SMB
Nmap discovered Windows SMB services (NetBIOS session service and Microsoft-DS) on the target ports 139 and 445
┌──(kali㉿kali)-[~/archive/htb/labs/outdated]
└─$ nmap -Pn --script smb-enum-shares -sV -p139,445 $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-03 13:23 CET
Nmap scan report for dc (10.10.11.175)
Host is up (0.027s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.83 seconds
The smb-enum-shares script's attempt to map out the SMB shares failed (no share output was returned)
Null Session
┌──(kali㉿kali)-[~/archive/htb/labs/outdated]
└─$ crackmapexec smb dc.outdated.htb -d OUTDATED.HTB -u 'qwe' -p '' --shares
SMB dc.outdated.htb 445 DC [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:OUTDATED.HTB) (signing:True) (SMBv1:False)
SMB dc.outdated.htb 445 DC [+] OUTDATED.HTB\qwe:
SMB dc.outdated.htb 445 DC [+] Enumerated shares
SMB dc.outdated.htb 445 DC Share Permissions Remark
SMB dc.outdated.htb 445 DC ----- ----------- ------
SMB dc.outdated.htb 445 DC ADMIN$ Remote Admin
SMB dc.outdated.htb 445 DC C$ Default share
SMB dc.outdated.htb 445 DC IPC$ READ Remote IPC
SMB dc.outdated.htb 445 DC NETLOGON Logon server share
SMB dc.outdated.htb 445 DC Shares READ
SMB dc.outdated.htb 445 DC SYSVOL Logon server share
SMB dc.outdated.htb 445 DC UpdateServicesPackages A network share to be used by client systems for collecting all software packages (usually applications) published on this WSUS system.
SMB dc.outdated.htb 445 DC WsusContent A network share to be used by Local Publishing to place published content on this WSUS system.
SMB dc.outdated.htb 445 DC WSUSTemp A network share used by Local Publishing from a Remote WSUS Console Instance.
The target SMB server does allow anonymous (null session) access, and there are 4 non-default shares: Shares, UpdateServicesPackages, WsusContent and WSUSTemp. The remarks on the last three show that the DC is also hosting a WSUS (Windows Server Update Services) instance.
//dc.outdated.htb/UpdateServicesPackages
┌──(kali㉿kali)-[~/archive/htb/labs/outdated]
└─$ smbclient //dc.outdated.htb/UpdateServicesPackages
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
The //dc.outdated.htb/UpdateServicesPackages share does not allow listing
//dc.outdated.htb/WsusContent
┌──(kali㉿kali)-[~/archive/htb/labs/outdated]
└─$ smbclient //dc.outdated.htb/WsusContent
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
The same goes for the //dc.outdated.htb/WsusContent share
//dc.outdated.htb/WSUSTemp
┌──(kali㉿kali)-[~/archive/htb/labs/outdated]
└─$ smbclient //dc.outdated.htb/WSUSTemp
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
The //dc.outdated.htb/WSUSTemp share does not allow listing either
//dc.outdated.htb/Shares
┌──(kali㉿kali)-[~/archive/htb/labs/outdated]
└─$ smbclient //dc.outdated.htb/Shares
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Mon Jun 20 17:01:33 2022
.. D 0 Mon Jun 20 17:01:33 2022
NOC_Reminder.pdf AR 106977 Mon Jun 20 17:00:32 2022
9116415 blocks of size 4096. 1919231 blocks available
There is a single PDF file within the //dc.outdated.htb/Shares share: NOC_Reminder.pdf
smb: \> get NOC_Reminder.pdf
getting file \NOC_Reminder.pdf of size 106977 as NOC_Reminder.pdf (371.8 KiloBytes/sec) (average 371.8 KiloBytes/sec)
Downloading the PDF file to Kali for further analysis
NOC_Reminder.pdf
The NOC_Reminder.pdf file is a single-page PDF document. Given that "NOC" usually refers to a network operations center, the PDF provides a recovery procedure following a security breach last week.
