.Molina/Start Menu
/Tiffany.Molina/Templates
/Tiffany.Molina/Videos
/Default/AppData/Local
/Default/AppData/Roaming
/Default/Documents/My Music
/Default/Documents/My Pictures
/Default/Documents/My Videos
/Tiffany.Molina/AppData/Local
/Tiffany.Molina/AppData/LocalLow
/Tiffany.Molina/AppData/Roaming
/Tiffany.Molina/Desktop/user.txt
/Tiffany.Molina/Documents/My Music
/Tiffany.Molina/Documents/My Pictures
/Tiffany.Molina/Documents/My Videos
/Default/AppData/Local/Application Data
/Default/AppData/Local/History
/Default/AppData/Local/Microsoft
/Default/AppData/Local/Temp
/Default/AppData/Local/Temporary Internet Files
/Default/AppData/Roaming/Microsoft
/Tiffany.Molina/AppData/Local/Application Data
/Tiffany.Molina/AppData/Local/History
/Tiffany.Molina/AppData/Local/Microsoft
/Tiffany.Molina/AppData/Local/Temp
/Tiffany.Molina/AppData/Local/Temporary Internet Files
/Tiffany.Molina/AppData/Roaming/Microsoft
/Default/AppData/Local/Microsoft/Windows
/Default/AppData/Local/Microsoft/WindowsApps
/Default/AppData/Roaming/Microsoft/Internet Explorer
/Default/AppData/Roaming/Microsoft/Windows
/Tiffany.Molina/AppData/Local/Microsoft/Windows
/Tiffany.Molina/AppData/Local/Microsoft/WindowsApps
/Tiffany.Molina/AppData/Roaming/Microsoft/Internet Explorer
/Tiffany.Molina/AppData/Roaming/Microsoft/Windows
/Default/AppData/Local/Microsoft/Windows/GameExplorer
/Default/AppData/Local/Microsoft/Windows/History
/Default/AppData/Local/Microsoft/Windows/INetCache
/Default/AppData/Local/Microsoft/Windows/INetCookies
/Default/AppData/Local/Microsoft/Windows/Temporary Internet Files
/Default/AppData/Local/Microsoft/Windows/WinX
/Default/AppData/Roaming/Microsoft/Internet Explorer/Quick Launch
/Default/AppData/Roaming/Microsoft/Windows/Network Shortcuts
/Default/AppData/Roaming/Microsoft/Windows/Recent
/Default/AppData/Roaming/Microsoft/Windows/SendTo
/Default/AppData/Roaming/Microsoft/Windows/Start Menu
/Default/AppData/Roaming/Microsoft/Windows/Templates
/Tiffany.Molina/AppData/Local/Microsoft/Windows/GameExplorer
/Tiffany.Molina/AppData/Local/Microsoft/Windows/History
/Tiffany.Molina/AppData/Local/Microsoft/Windows/INetCache
/Tiffany.Molina/AppData/Local/Microsoft/Windows/INetCookies
/Tiffany.Molina/AppData/Local/Microsoft/Windows/Temporary Internet Files
/Tiffany.Molina/AppData/Local/Microsoft/Windows/UsrClass.dat
/Tiffany.Molina/AppData/Local/Microsoft/Windows/UsrClass.dat.LOG1
/Tiffany.Molina/AppData/Local/Microsoft/Windows/UsrClass.dat.LOG2
/Tiffany.Molina/AppData/Local/Microsoft/Windows/UsrClass.dat{21166fb4-a0a8-11eb-ae74-000c2908ad93}.TM.blf
/Tiffany.Molina/AppData/Local/Microsoft/Windows/UsrClass.dat{21166fb4-a0a8-11eb-ae74-000c2908ad93}.TMContainer00000000000000000001.regtrans-ms
/Tiffany.Molina/AppData/Local/Microsoft/Windows/UsrClass.dat{21166fb4-a0a8-11eb-ae74-000c2908ad93}.TMContainer00000000000000000002.regtrans-ms
/Tiffany.Molina/AppData/Local/Microsoft/Windows/WinX
/Tiffany.Molina/AppData/Roaming/Microsoft/Internet Explorer/Quick Launch
/Tiffany.Molina/AppData/Roaming/Microsoft/Windows/Network Shortcuts
/Tiffany.Molina/AppData/Roaming/Microsoft/Windows/Recent
/Tiffany.Molina/AppData/Roaming/Microsoft/Windows/SendTo
/Tiffany.Molina/AppData/Roaming/Microsoft/Windows/Start Menu
/Tiffany.Molina/AppData/Roaming/Microsoft/Windows/Templates
/Default/AppData/Local/Microsoft/Windows/WinX/Group1
/Default/AppData/Local/Microsoft/Windows/WinX/Group2
/Default/AppData/Local/Microsoft/Windows/WinX/Group3
/Default/AppData/Roaming/Microsoft/Internet Explorer/Quick Launch/desktop.ini
/Default/AppData/Roaming/Microsoft/Internet Explorer/Quick Launch/Shows Desktop.lnk
/Default/AppData/Roaming/Microsoft/Internet Explorer/Quick Launch/Window Switcher.lnk
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs
/Tiffany.Molina/AppData/Local/Microsoft/Windows/WinX/Group1
/Tiffany.Molina/AppData/Local/Microsoft/Windows/WinX/Group2
/Tiffany.Molina/AppData/Local/Microsoft/Windows/WinX/Group3
/Tiffany.Molina/AppData/Roaming/Microsoft/Internet Explorer/Quick Launch/desktop.ini
/Tiffany.Molina/AppData/Roaming/Microsoft/Internet Explorer/Quick Launch/Shows Desktop.lnk
/Tiffany.Molina/AppData/Roaming/Microsoft/Internet Explorer/Quick Launch/Window Switcher.lnk
/Tiffany.Molina/AppData/Roaming/Microsoft/Windows/Start Menu/Programs
/Default/AppData/Local/Microsoft/Windows/WinX/Group1/1 - Desktop.lnk
/Default/AppData/Local/Microsoft/Windows/WinX/Group1/desktop.ini
/Default/AppData/Local/Microsoft/Windows/WinX/Group2/1 - Run.lnk
/Default/AppData/Local/Microsoft/Windows/WinX/Group2/2 - Search.lnk
/Default/AppData/Local/Microsoft/Windows/WinX/Group2/3 - Windows Explorer.lnk
/Default/AppData/Local/Microsoft/Windows/WinX/Group2/4 - Control Panel.lnk
/Default/AppData/Local/Microsoft/Windows/WinX/Group2/5 - Task Manager.lnk
/Default/AppData/Local/Microsoft/Windows/WinX/Group2/desktop.ini
/Default/AppData/Local/Microsoft/Windows/WinX/Group3/01 - Command Prompt.lnk
/Default/AppData/Local/Microsoft/Windows/WinX/Group3/01a - Windows PowerShell.lnk
/Default/AppData/Local/Microsoft/Windows/WinX/Group3/02 - Command Prompt.lnk
/Default/AppData/Local/Microsoft/Windows/WinX/Group3/02a - Windows PowerShell.lnk
/Default/AppData/Local/Microsoft/Windows/WinX/Group3/03 - Computer Management.lnk
/Default/AppData/Local/Microsoft/Windows/WinX/Group3/04 - Disk Management.lnk
/Default/AppData/Local/Microsoft/Windows/WinX/Group3/04-1 - NetworkStatus.lnk
/Default/AppData/Local/Microsoft/Windows/WinX/Group3/05 - Device Manager.lnk
/Default/AppData/Local/Microsoft/Windows/WinX/Group3/06 - SystemAbout.lnk
/Default/AppData/Local/Microsoft/Windows/WinX/Group3/07 - Event Viewer.lnk
/Default/AppData/Local/Microsoft/Windows/WinX/Group3/08 - PowerAndSleep.lnk
/Default/AppData/Local/Microsoft/Windows/WinX/Group3/09 - Mobility Center.lnk
/Default/AppData/Local/Microsoft/Windows/WinX/Group3/10 - AppsAndFeatures.lnk
/Default/AppData/Local/Microsoft/Windows/WinX/Group3/desktop.ini
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/System Tools
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Windows PowerShell
/Tiffany.Molina/AppData/Local/Microsoft/Windows/WinX/Group1/1 - Desktop.lnk
/Tiffany.Molina/AppData/Local/Microsoft/Windows/WinX/Group1/desktop.ini
/Tiffany.Molina/AppData/Local/Microsoft/Windows/WinX/Group2/1 - Run.lnk
/Tiffany.Molina/AppData/Local/Microsoft/Windows/WinX/Group2/2 - Search.lnk
/Tiffany.Molina/AppData/Local/Microsoft/Windows/WinX/Group2/3 - Windows Explorer.lnk
/Tiffany.Molina/AppData/Local/Microsoft/Windows/WinX/Group2/4 - Control Panel.lnk
/Tiffany.Molina/AppData/Local/Microsoft/Windows/WinX/Group2/5 - Task Manager.lnk
/Tiffany.Molina/AppData/Local/Microsoft/Windows/WinX/Group2/desktop.ini
/Tiffany.Molina/AppData/Local/Microsoft/Windows/WinX/Group3/01 - Command Prompt.lnk
/Tiffany.Molina/AppData/Local/Microsoft/Windows/WinX/Group3/01a - Windows PowerShell.lnk
/Tiffany.Molina/AppData/Local/Microsoft/Windows/WinX/Group3/02 - Command Prompt.lnk
/Tiffany.Molina/AppData/Local/Microsoft/Windows/WinX/Group3/02a - Windows PowerShell.lnk
/Tiffany.Molina/AppData/Local/Microsoft/Windows/WinX/Group3/03 - Computer Management.lnk
/Tiffany.Molina/AppData/Local/Microsoft/Windows/WinX/Group3/04 - Disk Management.lnk
/Tiffany.Molina/AppData/Local/Microsoft/Windows/WinX/Group3/04-1 - NetworkStatus.lnk
/Tiffany.Molina/AppData/Local/Microsoft/Windows/WinX/Group3/05 - Device Manager.lnk
/Tiffany.Molina/AppData/Local/Microsoft/Windows/WinX/Group3/06 - SystemAbout.lnk
/Tiffany.Molina/AppData/Local/Microsoft/Windows/WinX/Group3/07 - Event Viewer.lnk
/Tiffany.Molina/AppData/Local/Microsoft/Windows/WinX/Group3/08 - PowerAndSleep.lnk
/Tiffany.Molina/AppData/Local/Microsoft/Windows/WinX/Group3/09 - Mobility Center.lnk
/Tiffany.Molina/AppData/Local/Microsoft/Windows/WinX/Group3/10 - AppsAndFeatures.lnk
/Tiffany.Molina/AppData/Local/Microsoft/Windows/WinX/Group3/desktop.ini
/Tiffany.Molina/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories
/Tiffany.Molina/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/System Tools
/Tiffany.Molina/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Windows PowerShell
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories/desktop.ini
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories/Notepad.lnk
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/System Tools/Command Prompt.lnk
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/System Tools/computer.lnk
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/System Tools/Control Panel.lnk
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/System Tools/desktop.ini
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/System Tools/File Explorer.lnk
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/System Tools/Run.lnk
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Windows PowerShell/Windows PowerShell (x86).lnk
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Windows PowerShell/Windows PowerShell.lnk
/Tiffany.Molina/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories/desktop.ini
/Tiffany.Molina/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories/Notepad.lnk
/Tiffany.Molina/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/System Tools/Command Prompt.lnk
/Tiffany.Molina/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/System Tools/computer.lnk
/Tiffany.Molina/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/System Tools/Control Panel.lnk
/Tiffany.Molina/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/System Tools/desktop.ini
/Tiffany.Molina/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/System Tools/File Explorer.lnk
/Tiffany.Molina/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/System Tools/Run.lnk
/Tiffany.Molina/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Windows PowerShell/Windows PowerShell (x86).lnk
/Tiffany.Molina/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Windows PowerShell/Windows PowerShell.lnk
Finished - 207 files and folders
While I am only able to access the home directory of the tiffany.molina user, there is not much in it.
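An added example (not part of the original write-up): one way to back up the "not much in it" conclusion is to diff the readable profile against the Default template profile in the same listing, which leaves only the entries that did not come from the template. The function names and the trimmed sample listing are assumptions, constructed from lines of the tree output above.

```python
from collections import defaultdict

# Constructed sample: a handful of lines taken from the `tree` output above.
SAMPLE_TREE = """\
//desktop.ini
/Default/AppData
/Default/Desktop
/Default/NTUSER.DAT
/Default/NTUSER.DAT.LOG1
/Default/AppData/Local
/Tiffany.Molina/AppData
/Tiffany.Molina/Desktop
/Tiffany.Molina/NTUSER.DAT
/Tiffany.Molina/ntuser.dat.LOG1
/Tiffany.Molina/ntuser.ini
/Tiffany.Molina/AppData/Local
/Tiffany.Molina/AppData/LocalLow
/Tiffany.Molina/Desktop/user.txt
/Tiffany.Molina/AppData/Local/Microsoft/Windows/UsrClass.dat
"""


def paths_by_profile(tree_text):
    """Group listing lines by top-level profile directory.

    Returns {profile: {casefolded relative path: original relative path}}.
    Names are case-folded for comparison because Windows file names are
    case-insensitive (NTUSER.DAT.LOG1 vs ntuser.dat.LOG1 in the listing).
    """
    profiles = defaultdict(dict)
    for line in tree_text.splitlines():
        parts = line.strip().strip("/").split("/", 1)
        if len(parts) == 2 and parts[1]:  # skip files sitting at the share root
            profiles[parts[0]][parts[1].casefold()] = parts[1]
    return profiles


def beyond_template(tree_text, profile, template="Default"):
    """Return entries of `profile` that have no counterpart in the template profile."""
    profiles = paths_by_profile(tree_text)
    extra = profiles[profile].keys() - profiles[template].keys()
    return sorted(profiles[profile][key] for key in extra)


if __name__ == "__main__":
    for path in beyond_template(SAMPLE_TREE, "Tiffany.Molina"):
        print(path)
```
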
//dc.intelligence.htb/IT
# use IT
# ls
drw-rw-rw- 0 Mon Apr 19 02:50:58 2021 .
drw-rw-rw- 0 Mon Apr 19 02:50:58 2021 ..
-rw-rw-rw- 1046 Mon Apr 19 02:50:58 2021 downdetector.ps1
# get downdetector.ps1
The //dc.intelligence.htb/IT share contains a PowerShell script: downdetector.ps1
I will download it to Kali for further review.