SMB


Nmap discovered a Microsoft Windows Directory service on target ports 139 and 445

Null Session


┌──(kali㉿kali)-[~/archive/htb/labs/servmon]
└─$ smbclient -L //$IP/        
Password for [WORKGROUP\kali]:
session setup failed: NT_STATUS_ACCESS_DENIED

The SMB server doesn’t allow anonymous login

Nothing to do here without a valid credential

Nadine Session


┌──(kali㉿kali)-[~/archive/htb/labs/servmon]
└─$ smbmap -H $IP -u 'nadine' -p 'L1k3B1gBut7s@W0rk'    
[+] ip: 10.10.10.184:445	Name: servmon                                           
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	READ ONLY	Remote IPC

Initially, the credential was extracted by exploiting the directory traversal vulnerability against the web server. Unfortunately, the SMB server is hosting only the default shares

┌──(kali㉿kali)-[~/archive/htb/labs/servmon]
└─$ impacket-lookupsid 'nadine:L1k3B1gBut7s@W0rk@$IP' -target-ip $IP 
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[*] Brute forcing SIDs at $IP
[*] stringbinding ncacn_np:$IP[\pipe\lsarpc]
[*] domain sid is: S-1-5-21-3217154428-562821044-1828981534
500: SERVMON\Administrator (SidTypeUser)
501: SERVMON\Guest (SidTypeUser)
503: SERVMON\DefaultAccount (SidTypeUser)
504: SERVMON\WDAGUtilityAccount (SidTypeUser)
513: SERVMON\None (SidTypeGroup)
1000: SERVMON\Nathan (SidTypeUser)
1001: SERVMON\Nadine (SidTypeUser)

I can still get the system users out by brute-forcing SIDs against the IPC$ share. It seems that those are the only users
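The lookupsid output above can be read as an account inventory. The following is an added example, not part of the original notes: it parses that output, rebuilds each full SID from the domain SID and RID, and separates built-in principals from accounts created on the host (RIDs from 1000 upward). The function names and the `WELL_KNOWN_RIDS` table are this example's own. The RID stays the same when an account is renamed, so an inventory or alert keyed on RID 500 still finds the built-in Administrator.

```python
import re

# RIDs that Windows assigns to built-in principals on every machine.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 503: "DefaultAccount",
                   504: "WDAGUtilityAccount", 513: "None / Domain Users"}

# Lines copied from the lookupsid output shown on this page.
SAMPLE = r"""
[*] domain sid is: S-1-5-21-3217154428-562821044-1828981534
500: SERVMON\Administrator (SidTypeUser)
501: SERVMON\Guest (SidTypeUser)
503: SERVMON\DefaultAccount (SidTypeUser)
504: SERVMON\WDAGUtilityAccount (SidTypeUser)
513: SERVMON\None (SidTypeGroup)
1000: SERVMON\Nathan (SidTypeUser)
1001: SERVMON\Nadine (SidTypeUser)
"""

SID_RE = re.compile(r"domain sid is:\s*(S-1-5-21(?:-\d+){3})", re.IGNORECASE)
ENTRY_RE = re.compile(r"^(\d+):\s*([^\\]+)\\(.+?)\s+\((SidType\w+)\)$")

def parse_lookupsid(text):
    """Return (domain_sid, entries) parsed from lookupsid output."""
    found = SID_RE.search(text)
    domain_sid = found.group(1) if found else None
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # banner, status lines, blank lines
        rid = int(m.group(1))
        entries.append({
            "rid": rid,
            "sid": f"{domain_sid}-{rid}" if domain_sid else None,
            "name": m.group(3),
            "type": m.group(4),
            "built_in": rid in WELL_KNOWN_RIDS,
        })
    return domain_sid, entries

def created_users(entries):
    """User accounts that are not built-in; Windows allocates their RIDs from 1000."""
    return [e["name"] for e in entries
            if e["type"] == "SidTypeUser" and e["rid"] >= 1000]

if __name__ == "__main__":
    sid, parsed = parse_lookupsid(SAMPLE)
    for e in parsed:
        print(e["sid"], e["name"], "built-in" if e["built_in"] else "created")
```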