ksimpson Session
Now that a valid domain credential has been obtained, I can further enumerate the target SMB server. Due to the network-level restriction set on the target domain, I won't be able to use the usual smbclient; however, impacket-smbclient accepts a valid TGT and supports Kerberos authentication to access the SMB server.
┌──(kali㉿kali)-[~/…/htb/labs/scrambled/smb]
└─$ KRB5CCNAME=../ksimpson@dc1.scrm.local.ccache impacket-smbclient scrm.local/@dc1.scrm.local -no-pass -k -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
Type help for list of commands
#
Using the TGT of the ksimpson user, I am able to authenticate to the target KDC and access the SMB service on the domain controller.
# shares
ADMIN$
C$
HR
IPC$
IT
NETLOGON
Public
Sales
SYSVOL
Aside from the usual default shares found across a Windows domain landscape, there are a total of 4 non-default shares:
\\dc1.scrm.local\HR
\\dc1.scrm.local\Sales
\\dc1.scrm.local\IT
\\dc1.scrm.local\Public
Some of them match the organization's departments found earlier during the web enumeration.
\\dc1.scrm.local\HR
# use HR
[-] SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
Access denied to the \\dc1.scrm.local\HR share for the ksimpson user.
\\dc1.scrm.local\Sales
# use Sales
[-] SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
Access denied to the \\dc1.scrm.local\Sales share for the ksimpson user.
\\dc1.scrm.local\IT
# use IT
[-] SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
Access denied to the \\dc1.scrm.local\IT share for the ksimpson user.
\\dc1.scrm.local\Public
# use Public
#
It appears that I am able to access the \\dc1.scrm.local\Public share as the ksimpson user.
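To keep track of what the share enumeration above actually yielded, the following added example (not part of the original write-up) parses transcript text in the shape impacket-smbclient printed, separates the standard domain-controller shares from the non-default ones, and records which shares the current principal could open. The transcript strings are constructed to mirror the session shown on this page; the default share set is the standard Windows/DC set.

```python
"""Classify shares enumerated over Kerberos-authenticated SMB.

Added example, not part of the original write-up. Parses constructed
impacket-smbclient transcript text (the `shares` listing and the per-share
`use` results) and separates default administrative shares from non-default
ones, recording which were accessible to the authenticated principal.
"""
import re
from dataclasses import dataclass

# Shares present on every Windows domain controller by default.
DEFAULT_SHARES = {"ADMIN$", "C$", "IPC$", "NETLOGON", "SYSVOL"}

# Constructed transcript of the `shares` command, mirroring the page.
SHARES_OUTPUT = """\
# shares
ADMIN$
C$
HR
IPC$
IT
NETLOGON
Public
Sales
SYSVOL
"""

# Constructed transcript of the `use <share>` attempts, mirroring the page.
USE_OUTPUT = """\
# use HR
[-] SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
# use Sales
[-] SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
# use IT
[-] SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
# use Public
#
"""


@dataclass
class ShareResult:
    name: str
    default: bool
    access: str  # "accessible", "denied" or "untested"


def parse_shares(text: str) -> list[str]:
    """Return share names from a `shares` transcript, skipping prompt lines."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names.append(line)
    return names


_USE_RE = re.compile(r"^#\s*use\s+(\S+)\s*$")
_ERR_RE = re.compile(r"^\[-\].*?(STATUS_[A-Z_]+)")


def parse_use_results(text: str) -> dict[str, str]:
    """Map each `use <share>` attempt to its NT status, or "OK" if none followed.

    impacket-smbclient prints nothing but the next prompt on success, so a
    `use` line that is not followed by an error line counts as accessible.
    """
    results: dict[str, str] = {}
    current = None
    for line in text.splitlines():
        m = _USE_RE.match(line)
        if m:
            current = m.group(1)
            results[current] = "OK"
            continue
        e = _ERR_RE.match(line)
        if e and current is not None:
            results[current] = e.group(1)
    return results


def classify(shares_text: str, use_text: str) -> list[ShareResult]:
    """Join the share listing with the access results into one table."""
    results = parse_use_results(use_text)
    out = []
    for name in parse_shares(shares_text):
        status = results.get(name)
        if status is None:
            access = "untested"
        elif status == "OK":
            access = "accessible"
        else:
            access = "denied"
        out.append(ShareResult(name, name.upper() in DEFAULT_SHARES, access))
    return out


def non_default_accessible(shares_text: str, use_text: str) -> list[str]:
    """Non-default shares the current principal could actually open."""
    return [r.name for r in classify(shares_text, use_text)
            if not r.default and r.access == "accessible"]


if __name__ == "__main__":
    for r in classify(SHARES_OUTPUT, USE_OUTPUT):
        kind = "default" if r.default else "NON-DEFAULT"
        print(f"{r.name:<10} {kind:<12} {r.access}")
```

Running it against the constructed transcript reports HR, IT and Sales as non-default and denied, and Public as the single non-default share ksimpson can open, which is the starting point for the PDF review that follows.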
# ls
drw-rw-rw- 0 Thu Nov 4 23:23:19 2021 .
drw-rw-rw- 0 Thu Nov 4 23:23:19 2021 ..
-rw-rw-rw- 630106 Fri Nov 5 18:45:07 2021 Network Security Changes.pdf
# get Network Security Changes.pdf
There is a single PDF file within the share, Network Security Changes.pdf, which is downloaded to Kali for further enumeration.
┌──(kali㉿kali)-[~/…/htb/labs/scrambled/smb]
└─$ file Public/Network\ Security\ Changes.pdf
Public/Network Security Changes.pdf: PDF document, version 1.5, 1 page(s) (zip deflate encoded)
The PDF file is a single-page document using PDF version 1.5.
The Network Security Changes.pdf file is a message to employees from the IT department, outlining the recent security breach reported on 04/09/2021.
The IT Support team has implemented additional measures to address a network compromise. The incident involved unauthorized access to the entire network, with the attacker exploiting "NTLM relaying". As a direct response, NTLM authentication has been globally disabled, and users are now required to adopt Kerberos authentication, incorporating the full domain name (scrm.local) in their login credentials.
- This provides a further explanation for the alert found in the support.html file.
Furthermore, due to a breach involving the HR software’s SQL database, access to the SQL service has been restricted to network administrators, with affected HR department users advised to contact IT support for manual account access restoration.
- It is suggested that the HR department previously had indirect access to the SQL database via the aforementioned HR software, likely referring to the Sales Orders application.
- It also notes the restriction imposed on the SQL database, reserving access exclusively for "network administrators".
- This may explain why I was unable to access the \\dc1.scrm.local\HR share as the ksimpson user.
Metadata
┌──(kali㉿kali)-[~/…/htb/labs/scrambled/smb]
└─$ exiftool Public/Network\ Security\ Changes.pdf
exiftool version number : 12.67
file name : Network Security Changes.pdf
directory : Public
file size : 630 kB
file modification date/time : 2023:11:20 10:05:17+01:00
file access date/time : 2023:11:20 10:06:50+01:00
file inode change date/time : 2023:11:20 10:06:43+01:00
file permissions : -rw-r--r--
file type : PDF
file type extension : pdf
mime type : application/pdf
pdf version : 1.5
linearized : No
page count : 1
language : en-GB
tagged pdf : Yes
producer : Microsoft® Word 2010
creator : Microsoft® Word 2010
create date : 2021:11:04 22:20:49+00:00
modify date : 2021:11:04 22:20:49+00:00
No additional information was found in the metadata.
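The metadata review above is a routine step when a document turns up on a share, so the following added example (not part of the original write-up) automates it: it parses exiftool's default `Tag Name : value` output, lists the descriptive tags that could name a person, team or topic, notes which of them are absent, and compares the create and modify dates. The exiftool text is constructed here to mirror the listing above, with tag names in exiftool's usual casing; the tag groupings are this example's own choice.

```python
"""Triage exiftool output for a document retrieved from a share.

Added example, not part of the original write-up. Parses exiftool's default
`Tag Name : value` output (constructed here to mirror the page's listing) and
reports which origin and descriptive metadata fields are present or absent.
"""
import re
from datetime import datetime, timezone

# Constructed exiftool output, mirroring the page's listing.
EXIFTOOL_OUTPUT = """\
ExifTool Version Number         : 12.67
File Name                       : Network Security Changes.pdf
Directory                       : Public
File Size                       : 630 kB
File Modification Date/Time     : 2023:11:20 10:05:17+01:00
File Type                       : PDF
MIME Type                       : application/pdf
PDF Version                     : 1.5
Linearized                      : No
Page Count                      : 1
Language                        : en-GB
Tagged PDF                      : Yes
Producer                        : Microsoft® Word 2010
Creator                         : Microsoft® Word 2010
Create Date                     : 2021:11:04 22:20:49+00:00
Modify Date                     : 2021:11:04 22:20:49+00:00
"""

# Descriptive tags that, when present, may name a person, team or topic
# (grouping chosen for this example).
DESCRIPTIVE_TAGS = ("Author", "Company", "Manager", "Last Modified By",
                    "Title", "Subject", "Keywords")
# Tags that describe only the producing software and the timeline.
ORIGIN_TAGS = ("Producer", "Creator", "Create Date", "Modify Date")

# exiftool pads the tag name, then prints `: value`; values may contain colons.
_LINE_RE = re.compile(r"^(?P<tag>[^:]+?)\s*:\s(?P<value>.*)$")


def parse_exiftool(text: str) -> dict[str, str]:
    """Parse `Tag : value` lines into a dict keyed by tag name as printed."""
    tags = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            tags[m.group("tag").strip()] = m.group("value").strip()
    return tags


def parse_exif_date(value: str) -> datetime:
    """exiftool prints timestamps as YYYY:MM:DD HH:MM:SS+HH:MM."""
    return datetime.strptime(value, "%Y:%m:%d %H:%M:%S%z")


def triage(text: str) -> dict:
    """Summarise what the metadata does and does not reveal about the file."""
    tags = parse_exiftool(text)
    present = {t: tags[t] for t in DESCRIPTIVE_TAGS if t in tags}
    missing = [t for t in DESCRIPTIVE_TAGS if t not in tags]
    origin = {t: tags[t] for t in ORIGIN_TAGS if t in tags}
    created = parse_exif_date(tags["Create Date"]) if "Create Date" in tags else None
    modified = parse_exif_date(tags["Modify Date"]) if "Modify Date" in tags else None
    # Identical create and modify dates mean the file was saved once and
    # never edited afterwards (or had its dates rewritten).
    edited_after_creation = bool(created and modified and modified > created)
    return {
        "descriptive_present": present,
        "descriptive_missing": missing,
        "origin": origin,
        "created_utc": created.astimezone(timezone.utc).isoformat() if created else None,
        "edited_after_creation": edited_after_creation,
    }


if __name__ == "__main__":
    summary = triage(EXIFTOOL_OUTPUT)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

For the constructed listing the summary shows only the producing software (Word 2010) and a single save timestamp, with every descriptive tag absent, which is the same conclusion the manual review reached.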