SMB


Nmap found SMB exposed on ports 139 and 445 of the target, a Windows host whose name, dc, suggests a domain controller

┌──(kali㉿kali)-[~/archive/htb/labs/support]
└─$ nmap -Pn --script smb-enum-shares -sV -p139,445 $IP
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-04 06:53 CEST
Nmap scan report for dc (10.10.11.174)
Host is up (0.12s latency).
 
PORT    STATE SERVICE       VERSION
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.91 seconds

The smb-enum-shares script produced no share listing here, so I enumerate the shares manually with smbclient instead

Null Session


┌──(kali㉿kali)-[~/archive/htb/labs/support]
└─$ smbclient -L //dc.support.htb/     
Password for [WORKGROUP\kali]:
 
	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	support-tools   Disk      support staff tools
	SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to dc.support.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

The SMB server permits a null session: pressing Enter at the password prompt lists the shares without any credentials. Apart from the default ADMIN$, C$, IPC$, NETLOGON and SYSVOL shares, //dc.support.htb/support-tools is the only non-default share

//dc.support.htb/support-tools


┌──(kali㉿kali)-[~/archive/htb/labs/support]
└─$ smbclient //dc.support.htb/support-tools
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jul 20 19:01:06 2022
  ..                                  D        0  Sat May 28 13:18:25 2022
  7-ZipPortable_21.07.paf.exe         A  2880728  Sat May 28 13:19:19 2022
  npp.8.4.1.portable.x64.zip          A  5439245  Sat May 28 13:19:55 2022
  putty.exe                           A  1273576  Sat May 28 13:20:06 2022
  SysinternalsSuite.zip               A 48102161  Sat May 28 13:19:31 2022
  UserInfo.exe.zip                    A   277499  Wed Jul 20 19:01:07 2022
  windirstat1_1_2_setup.exe           A    79171  Sat May 28 13:20:17 2022
  WiresharkPortable64_3.6.5.paf.exe   A 44398000  Sat May 28 13:19:43 2022
 
		4026367 blocks of size 4096. 968258 blocks available

The //dc.support.htb/support-tools share is also readable anonymously. Judging by its name and contents, it is a common storage area where the support team keeps the tools it uses to provision and troubleshoot infrastructure.

Most of the files are well-known, publicly available tools (7-Zip, Notepad++, PuTTY, the Sysinternals Suite, WinDirStat and Wireshark). UserInfo.exe.zip is not a tool I recognise and looks custom-built; it is also the only file with a different modification date (20 July rather than 28 May), which suggests it was dropped into the share later than the rest
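The null-session triage above (list shares, drop the default ones, read the non-default share, spot the file that does not belong) can be scripted. The following is an added example and not part of the original write-up: its parsers operate on the text smbclient prints, so they can be checked offline against the listing captured above, and when run as a script with a hostname they drive `smbclient -N` (null session) for you. The hostname default and the sample strings are taken from this page; everything else is assumed.

```python
"""Triage null-session SMB shares from smbclient output.

Added example, not part of the original write-up. The parsers work on the text
smbclient prints, so they can be exercised offline on the listing captured above;
run as a script with a hostname, they drive `smbclient -N` (null session) for you.
"""
import re
import subprocess
import sys
from collections import Counter
from datetime import datetime

# Shares every Windows host (and every domain controller) exposes by default.
# NETLOGON and SYSVOL are still worth browsing on a DC, but they are expected there.
DEFAULT_SHARES = {"ADMIN$", "C$", "IPC$", "NETLOGON", "SYSVOL", "print$"}

SHARE_RE = re.compile(r"^\s*(\S+)\s+(Disk|IPC|Printer)\b")
# One `ls` line: name, attribute letters (A/D/H/S...), size, asctime-style date.
ENTRY_RE = re.compile(
    r"^\s*(?P<name>.+?)\s+(?P<attr>[A-Za-z]+)\s+(?P<size>\d+)\s+"
    r"(?P<date>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s*$"
)

# Constructed sample input: the share list and directory listing shown above.
SAMPLE_SHARE_LIST = """\
    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    IPC$            IPC       Remote IPC
    NETLOGON        Disk      Logon server share
    support-tools   Disk      support staff tools
    SYSVOL          Disk      Logon server share
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
"""
SAMPLE_LISTING = """\
  .                                   D        0  Wed Jul 20 19:01:06 2022
  ..                                  D        0  Sat May 28 13:18:25 2022
  7-ZipPortable_21.07.paf.exe         A  2880728  Sat May 28 13:19:19 2022
  npp.8.4.1.portable.x64.zip          A  5439245  Sat May 28 13:19:55 2022
  putty.exe                           A  1273576  Sat May 28 13:20:06 2022
  SysinternalsSuite.zip               A 48102161  Sat May 28 13:19:31 2022
  UserInfo.exe.zip                    A   277499  Wed Jul 20 19:01:07 2022
  windirstat1_1_2_setup.exe           A    79171  Sat May 28 13:20:17 2022
  WiresharkPortable64_3.6.5.paf.exe   A 44398000  Sat May 28 13:19:43 2022

        4026367 blocks of size 4096. 968258 blocks available
"""


def parse_share_list(text):
    """Return {share_name: type} from `smbclient -L` output."""
    shares = {}
    for line in text.splitlines():
        m = SHARE_RE.match(line)
        if m:
            shares[m.group(1)] = m.group(2)
    return shares


def parse_dir_listing(text):
    """Return [(name, attrs, size, mtime)] from `smbclient ... -c ls` output, skipping . and .."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m or m["name"] in (".", ".."):
            continue
        mtime = datetime.strptime(m["date"], "%a %b %d %H:%M:%S %Y")
        entries.append((m["name"], m["attr"], int(m["size"]), mtime))
    return entries


def nondefault_shares(shares):
    """Disk shares that are not part of the Windows/DC default set."""
    return sorted(n for n, kind in shares.items() if kind == "Disk" and n not in DEFAULT_SHARES)


def date_outliers(entries):
    """Names of files whose modification date differs from the date most files share.

    A tooling share populated in one go has one dominant date; a file dropped
    in later (here UserInfo.exe.zip) stands out and deserves a closer look.
    """
    if not entries:
        return []
    common = Counter(e[3].date() for e in entries).most_common(1)[0][0]
    return sorted(e[0] for e in entries if e[3].date() != common)


def smbclient(*args, timeout=60):
    """Run smbclient as a null session (-N: no password prompt) and return stdout."""
    proc = subprocess.run(["smbclient", "-N", *args], capture_output=True, text=True, timeout=timeout)
    return proc.stdout


def main(host):
    shares = parse_share_list(smbclient("-L", f"//{host}/"))
    for share in nondefault_shares(shares):
        listing = parse_dir_listing(smbclient(f"//{host}/{share}", "-c", "ls"))
        if not listing:
            print(f"[{share}] not readable anonymously or empty")
            continue
        print(f"[{share}] {len(listing)} entries; date outliers: {date_outliers(listing)}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "dc.support.htb")
```

Run it as `python3 smbtriage.py dc.support.htb`; on the listing above it reports support-tools as the only non-default share and UserInfo.exe.zip as the single date outlier. The parsers are deliberately tolerant of the noise smbclient adds (the SMB1 fallback messages, the blocks summary line), which is what breaks naive `awk` pipelines.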

smb: \> get UserInfo.exe.zip
getting file \UserInfo.exe.zip of size 277499 as UserInfo.exe.zip (103.6 KiloBytes/sec) (average 103.6 KiloBytes/sec)

I download the unknown archive to Kali for further analysis

UserInfo.exe


┌──(kali㉿kali)-[~/…/htb/labs/support/smb]
└─$ unzip UserInfo.exe.zip   
Archive:  UserInfo.exe.zip
  inflating: UserInfo.exe            
  inflating: CommandLineParser.dll   
  inflating: Microsoft.Bcl.AsyncInterfaces.dll  
  inflating: Microsoft.Extensions.DependencyInjection.Abstractions.dll  
  inflating: Microsoft.Extensions.DependencyInjection.dll  
  inflating: Microsoft.Extensions.Logging.Abstractions.dll  
  inflating: System.Buffers.dll      
  inflating: System.Memory.dll       
  inflating: System.Numerics.Vectors.dll  
  inflating: System.Runtime.CompilerServices.Unsafe.dll  
  inflating: System.Threading.Tasks.Extensions.dll  
  inflating: UserInfo.exe.config

Extracting the archive yields the binary, its dependency DLLs and the application configuration file. The DLL names (CommandLineParser, Microsoft.Extensions.DependencyInjection, Microsoft.Extensions.Logging) are NuGet packages, so this is a .NET application rather than a native tool

config


┌──(kali㉿kali)-[~/…/htb/labs/support/smb]
└─$ cat UserInfo.exe.config
<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <startup> 
        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
    </startup>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-6.0.0.0" newVersion="6.0.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>

The configuration file shows that the binary targets .NET Framework 4.8 and carries a binding redirect for System.Runtime.CompilerServices.Unsafe, but it holds nothing sensitive such as connection strings, hostnames or credentials

binary


┌──(kali㉿kali)-[~/…/htb/labs/support/smb]
└─$ file UserInfo.exe    
UserInfo.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections

file identifies the binary as a .NET (CIL) assembly rather than a native x86 executable; the Intel 80386 machine type is what PE32 .NET assemblies report, including AnyCPU builds. Because it is managed code, it does not have to be moved to a Windows host for analysis: it can be executed locally on Kali under Mono and, being CIL, decompiled rather than disassembled
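What `file` is actually keying on when it prints "Mono/.Net assembly" is the CLR runtime header: data-directory slot 14 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) of the PE optional header is non-zero. The following is an added example, not code from the write-up, that performs that check directly so a sample can be classified as managed code before anything is executed. It does not ship UserInfo.exe; the test input is a constructed, headers-only PE built in memory, and the field offsets come from the PE/COFF specification.

```python
"""Identify a managed (.NET/CIL) PE without executing it.

Added example, not code from the write-up. `file` reports "Mono/.Net assembly"
because the PE optional header's data-directory slot 14 (the CLR runtime header,
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) is populated. The same check tells you a
sample is CIL, so it can run under Mono and be decompiled rather than disassembled.
build_minimal_pe() is a constructed, headers-only test input, not UserInfo.exe.
"""
import struct
import sys

IMAGE_FILE_MACHINE_I386 = 0x014C   # also reported by AnyCPU .NET assemblies
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
COM_DESCRIPTOR_INDEX = 14          # CLR runtime header slot in the data directories
# COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
COFF_HEADER_FMT = "<HHIIIHH"


def pe_info(data: bytes) -> dict:
    """Return machine type, PE32/PE32+ flag and whether a CLR header is present."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, data, coff)
    opt = coff + struct.calcsize(COFF_HEADER_FMT)
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        nrva_off, dd_off = opt + 92, opt + 96     # NumberOfRvaAndSizes, first data directory
    elif magic == PE32PLUS_MAGIC:
        nrva_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    nrvas = struct.unpack_from("<I", data, nrva_off)[0]
    clr_rva = clr_size = 0
    entry = dd_off + 8 * COM_DESCRIPTOR_INDEX
    # Guard against an optional header that declares fewer than 15 directories.
    if nrvas > COM_DESCRIPTOR_INDEX and entry + 8 <= opt + opt_size:
        clr_rva, clr_size = struct.unpack_from("<II", data, entry)
    return {"machine": machine, "pe32plus": magic == PE32PLUS_MAGIC,
            "dotnet": clr_rva != 0 and clr_size != 0}


def is_dotnet_assembly(data: bytes) -> bool:
    return pe_info(data)["dotnet"]


def build_minimal_pe(machine=IMAGE_FILE_MACHINE_I386, dotnet=True) -> bytes:
    """Constructed test input: DOS header + PE32 headers with 16 data directories, no sections."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))               # e_lfanew: PE header follows the DOS header
    opt = bytearray(224)                                       # PE32 optional header incl. 16 data dirs
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    if dotnet:
        # Any non-zero RVA/size in slot 14 marks the image as managed code.
        struct.pack_into("<II", opt, 96 + 8 * COM_DESCRIPTOR_INDEX, 0x2008, 0x48)
    coff = struct.pack(COFF_HEADER_FMT, machine, 0, 0, 0, 0, len(opt), 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_minimal_pe()
    info = pe_info(blob)
    print(f"{path or '<constructed sample>'}: machine={info['machine']:#06x} "
          f"pe32plus={info['pe32plus']} dotnet={info['dotnet']}")
```

`python3 peclr.py UserInfo.exe` prints the machine type and whether the CLR directory is present. Machine type alone is not enough to decide: a PE32 with machine 0x014c and an empty slot 14 is native x86 code that Mono will not run, while a PE32+ with machine 0x8664 and a populated slot 14 is still a .NET assembly.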