IT Share


*evil-winrm* ps c:\> ls
 
 
    directory: C:\
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        11/3/2021  11:44 PM                inetpub
d-----       10/31/2021   9:13 PM                PerfLogs
d-r---         6/1/2022  12:43 PM                Program Files
d-----        11/3/2021   4:50 PM                Program Files (x86)
d-----        11/1/2021   3:21 PM                Shares
d-----       11/20/2023   3:33 PM                Temp
d-r---        11/5/2021   2:56 PM                Users
d-----         6/8/2022  11:39 PM                Windows

During my examination of the entire file system following the initial enumeration, I discovered that the SMB server is linked to the C:\Shares directory.

*evil-winrm* ps c:\> tree /F /A C:\Shares
Folder PATH listing
Volume serial number is 5805-B4B6
c:\SHARES
+---HR
+---IT
|   +---Apps
|   |   \---Sales Order Client
|   |           ScrambleClient.exe
|   |           ScrambleLib.dll
|   |
|   +---Logs
|   \---Reports
+---Production
+---Public
|       Network Security Changes.pdf
|
\---Sales

Looking further into the C:\Shares directory, the miscsvc account is able to access the IT share, which appears to contain 2 client-side binaries for the Sales Order application that I enumerated earlier.

Sales Order Client


┌──(kali㉿kali)-[~/…/htb/labs/scrambled/smb]
└─$ KRB5CCNAME=../miscsvc@dc1.scrm.local.ccache impacket-smbclient scrm.local/@dc1.scrm.local -no-pass -k -dc-ip $IP  
Impacket v0.11.0 - Copyright 2023 Fortra
 
Type help for list of commands
# use IT
# ls
drw-rw-rw-          0  Wed Nov  3 20:32:55 2021 .
drw-rw-rw-          0  Wed Nov  3 20:32:55 2021 ..
drw-rw-rw-          0  Wed Nov  3 22:06:32 2021 Apps
drw-rw-rw-          0  Wed Nov  3 20:32:44 2021 Logs
drw-rw-rw-          0  Wed Nov  3 20:32:55 2021 Reports
 
# get Apps/Sales Order Client/ScrambleClient.exe
# get Apps/Sales Order Client/ScrambleLib.dll

The Apps directory seems to be the only populated directory. I will download those 2 executables to Kali for further enumeration.

┌──(kali㉿kali)-[~/…/smb/IT/Apps/Sales Order Client]
└─$ file ScrambleClient.exe                                                  
ScrambleClient.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
 
┌──(kali㉿kali)-[~/…/smb/IT/Apps/Sales Order Client]
└─$ file ScrambleLib.dll   
ScrambleLib.dll: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections

Both executables are x86 binaries written in C#.
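As an added example (not part of the original write-up), this Python code reads the PE header fields behind the `file` output above, plus the CLR header flags. For a managed PE32 image the Machine field alone does not show whether it is x86-only or AnyCPU; the `32BITREQUIRED` flag does. The image returned by `build_sample()` is constructed for illustration and its values are not taken from ScrambleClient.exe.

```python
import struct

def triage_pe(data: bytes) -> dict:
    """Report machine type and CLR header details of a PE image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    pe32 = struct.unpack_from("<H", data, opt)[0] == 0x10B  # 0x20B would be PE32+
    dirs = opt + (96 if pe32 else 112)                      # data directory array
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]     # NumberOfRvaAndSizes
    clr_rva = struct.unpack_from("<I", data, dirs + 14 * 8)[0] if ndirs > 14 else 0
    info = {"machine": {0x14C: "x86", 0x8664: "x64"}.get(machine, hex(machine)),
            "managed": clr_rva != 0, "runtime": None, "x86_only": None}
    if not clr_rva:
        return info
    # Translate the CLR header RVA to a file offset through the section table.
    sections = opt + opt_size
    for i in range(nsect):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, sections + 40 * i + 8)
        if vaddr <= clr_rva < vaddr + max(vsize, rsize):
            off = clr_rva - vaddr + rptr
            break
    else:
        raise ValueError("CLR header RVA is outside every section")
    # IMAGE_COR20_HEADER: cb, runtime major/minor, metadata RVA/size, flags
    _, major, minor, _, _, flags = struct.unpack_from("<IHHIII", data, off)
    info["runtime"] = f"{major}.{minor}"
    info["x86_only"] = bool(flags & 0x2)    # COMIMAGE_FLAGS_32BITREQUIRED
    return info

def build_sample(flags: int) -> bytes:
    """Constructed minimal PE32 image with a CLR header (not a real binary)."""
    img = bytearray(0x400)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                 # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<I", img, opt + 92, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 14 * 8, 0x2008, 72)   # CLR directory
    struct.pack_into("<8sIIII", img, opt + 224, b".text", 0x200, 0x2000, 0x200, 0x200)
    struct.pack_into("<IHHIII", img, 0x208, 72, 2, 5, 0x2050, 0x100, flags)
    return bytes(img)

if __name__ == "__main__":
    print(triage_pe(build_sample(0x3)))     # ILONLY | 32BITREQUIRED
```

To check a downloaded file, pass its bytes instead, for example `triage_pe(open("ScrambleClient.exe", "rb").read())`.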

┌──(kali㉿kali)-[~/…/smb/IT/Apps/Sales Order Client]
└─$ mono ScrambleClient.exe
The entry point method could not be loaded due to Could not load file or assembly 'PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies.

Attempting to execute the ScrambleClient.exe file via the Mono runtime fails. The error indicates that it couldn’t load the assembly PresentationFramework with the specified version, culture, and public key token.

The PresentationFramework assembly is part of the Windows Presentation Foundation (WPF), which is a UI framework for .NET. According to the official documentation of Mono, WPF is NOT SUPPORTED.

I will port the program out to a Windows environment for further enumeration.