SMB


Nmap discovered a Windows Directory service on the target port 445. Nmap also returned some basic information, such as hostname and OS version, through the SMB service.

Null Session


┌──(kali㉿kali)-[~/archive/htb/labs/secnotes]
└─$ smbclient -L //$IP/                     
Password for [WORKGROUP\kali]:
session setup failed: NT_STATUS_ACCESS_DENIED

Anonymous login is not allowed on the SMB server.

Nothing to do without a valid credential.

tyler session


There were multiple ways to login to the web application as the tyler user, including changing the password through CSRF, authentication bypass through 2nd Order SQLi, and just plain simple authentication brute-force. Then there was an SMB credential lying around in the form of a note.

┌──(kali㉿kali)-[~/archive/htb/labs/secnotes]
└─$ smbmap -H secnotes.htb -u tyler -p '92g!mA8BGjOirkL%OG*&'   
[+] ip: secnotes.htb:445	Name: unknown                                           
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	READ ONLY	Remote IPC
	new-site                                          	READ, WRITE	

The credential is VALID. It’s a system credential.

As noted in the note, there is an SMB share that the tyler user has access to: new-site.

Serving/Mirroring the web server


┌──(kali㉿kali)-[~/archive/htb/labs/secnotes]
└─$ smbclient //secnotes.htb/new-site -U 'tyler%92g!mA8BGjOirkL%OG*&' 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jan 25 00:29:42 2023
  ..                                  D        0  Wed Jan 25 00:29:42 2023
  iisstart.htm                        A      696  Thu Jun 21 17:26:03 2018
  iisstart.png                        A    98757  Thu Jun 21 17:26:03 2018
 
		7736063 blocks of size 4096. 3338479 blocks available

Connecting to the //secnotes.htb/new-site SMB share, there are two files, and those files are part of the Windows IIS installation. I got a feeling that this SMB share is serving/mirroring the web server running on the target port 8808, which I enumerated earlier and found nothing of interest on.

I can confirm my theory by uploading a test file and checking it on the web server.

┌──(kali㉿kali)-[~/archive/htb/labs/secnotes]
└─$ echo 'This file was uploaded from the `//secnotes.htb/new-site` SMB share' > test.txt

A test file with some content: test.txt.

smb: \> put test.txt 
putting file test.txt as \test.txt (0.7 kb/s) (average 0.7 kb/s)

The test file is uploaded to the //secnotes.htb/new-site SMB share.
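The misconfiguration exploited here is a writable SMB share that sits on top of an IIS web root. The following PowerShell audit is an added example (not part of the original write-up) that flags that condition on a Windows/IIS host; it assumes the SmbShare and WebAdministration modules are available and that it runs elevated.

```powershell
# Added example: find SMB shares whose path overlaps an IIS site's physical
# root and that grant Change/Full share access. Assumes a Windows host with
# IIS installed (WebAdministration) and an elevated session.
Import-Module SmbShare
Import-Module WebAdministration

function Test-PathUnder {
    # True when $Child is $Parent or lies beneath it (case-insensitive).
    param([string]$Child, [string]$Parent)
    $c = [IO.Path]::GetFullPath($Child).TrimEnd('\') + '\'
    $p = [IO.Path]::GetFullPath($Parent).TrimEnd('\') + '\'
    return $c.StartsWith($p, [StringComparison]::OrdinalIgnoreCase)
}

# Resolve every IIS site's physical root (may contain %SystemDrive% etc.).
$webRoots = Get-Website | ForEach-Object {
    [pscustomobject]@{
        Site = $_.Name
        Path = [Environment]::ExpandEnvironmentVariables($_.physicalPath)
    }
}

# Share-level rights that allow writing content into the share.
$writeRights = @('Full', 'Change')

# Skip administrative shares (C$, ADMIN$, IPC$) so only user shares are reported.
$findings = foreach ($share in Get-SmbShare | Where-Object { $_.Path -and -not $_.Special }) {
    foreach ($root in $webRoots) {
        $overlap = (Test-PathUnder $share.Path $root.Path) -or (Test-PathUnder $root.Path $share.Path)
        if (-not $overlap) { continue }
        $writers = Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $writeRights -contains $_.AccessRight } |
            Select-Object -ExpandProperty AccountName
        [pscustomobject]@{
            Share       = $share.Name
            SharePath   = $share.Path
            Site        = $root.Site
            WebRoot     = $root.Path
            WriteAccess = ($writers -join ', ')
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No SMB share overlaps an IIS web root.' }
```

Effective access is the intersection of share permissions and NTFS ACLs, so a share reported with write access should still be checked against the folder's NTFS permissions before being treated as confirmed.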