SMB
Nmap revealed the SMB service running on the target system
Anonymous SMB Session
┌──(kali㉿kali)-[~/archive/htb/labs/nest]
└─$ smbmap -H $IP -u ' ' -p ' '
[+] Guest session IP: 10.10.10.178:445 Name: 10.10.10.178
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
Data READ ONLY
IPC$ NO ACCESS Remote IPC
Secure$ NO ACCESS
Users READ ONLY
smbmap shows that anonymous login to the target SMB server is allowed.
There are a total of 6 shares, 3 of which are not part of the default installation: Data, Secure$ and Users.
The anonymous user can only read the Data and Users shares.
Anonymous Data SMB Share
┌──(kali㉿kali)-[~/archive/htb/labs/nest]
└─$ smbclient \\\\$IP\\Data
password for [workgroup\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. d 0 thu aug 8 00:53:46 2019
.. d 0 thu aug 8 00:53:46 2019
it d 0 thu aug 8 00:58:07 2019
production d 0 mon aug 5 23:53:38 2019
reports d 0 mon aug 5 23:53:44 2019
shared d 0 wed aug 7 21:07:51 2019
5242623 blocks of size 4096. 1840139 blocks available
smb: \> cd Shared
smb: \Shared\> ls
. d 0 wed aug 7 21:07:51 2019
.. d 0 wed aug 7 21:07:51 2019
maintenance d 0 wed aug 7 21:07:32 2019
templates d 0 wed aug 7 21:08:07 2019
5242623 blocks of size 4096. 1840267 blocks available
smb: \Shared\> cd Maintenance
smb: \Shared\Maintenance\> ls
. d 0 wed aug 7 21:07:32 2019
.. d 0 wed aug 7 21:07:32 2019
maintenance alerts.txt a 48 tue aug 6 01:01:44 2019
5242623 blocks of size 4096. 1840267 blocks available
smb: \Shared\Maintenance\> get "Maintenance Alerts.txt"
getting file \Shared\Maintenance\Maintenance Alerts.txt of size 48 as Maintenance Alerts.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \Shared\Maintenance\> cd ../Templates
smb: \Shared\Templates\> ls
. d 0 wed aug 7 21:08:07 2019
.. d 0 wed aug 7 21:08:07 2019
hr d 0 wed aug 7 21:08:01 2019
marketing d 0 wed aug 7 21:08:06 2019
5242623 blocks of size 4096. 1840267 blocks available
smb: \Shared\Templates\> cd HR
smb: \Shared\Templates\HR\> ls
. d 0 wed aug 7 21:08:01 2019
.. d 0 wed aug 7 21:08:01 2019
welcome email.txt a 425 thu aug 8 00:55:36 2019
5242623 blocks of size 4096. 1840267 blocks available
smb: \Shared\Templates\HR\> get "Welcome Email.txt"
getting file \Shared\Templates\HR\Welcome Email.txt of size 425 as Welcome Email.txt (3.6 KiloBytes/sec) (average 1.9 KiloBytes/sec)
I downloaded the 2 files that I was able to access:
\Shared\Maintenance\Maintenance Alerts.txt
\Shared\Templates\HR\Welcome Email.txt
The rest were either directories that I don’t have access to or empty directories
Anonymous Users SMB Share
┌──(kali㉿kali)-[~/archive/htb/labs/nest]
└─$ smbclient //$IP/Users
password for [workgroup\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. d 0 sun jan 26 00:04:21 2020
.. d 0 sun jan 26 00:04:21 2020
administrator d 0 fri aug 9 17:08:23 2019
c.smith d 0 sun jan 26 08:21:44 2020
l.frost d 0 thu aug 8 19:03:01 2019
r.thompson d 0 thu aug 8 19:02:50 2019
tempuser d 0 thu aug 8 00:55:56 2019
5242623 blocks of size 4096. 1840139 blocks available
The Users share appears to be the Windows users directory, c:\Users
I don’t have access to any of those user directories for now
Welcome Email.txt
┌──(kali㉿kali)-[~/archive/htb/labs/nest]
└─$ cat Maintenance\ Alerts.txt
There is currently no scheduled maintenance work
┌──(kali㉿kali)-[~/archive/htb/labs/nest]
└─$ cat Welcome\ Email.txt
We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME>
you will find your home folder in the following location:
\\HTB-NEST\Users\<USERNAME>
If you have any issues accessing specific services or workstations, please inform the
IT department and use the credentials below until all systems have been set up for you.
username: TempUser
password: welcome2019
Thank you
HR
Maintenance Alerts.txt appears to be just a note. It doesn’t reveal anything.
Welcome Email.txt appears to be a template for new users. It also contains a credential: tempuser:welcome2019
tempUser SMB session
┌──(kali㉿kali)-[~/archive/htb/labs/nest]
└─$ smbmap -H $IP -u tempUser -p welcome2019
[+] ip: 10.10.10.178:445 Name: HTB-NEST
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
Data READ ONLY
IPC$ NO ACCESS Remote IPC
Secure$ READ ONLY
Users READ ONLY
The tempUser is able to additionally access and read the Secure$ SMB share
tempUser Users SMB Share
┌──(kali㉿kali)-[~/archive/htb/labs/nest]
└─$ smbclient //HTB-NEST/Users -U tempuser%welcome2019
Try "help" to get a list of possible commands.
smb: \> cd TempUser
smb: \TempUser\> ls
. D 0 Thu Aug 8 00:55:56 2019
.. D 0 Thu Aug 8 00:55:56 2019
New Text Document.txt A 0 Thu Aug 8 00:55:56 2019
5242623 blocks of size 4096. 1840001 blocks available
The tempUser was able to access the TempUser directory on the Users share
The directory contained an empty
tempUser Secure$ SMB Share
┌──(kali㉿kali)-[~/archive/htb/labs/nest]
└─$ smbclient //HTB-NEST/Secure$ -U tempuser%welcome2019
Try "help" to get a list of possible commands.
smb: \> ls
. d 0 thu aug 8 01:08:12 2019
.. d 0 thu aug 8 01:08:12 2019
finance d 0 wed aug 7 21:40:13 2019
hr d 0 thu aug 8 01:08:11 2019
it d 0 thu aug 8 12:59:25 2019
5242623 blocks of size 4096. 1840001 blocks available
smb: \> dir Finance\
NT_STATUS_ACCESS_DENIED listing \Finance\
smb: \> dir HR\
NT_STATUS_ACCESS_DENIED listing \HR\
smb: \> dir IT\
NT_STATUS_ACCESS_DENIED listing \IT\*
The tempUser was able to access the Secure$ share, and indexing it reveals 3 sub-directories representing departments
But the tempUser user had no further access
tempUser Data SMB Share
┌──(kali㉿kali)-[~/archive/htb/labs/nest]
└─$ smbclient //HTB-NEST/Data -U tempuser%welcome2019
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Aug 8 00:53:46 2019
.. D 0 Thu Aug 8 00:53:46 2019
IT D 0 Thu Aug 8 00:58:07 2019
Production D 0 Mon Aug 5 23:53:38 2019
Reports D 0 Mon Aug 5 23:53:44 2019
Shared D 0 Wed Aug 7 21:07:51 2019
5242623 blocks of size 4096. 1840001 blocks available
smb: \IT\Installs\> cd Configs
smb: \IT\Configs\> ls
. D 0 Thu Aug 8 00:59:34 2019
.. D 0 Thu Aug 8 00:59:34 2019
Adobe D 0 Wed Aug 7 21:20:09 2019
Atlas D 0 Tue Aug 6 13:16:18 2019
DLink D 0 Tue Aug 6 15:25:27 2019
Microsoft D 0 Wed Aug 7 21:23:26 2019
NotepadPlusPlus D 0 Wed Aug 7 21:31:37 2019
RU Scanner D 0 Wed Aug 7 22:01:13 2019
Server Manager D 0 Tue Aug 6 15:25:19 2019
5242623 blocks of size 4096. 1839873 blocks available
smb: \IT\Configs\Adobe\> ls
. D 0 Wed Aug 7 21:20:09 2019
.. D 0 Wed Aug 7 21:20:09 2019
editing.xml AH 246 Sat Aug 3 14:58:42 2019
Options.txt A 0 Mon Oct 10 23:11:14 2011
projects.xml A 258 Tue Jan 8 17:30:52 2013
settings.xml A 1274 Wed Aug 7 21:19:12 2019
5242623 blocks of size 4096. 1840001 blocks available
smb: \IT\Configs\Adobe\> get editing.xml
getting file \IT\Configs\Adobe\editing.xml of size 246 as editing.xml (2.0 KiloBytes/sec) (average 7.9 KiloBytes/sec)
smb: \IT\Configs\Adobe\> get Options.txt
getting file \IT\Configs\Adobe\Options.txt of size 0 as Options.txt (0.0 KiloBytes/sec) (average 6.7 KiloBytes/sec)
smb: \IT\Configs\Adobe\> get projects.xml
getting file \IT\Configs\Adobe\projects.xml of size 258 as projects.xml (2.2 KiloBytes/sec) (average 6.0 KiloBytes/sec)
smb: \IT\Configs\Adobe\> get settings.xml
getting file \IT\Configs\Adobe\settings.xml of size 1274 as settings.xml (10.6 KiloBytes/sec) (average 6.6 KiloBytes/sec)
smb: \IT\Configs\adobe\> cd ../Atlas
smb: \IT\Configs\Atlas\> ls
. D 0 Tue Aug 6 13:16:18 2019
.. D 0 Tue Aug 6 13:16:18 2019
Temp.XML An 1369 Wed Jun 11 09:38:22 2003
5242623 blocks of size 4096. 1840001 blocks available
smb: \IT\Configs\Atlas\> get Temp.XML
getting file \IT\Configs\Atlas\Temp.XML of size 1369 as Temp.XML (10.8 KiloBytes/sec) (average 7.2 KiloBytes/sec)
smb: \IT\Configs\Microsoft\> cd ../Microsoft
smb: \IT\Configs\Microsoft\> ls
. D 0 Wed Aug 7 21:23:26 2019
.. D 0 Wed Aug 7 21:23:26 2019
Options.xml A 4598 Sat Mar 3 20:24:24 2012
5242623 blocks of size 4096. 1840001 blocks available
smb: \IT\Configs\Microsoft\> get Options.xml
getting file \IT\Configs\Microsoft\Options.xml of size 4598 as Options.xml (35.9 KiloBytes/sec) (average 10.5 KiloBytes/sec)
smb: \IT\Configs\NotepadPlusPlus\> cd ../"RU Scanner"
smb: \IT\Configs\RU Scanner\> ls
. D 0 Wed Aug 7 22:01:13 2019
.. D 0 Wed Aug 7 22:01:13 2019
RU_config.xml A 270 Thu Aug 8 21:49:37 2019
5242623 blocks of size 4096. 1840001 blocks available
smb: \IT\Configs\RU Scanner\> get RU_config.xml
getting file \IT\Configs\RU Scanner\RU_config.xml of size 270 as RU_config.xml (2.3 KiloBytes/sec) (average 14.0 KiloBytes/sec)
The tempUser was able to enumerate and download a few files at Data/IT/Configs
Temp.XML
┌──(kali㉿kali)-[~/…/labs/nest/tempuser/]
└─$ cat IT.Configs.Atlas/Temp.XML
<?xml version="1.0" encoding="UTF-8"?>
<bs:Brainstorm xmlns:bs="http://schemas.microsoft.com/visio/2003/brainstorming"><bs:topic bs:TopicID="T1"><bs:text>Marketing Plan</bs:text><bs:topic bs:TopicID="T1.1"><bs:text>Product</bs:text><bs:prop><bs:id>1</bs:id><bs:label>Assigned to</bs:label><bs:value>Deanna Meyer</bs:value></bs:prop><bs:topic bs:TopicID="T1.1.1"><bs:text>New features</bs:text></bs:topic><bs:topic bs:TopicID="T1.1.2"><bs:text>Competitive strengths</bs:text></bs:topic><bs:topic bs:TopicID="T1.1.3"><bs:text>Competitive weaknesses</bs:text></bs:topic></bs:topic><bs:topic bs:TopicID="T1.2"><bs:text>Placement</bs:text><bs:prop><bs:id>1</bs:id><bs:label>Assigned to</bs:label><bs:value>Jolie Lenehan</bs:value></bs:prop></bs:topic><bs:topic bs:TopicID="T1.3"><bs:text>Price</bs:text><bs:prop><bs:id>1</bs:id><bs:label>Assigned to</bs:label><bs:value>Robert O'Hara</bs:value></bs:prop></bs:topic><bs:topic bs:TopicID="T1.4"><bs:text>Promotion</bs:text><bs:prop><bs:id>1</bs:id><bs:label>Assigned to</bs:label><bs:value>Robert O'Hara</bs:value></bs:prop><bs:topic bs:TopicID="T1.4.1"><bs:text>Advertising</bs:text></bs:topic><bs:topic bs:TopicID="T1.4.2"><bs:text>Mailings</bs:text></bs:topic><bs:topic bs:TopicID="T1.4.3"><bs:text>Trade shows</bs:text></bs:topic></bs:topic></bs:topic><bs:association bs:topic1="T1.4" bs:topic2="T1.3"/></bs:Brainstorm>
The Temp.XML file that was located at the \IT\Configs\Atlas directory on the Data SMB share contained 3 usernames:
Deanna Meyer
Jolie Lenehan
Robert O'Hara
Options.xml
This is the Options.xml file that was located at the \IT\Configs\Microsoft directory on the Data SMB share
It shows some Microsoft Virtual Machine Options and Settings
Nothing of value here.
config.xml
┌──(kali㉿kali)-[~/…/htb/labs/nest/tempuser]
└─$ cat IT.Configs.NotepadPlusPlus/config.xml
<?xml version="1.0" encoding="Windows-1252" ?>
<NotepadPlus>
<GUIConfigs>
[...]
</GUIConfigs>
[...]
<History nbMaxFile="15" inSubMenu="no" customLength="-1">
<file filename="c:\windows\System32\drivers\etc\hosts" />
<File filename="\\HTB-NEST\Secure$\IT\Carl\Temp.txt" />
<file filename="c:\Users\C.Smith\Desktop\todo.txt" />
</History>
</NotepadPlus>
\\HTB-NEST\Secure$\IT\Carl\Temp.txt
The History entries in config.xml revealed a few interesting files with some indications:
c:\windows\System32\drivers\etc\hosts
\\HTB-NEST\Secure$\IT\Carl\Temp.txt: There is a username, Carl
c:\Users\C.Smith\Desktop\todo.txt: The C.Smith user has a todo.txt file in his Desktop directory
This is very interesting because the Carl user was never listed on the Users SMB share
RU_config.xml
┌──(kali㉿kali)-[~/…/htb/labs/nest/tempuser]
└─$ cat IT.Configs.RU\ Scanner/RU_config.xml
<?xml version="1.0"?>
<ConfigFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Port>389</Port>
<Username>c.smith</Username>
<Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password>
</ConfigFile>
The RU_config.xml file that was located in the \IT\Configs\RU Scanner directory on the Data SMB share contains a credential
It’s the c.smith user with his password, which appears to be encoded in base64
┌──(kali㉿kali)-[~/archive/htb/labs/nest]
└─$ echo "fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=" | base64 -d
}13 =X J BA X* Wc f ?βc
The password initially appeared to be encoded in base64, but it decoded to non-ASCII bytes. It’s something else.
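The two exposures found so far (the plaintext password: line in Welcome Email.txt and the <Password> element in RU_config.xml) are what a share audit should flag on the defender's side. The following is an added example, not part of the original write-up: it walks a mounted share and labels each stored secret without echoing it, and it reports the 32-byte decode above as whole 16-byte blocks, which points to encryption rather than encoding. The key names, labels and the 24-character threshold are assumptions of this example.

```python
import base64
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Key names treated as secrets (assumed list for this example).
SECRET_TAG = re.compile(r"^(password|passwd|pwd|secret)$", re.I)
SECRET_LINE = re.compile(r"^\s*(password|passwd|pwd)\s*[:=]\s*(\S+)", re.I)

def classify(value):
    """Heuristic label for how a stored secret is protected."""
    try:  # shorter strings are too ambiguous to call base64
        raw = base64.b64decode(value, validate=True) if len(value) >= 24 else b""
    except ValueError:  # binascii.Error is a ValueError subclass
        raw = b""
    if not raw:
        return "plaintext"
    if all(32 <= b < 127 for b in raw):
        return "base64-text"        # encoding only, trivially reversible
    if len(raw) % 16 == 0:
        return "base64-cipherlike"  # whole 16-byte blocks: likely encrypted
    return "base64-binary"

def scan_file(path):
    """Return (path, key, label) tuples; the secret itself is never echoed."""
    data = path.read_bytes()
    hits = []
    if path.suffix.lower() == ".xml":
        try:
            root = ET.fromstring(data)  # use defusedxml for untrusted shares
        except ET.ParseError:
            root = None
        if root is not None:
            for el in root.iter():
                tag = el.tag.rsplit("}", 1)[-1]  # strip namespace, if any
                text = (el.text or "").strip()
                if SECRET_TAG.match(tag) and text:
                    hits.append((path, tag, classify(text)))
            return hits
    for line in data.decode("utf-8", errors="replace").splitlines():
        m = SECRET_LINE.match(line)
        if m:
            hits.append((path, m.group(1).lower(), classify(m.group(2))))
    return hits

def scan_tree(root_dir):
    hits = []
    for path in sorted(Path(root_dir).rglob("*")):
        if path.is_file():
            hits.extend(scan_file(path))
    return hits

def demo():
    """Scan constructed copies of the two files quoted on this page."""
    samples = {
        "Shared/Templates/HR/Welcome Email.txt":
            "username: TempUser\npassword: welcome2019\n",
        "IT/Configs/RU Scanner/RU_config.xml":
            "<ConfigFile><Port>389</Port><Username>c.smith</Username>"
            "<Password>fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE=</Password></ConfigFile>",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return [(p.relative_to(tmp).as_posix(), key, label)
                for p, key, label in scan_tree(tmp)]

if __name__ == "__main__":
    print(demo())
```

Pointing scan_tree at a read-only mount of a share gives the same report for real files.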
Better tempUser SMB session
┌──(kali㉿kali)-[~/archive/htb/labs/nest]
└─$ smbmap -H $IP -u tempuser -p welcome2019 -R Data
[+] ip: 10.10.10.178:445 Name: HTB-NEST
Disk Permissions Comment
---- ----------- -------
Data READ ONLY
.\Data\*
dr--r--r-- 0 thu aug 8 00:53:46 2019 .
dr--r--r-- 0 thu aug 8 00:53:46 2019 ..
dr--r--r-- 0 thu aug 8 00:58:07 2019 IT
dr--r--r-- 0 mon aug 5 23:53:41 2019 Production
dr--r--r-- 0 mon aug 5 23:53:50 2019 Reports
dr--r--r-- 0 wed aug 7 21:07:51 2019 Shared
.\Data\IT\*
dr--r--r-- 0 thu aug 8 00:58:07 2019 .
dr--r--r-- 0 thu aug 8 00:58:07 2019 ..
dr--r--r-- 0 thu aug 8 00:58:07 2019 Archive
dr--r--r-- 0 thu aug 8 00:59:34 2019 Configs
dr--r--r-- 0 thu aug 8 00:08:30 2019 Installs
dr--r--r-- 0 wed jul 21 20:47:16 2021 Reports
dr--r--r-- 0 tue aug 6 00:33:51 2019 Tools
.\Data\IT\Configs\*
dr--r--r-- 0 thu aug 8 00:59:34 2019 .
dr--r--r-- 0 thu aug 8 00:59:34 2019 ..
dr--r--r-- 0 wed jul 21 20:47:13 2021 Adobe
dr--r--r-- 0 wed jul 21 20:47:04 2021 Atlas
dr--r--r-- 0 tue aug 6 15:27:08 2019 DLink
dr--r--r-- 0 wed aug 7 21:23:26 2019 Microsoft
dr--r--r-- 0 wed jul 21 20:47:13 2021 NotepadPlusPlus
dr--r--r-- 0 wed jul 21 20:47:05 2021 RU Scanner
dr--r--r-- 0 tue aug 6 15:27:09 2019 Server Manager
.\Data\IT\Configs\Adobe\*
dr--r--r-- 0 wed jul 21 20:47:13 2021 .
dr--r--r-- 0 wed jul 21 20:47:13 2021 ..
fr--r--r-- 246 wed jul 21 20:47:12 2021 editing.xml
fr--r--r-- 0 wed aug 7 21:20:09 2019 Options.txt
fr--r--r-- 258 wed aug 7 21:20:09 2019 projects.xml
fr--r--r-- 1274 wed aug 7 21:20:09 2019 settings.xml
.\Data\IT\Configs\Atlas\*
dr--r--r-- 0 wed jul 21 20:47:04 2021 .
dr--r--r-- 0 wed jul 21 20:47:04 2021 ..
fr--r--r-- 1369 wed jul 21 20:47:04 2021 Temp.XML
.\Data\IT\Configs\Microsoft\*
dr--r--r-- 0 wed aug 7 21:23:26 2019 .
dr--r--r-- 0 wed aug 7 21:23:26 2019 ..
fr--r--r-- 4598 wed aug 7 21:23:26 2019 Options.xml
.\Data\IT\Configs\NotepadPlusPlus\*
dr--r--r-- 0 wed jul 21 20:47:13 2021 .
dr--r--r-- 0 wed jul 21 20:47:13 2021 ..
fr--r--r-- 6451 wed jul 21 20:47:13 2021 config.xml
fr--r--r-- 2108 wed jul 21 20:47:15 2021 shortcuts.xml
.\Data\IT\Configs\RU Scanner\*
dr--r--r-- 0 wed jul 21 20:47:05 2021 .
dr--r--r-- 0 wed jul 21 20:47:05 2021 ..
fr--r--r-- 270 wed jul 21 20:47:14 2021 RU_config.xml
.\Data\Shared\*
dr--r--r-- 0 wed aug 7 21:07:51 2019 .
dr--r--r-- 0 wed aug 7 21:07:51 2019 ..
dr--r--r-- 0 wed jul 21 20:47:12 2021 Maintenance
dr--r--r-- 0 wed jul 21 20:47:12 2021 Templates
.\Data\Shared\Maintenance\*
dr--r--r-- 0 wed jul 21 20:47:12 2021 .
dr--r--r-- 0 wed jul 21 20:47:12 2021 ..
fr--r--r-- 48 wed jul 21 20:47:05 2021 Maintenance Alerts.txt
.\Data\Shared\Templates\*
dr--r--r-- 0 wed jul 21 20:47:12 2021 .
dr--r--r-- 0 wed jul 21 20:47:12 2021 ..
dr--r--r-- 0 wed jul 21 20:47:12 2021 HR
dr--r--r-- 0 wed aug 7 21:08:07 2019 Marketing
.\Data\Shared\Templates\HR\*
dr--r--r-- 0 wed jul 21 20:47:12 2021 .
dr--r--r-- 0 wed jul 21 20:47:12 2021 ..
fr--r--r-- 425 wed jul 21 20:47:12 2021 Welcome Email.txt
smbmap can recursively list everything
-R: for recursion
--download: for downloading
\\$IP\Secure$\IT
┌──(kali㉿kali)-[~/archive/htb/labs/nest]
└─$ smbmap -H $IP -u tempuser -p welcome2019 -R 'Secure$/IT'
[+] ip: 10.10.10.178:445 Name: 10.10.10.178
[!] something weird happened: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.) on line 881
Disk Permissions Comment
---- ----------- -------
Secure$ READ ONLY
As found out earlier, I cannot access any of the directories under the Secure$ SMB share as tempUser
\\$IP\Secure$\IT\Carl
┌──(kali㉿kali)-[~/archive/htb/labs/nest]
└─$ smbmap -H $IP -u tempuser -p welcome2019 -R 'Secure$/IT/Carl/'
[+] ip: 10.10.10.178:445 Name: HTB-NEST
Disk Permissions Comment
---- ----------- -------
Secure$ READ ONLY
.\Secure$IT\Carl\*
dr--r--r-- 0 wed jul 21 20:47:13 2021 .
dr--r--r-- 0 wed jul 21 20:47:13 2021 ..
dr--r--r-- 0 wed jul 21 20:47:13 2021 Docs
dr--r--r-- 0 tue aug 6 15:45:47 2019 Reports
dr--r--r-- 0 tue aug 6 16:41:55 2019 VB Projects
.\Secure$IT\Carl\Docs\*
dr--r--r-- 0 wed jul 21 20:47:13 2021 .
dr--r--r-- 0 wed jul 21 20:47:13 2021 ..
fr--r--r-- 56 wed jul 21 20:47:13 2021 ip.txt
fr--r--r-- 73 wed jul 21 20:47:13 2021 mmc.txt
.\Secure$IT\Carl\VB Projects\*
dr--r--r-- 0 tue aug 6 16:41:55 2019 .
dr--r--r-- 0 tue aug 6 16:41:55 2019 ..
dr--r--r-- 0 tue aug 6 16:41:53 2019 Production
dr--r--r-- 0 tue aug 6 16:47:41 2019 WIP
.\Secure$IT\Carl\VB Projects\WIP\*
dr--r--r-- 0 tue aug 6 16:47:41 2019 .
dr--r--r-- 0 tue aug 6 16:47:41 2019 ..
dr--r--r-- 0 wed jul 21 20:47:17 2021 RU
.\Secure$IT\Carl\VB Projects\WIP\RU\*
dr--r--r-- 0 wed jul 21 20:47:17 2021 .
dr--r--r-- 0 wed jul 21 20:47:17 2021 ..
dr--r--r-- 0 wed jul 21 20:47:14 2021 RUScanner
fr--r--r-- 871 wed jul 21 20:47:17 2021 RUScanner.sln
.\Secure$IT\Carl\VB Projects\WIP\RU\RUScanner\*
dr--r--r-- 0 wed jul 21 20:47:14 2021 .
dr--r--r-- 0 wed jul 21 20:47:14 2021 ..
dr--r--r-- 0 wed aug 7 22:00:11 2019 bin
fr--r--r-- 772 wed jul 21 20:47:15 2021 ConfigFile.vb
fr--r--r-- 279 wed jul 21 20:47:15 2021 Module1.vb
dr--r--r-- 0 wed aug 7 22:00:11 2019 My Project
dr--r--r-- 0 wed aug 7 22:00:11 2019 obj
fr--r--r-- 4828 wed jul 21 20:47:14 2021 RU Scanner.vbproj
fr--r--r-- 143 wed jul 21 20:47:13 2021 RU Scanner.vbproj.user
fr--r--r-- 133 wed jul 21 20:47:14 2021 SsoIntegration.vb
fr--r--r-- 4888 wed jul 21 20:47:15 2021 Utils.vb
but not the \\$IP\Secure$\IT\Carl\ apparently..
There must have been some misconfiguration
\\HTB-NEST\Secure$\IT\Carl\Docs\ip.txt
Networking commands?
\\HTB-NEST\Secure$\IT\Carl\Docs\mmc.txt
Microsoft Management Tools
This directory appears to be the one that contains the program, “RU Scanner”, with its source code
Mounting SMB share
Since there are so many files and directories to work with, I will just mount the SMB share to Kali for convenience
┌──(kali㉿kali)-[~/…/htb/labs/nest/tempuser]
└─$ mkdir /mnt/tmp
First, I created a temporary directory as a mounting point, /mnt/tmp/
┌──(kali㉿kali)-[~/…/htb/labs/nest/tempuser]
└─$ sudo mount -t cifs '\\10.10.10.178\Secure$\IT\Carl\' /mnt/tmp -o username=tempuser,password=welcome2019
I then went ahead and mounted the CIFS (SMB) share \\10.10.10.178\Secure$\IT\Carl\ to /mnt/tmp on Kali
The -o flag was to provide the option for authentication; username=tempuser,password=welcome2019
┌──(kali㉿kali)-[/mnt]
└─$ tree tmp
tmp
├── Docs
│   ├── ip.txt
│   └── mmc.txt
├── Reports
└── VB Projects
    ├── Production
    └── WIP
        └── RU
            ├── RUScanner
            │   ├── bin
            │   │   ├── Debug
            │   │   └── Release
            │   ├── ConfigFile.vb
            │   ├── Module1.vb
            │   ├── My Project
            │   │   ├── Application.Designer.vb
            │   │   ├── Application.myapp
            │   │   ├── AssemblyInfo.vb
            │   │   ├── Resources.Designer.vb
            │   │   ├── Resources.resx
            │   │   ├── Settings.Designer.vb
            │   │   └── Settings.settings
            │   ├── obj
            │   │   └── x86
            │   ├── RU Scanner.vbproj
            │   ├── RU Scanner.vbproj.user
            │   ├── SsoIntegration.vb
            │   └── Utils.vb
            └── RUScanner.sln
13 directories, 16 files
The whole directory has been mounted to /mnt/tmp on Kali
┌──(kali㉿kali)-[~/archive/htb/labs/nest]
└─$ cp -r /mnt/tmp/VB\ Projects/WIP/RU/ .
I then copied the “RUScanner” program to the current working directory for ease of access
Proceeding to source code analysis
C.Smith
SMB session
I got the decrypted password for the C.Smith user.
I will get to the validation
┌──(kali㉿kali)-[~/archive/htb/labs/nest]
└─$ smbmap -H $IP -u c.smith -p xRxRxPANCAK3SxRxRx -R Users
[+] ip: 10.10.10.178:445 Name: 10.10.10.178
Disk Permissions Comment
---- ----------- -------
Users READ ONLY
.\Users\*
dr--r--r-- 0 sun jan 26 00:04:21 2020 .
dr--r--r-- 0 sun jan 26 00:04:21 2020 ..
dr--r--r-- 0 wed jul 21 20:47:04 2021 Administrator
dr--r--r-- 0 wed jul 21 20:47:04 2021 C.Smith
dr--r--r-- 0 thu aug 8 19:03:29 2019 L.Frost
dr--r--r-- 0 thu aug 8 19:02:56 2019 R.Thompson
dr--r--r-- 0 wed jul 21 20:47:15 2021 TempUser
.\Users\C.Smith\*
dr--r--r-- 0 wed jul 21 20:47:04 2021 .
dr--r--r-- 0 wed jul 21 20:47:04 2021 ..
dr--r--r-- 0 wed jul 21 20:47:05 2021 HQK Reporting
fr--r--r-- 34 thu jan 12 22:19:07 2023 user.txt
.\Users\C.Smith\HQK Reporting\*
dr--r--r-- 0 wed jul 21 20:47:05 2021 .
dr--r--r-- 0 wed jul 21 20:47:05 2021 ..
dr--r--r-- 0 fri aug 9 14:18:42 2019 AD Integration Module
fr--r--r-- 0 wed jul 21 20:47:12 2021 Debug Mode Password.txt
fr--r--r-- 249 wed jul 21 20:47:14 2021 HQK_Config_Backup.xml
.\Users\C.Smith\HQK Reporting\AD Integration Module\*
dr--r--r-- 0 fri aug 9 14:18:42 2019 .
dr--r--r-- 0 fri aug 9 14:18:42 2019 ..
fr--r--r-- 17408 thu aug 8 01:42:49 2019 HqkLdap.exe
The credential is VALIDATED.
The C.Smith user has access to his home directory at \\$IP\Users\C.Smith
There, I see the familiar word; \\$IP\Users\C.Smith\HQK Reporting\HQK Reporting
It must be relevant to whatever is going on at the target port 4386
I will get all the files with the --download flag
HQK_Config_Backup.xml
┌──(kali㉿kali)-[~/…/htb/labs/nest/c.smith]
└─$ cat HQK_Config_Backup.xml
<?xml version="1.0"?>
<ServiceSettings xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Port>4386</Port>
<QueryDirectory>C:\Program Files\HQK\ALL QUERIES</QueryDirectory>
</ServiceSettings>
It appears to be a configuration file for the service, indicating that queries are executed from the following directory: C:\Program Files\HQK\ALL QUERIES
Debug Mode Password.txt
smb: \C.Smith\HQK Reporting\> ls
. d 0 fri aug 9 01:06:17 2019
.. d 0 fri aug 9 01:06:17 2019
ad integration module d 0 fri aug 9 14:18:42 2019
debug mode password.txt a 0 fri aug 9 01:08:17 2019
hqk_config_backup.xml a 249 fri aug 9 01:09:05 2019
5242623 blocks of size 4096. 1839710 blocks available
It doesn’t make sense that there is an empty TXT file with password in its name
smb: \C.Smith\HQK Reporting\> allinfo "Debug Mode Password.txt"
altname: DEBUGM~1.TXT
create_time: Fri Aug 9 01:06:12 AM 2019 CEST
access_time: Fri Aug 9 01:06:12 AM 2019 CEST
write_time: Fri Aug 9 01:08:17 AM 2019 CEST
change_time: Wed Jul 21 08:47:12 PM 2021 CEST
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes
There are alternate data streams (ADS) associated with the file Debug Mode Password.txt, one of them named “:Password”
smb: \C.Smith\HQK Reporting\> more "Debug Mode Password.txt:Password:$DATA"
I can check the content of the ADS (:Password:$DATA) with more
This certainly appears very much to be a password
smb: \C.Smith\HQK Reporting\> get "Debug Mode Password.txt:password:$DATA"
getting file \c.smith\hqk reporting\debug mode password.txt:password:$DATA of size 15 as Debug Mode password.txt:password:$DATA (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
I will grab the file with the ADS (:Password:$DATA)
┌──(kali㉿kali)-[~/…/htb/labs/nest/c.smith]
└─$ cat debug\ mode\ password.txt:password:\$DATA
WBQ201953D8w
I don’t know what exactly this is for now.
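The zero-byte file with a populated named stream seen in the allinfo output above is easy to miss in a normal directory listing. The following is an added example, not part of the original write-up: it parses smbclient allinfo output and flags unexpected alternate data streams. The allowlist, the function names and the second sample are assumptions constructed for this example.

```python
import re

# Matches lines such as: stream: [:Password:$DATA], 15 bytes
STREAM_RE = re.compile(
    r"^\s*stream:\s*\[:(?P<name>[^:\]]*):\$DATA\],\s*(?P<size>\d+)\s+bytes", re.M)

# Streams that are routinely present and usually benign (assumed allowlist).
EXPECTED = {"Zone.Identifier"}  # mark-of-the-web on downloaded files

def parse_streams(allinfo_output):
    """Return {stream_name: size_in_bytes}; '' is the default data stream."""
    return {m["name"]: int(m["size"]) for m in STREAM_RE.finditer(allinfo_output)}

def review(filename, allinfo_output):
    """Return human-readable findings for unexpected alternate data streams."""
    streams = parse_streams(allinfo_output)
    odd = {n: s for n, s in streams.items() if n and n not in EXPECTED}
    findings = [f"{filename}: named stream ':{n}' holds {s} bytes"
                for n, s in sorted(odd.items())]
    if streams.get("") == 0 and any(odd.values()):
        findings.append(
            f"{filename}: default stream is empty, content only in named streams")
    return findings

# allinfo output as shown on this page (timestamps omitted)
SAMPLE = """altname: DEBUGM~1.TXT
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes
"""

# Constructed sample: an ordinary downloaded file
BENIGN = """attributes: A (20)
stream: [::$DATA], 2048 bytes
stream: [:Zone.Identifier:$DATA], 26 bytes
"""

if __name__ == "__main__":
    for line in review("Debug Mode Password.txt", SAMPLE):
        print(line)
```

On the file server itself, `dir /r` or PowerShell's `Get-Item -Stream *` lists the same streams.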