SMB


Nmap discovered a Windows Directory service on target ports 139 and 445

┌──(kali㉿kali)-[~/archive/htb/labs/return]
└─$ nmap --script smb-enum-shares -sV -p139,445 $IP
starting nmap 7.93 ( https://nmap.org ) at 2023-03-23 10:36 CET
Nmap scan report for return.local (10.10.11.108)
Host is up (0.027s latency).
 
PORT    STATE SERVICE       VERSION
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
service info: OS: Windows; CPE: cpe:/o:microsoft:windows
 
service detection performed. please report any incorrect results at https://nmap.org/submit/ .
nmap done: 1 IP address (1 host up) scanned in 11.10 seconds

The additional Nmap scan to map out the SMB shares failed, likely due to a privilege-related issue

Null Session


┌──(kali㉿kali)-[~/archive/htb/labs/return]
└─$ smbmap -H printer.return.local -u ' ' -p ' '
[!] Authentication error on printer.return.local
 
┌──(kali㉿kali)-[~/archive/htb/labs/return]
└─$ smbclient -L //printer.return.local/                      
Password for [WORKGROUP\kali]:
Anonymous login successful
 
	Sharename       Type      Comment
	---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to printer.return.local failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

As expected, the target SMB server itself allows anonymous access, but the lack of privileges prevents me from even checking the shares

┌──(kali㉿kali)-[~/archive/htb/labs/return]
└─$ enum4linux -a -r -o -n -A -U $IP 
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Mar 23 10:39:02 2023
 
[...REDACTED...]
 
 ================================( Getting domain SID for 10.10.11.108 )================================
 
Domain Name: RETURN
Domain Sid: S-1-5-21-3750359090-2939318659-876128439
 
[+] Host is part of a domain (not a workgroup)
 
[...REDACTED...]
 
 ===============================( Getting printer info for 10.10.11.108 )===============================
 
do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
 
 
enum4linux complete on Thu Mar 23 10:39:27 2023

At least enum4linux was able to enumerate the domain SID: S-1-5-21-3750359090-2939318659-876128439

I would need to have a valid domain credential to proceed forward
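
The domain SID recovered above is the prefix of every account SID in the RETURN domain, which makes it useful when triaging SIDs seen in logs or ACLs. The following is an added example, not part of the original write-up: it parses the SID string, converts it to and from the standard binary SID layout, and checks whether another SID belongs to this domain. The function names are this example's own, and every sample SID other than the domain SID is constructed.

```python
import struct

# Domain SID as reported by enum4linux in the output above.
DOMAIN_SID = "S-1-5-21-3750359090-2939318659-876128439"

def parse_sid(sid):
    """Split a SID string into (revision, identifier authority, sub-authorities)."""
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(
            p.isascii() and p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = tuple(int(p) for p in parts[3:])
    if revision != 1 or authority >= 2**48 or len(subs) > 15:
        raise ValueError(f"SID header out of range: {sid!r}")
    if any(s >= 2**32 for s in subs):
        raise ValueError(f"sub-authority does not fit in 32 bits: {sid!r}")
    return revision, authority, subs

def sid_to_bytes(sid):
    """Binary layout: revision (1 byte), sub-authority count (1 byte),
    6-byte big-endian authority, then little-endian uint32 sub-authorities."""
    revision, authority, subs = parse_sid(sid)
    return (struct.pack("BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def bytes_to_sid(raw):
    """Inverse of sid_to_bytes; rejects truncated or over-long buffers."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("length does not match the sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])

def rid_in_domain(sid, domain_sid=DOMAIN_SID):
    """Return the RID if sid sits directly under domain_sid, else None."""
    _, auth, subs = parse_sid(sid)
    _, d_auth, d_subs = parse_sid(domain_sid)
    if auth == d_auth and len(subs) == len(d_subs) + 1 and subs[:-1] == d_subs:
        return subs[-1]
    return None

if __name__ == "__main__":
    # Constructed samples: RID 500 under this domain, the well-known
    # Anonymous Logon SID (S-1-5-7), and a SID from a made-up other domain.
    for sid in (DOMAIN_SID + "-500", "S-1-5-7", "S-1-5-21-1-2-3-1104"):
        print(sid, sid_to_bytes(sid).hex(), rid_in_domain(sid))
```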