It notes the following:
- Affected workstations along with core servers:
  - update services
  - monitoring tools
  - backups
- itsupport@outdated.htb:
  - is supposed to receive a link pointing to an internal web application
  - will add the submitted internal web app back to the monitoring platform
- A new SOC employee is to patch the following vulnerabilities:
  - CVE-2022-30190
  - CVE-2022-30138
  - CVE-2022-30129
  - CVE-2022-29130
  - CVE-2022-29110
It's important to note that CVE-2022-30190 seems to be the most accessible candidate for exploitation, whereas the status of CVE-2022-30129, CVE-2022-29130 and CVE-2022-29110 remains unconfirmed at present. Additionally, CVE-2022-30138 is not applicable, as the Print Spooler service's RPC interfaces ([MS-PAR] and [MS-RPRN]) are not exposed.
itsupport
┌──(kali㉿kali)-[~/archive/htb/labs/outdated]
└─$ echo itsupport > temp_users.txt
┌──(kali㉿kali)-[~/archive/htb/labs/outdated]
└─$ kerbrute userenum --dc dc.outdated.htb -d OUTDATED.HTB temp_users.txt
Version: v1.0.3 (9dad6e1) - 01/05/24 - Ronnie Flathers @ropnop
2024/01/05 14:55:27 > Using KDC(s):
2024/01/05 14:55:27 > dc.outdated.htb:88
2024/01/05 14:55:27 > Done! Tested 1 usernames (0 valid) in 0.039 seconds
itsupport is NOT a valid domain user. It's likely an alias for the mail service rather than an account.
Metadata
┌──(kali㉿kali)-[~/…/htb/labs/outdated/smb]
└─$ file NOC_Reminder.pdf
NOC_Reminder.pdf: PDF document, version 1.3, 1 page(s)
┌──(kali㉿kali)-[~/…/htb/labs/outdated/smb]
└─$ exiftool NOC_Reminder.pdf
exiftool version number : 12.67
file name : NOC_Reminder.pdf
directory : .
file size : 107 kB
file modification date/time : 2024:01:03 14:59:38+01:00
file access date/time : 2024:01:03 15:00:44+01:00
file inode change date/time : 2024:01:03 15:00:30+01:00
file permissions : -rw-r--r--
file type : PDF
file type extension : pdf
mime type : application/pdf
pdf version : 1.3
linearized : No
page count : 1
profile cmm type : Linotronic
profile version : 2.1.0
profile class : Display Device Profile
color space data : RGB
profile connection space : XYZ
profile date time : 1998:02:09 06:49:00
profile file signature : acsp
primary platform : Microsoft Corporation
cmm flags : Not Embedded, Independent
device manufacturer : Hewlett-Packard
device model : sRGB
device attributes : Reflective, Glossy, Positive, Color
rendering intent : Perceptual
connection space illuminant : 0.9642 1 0.82491
profile creator : Hewlett-Packard
profile id : 0
profile copyright : Copyright (c) 1998 Hewlett-Packard Company
profile description : sRGB IEC61966-2.1
media white point : 0.95045 1 1.08905
media black point : 0 0 0
red matrix column : 0.43607 0.22249 0.01392
green matrix column : 0.38515 0.71687 0.09708
blue matrix column : 0.14307 0.06061 0.7141
device mfg desc : IEC http://www.iec.ch
device model desc : IEC 61966-2.1 Default RGB colour space - sRGB
viewing cond desc : Reference Viewing Condition in IEC61966-2.1
viewing cond illuminant : 19.6445 20.3718 16.8089
viewing cond surround : 3.92889 4.07439 3.36179
viewing cond illuminant type : D50
luminance : 76.03647 80 87.12462
measurement observer : CIE 1931
measurement backing : 0 0 0
measurement geometry : Unknown
measurement flare : 0.999%
measurement illuminant : D65
technology : Cathode Ray Tube Display
red tone reproduction curve : (Binary data 2060 bytes, use -b option to extract)
green tone reproduction curve : (Binary data 2060 bytes, use -b option to extract)
blue tone reproduction curve : (Binary data 2060 bytes, use -b option to extract)
producer : macOS Version 10.15.7 (Build 19H1922) Quartz PDFContext
creator : Word
create date : 2022:06:20 15:00:32Z
modify date : 2022:06:20 15:00:32Z
The metadata does not contain any noteworthy information (only the producing application and the creation date, which matches the file timestamp on the share)