SMB


Nmap discovered a Samba service on the target's ports 139 and 445. The running service is Samba smbd 4.6.2.

Null Session


┌──(kali㉿kali)-[~/archive/htb/labs/writer]
└─$ smbmap -H $IP -u '' -p ''
[+] IP: 10.10.11.101:445	Name: 10.10.11.101                                      
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	print$                                            	NO ACCESS	Printer Drivers
	writer2_project                                   	NO ACCESS	
	IPC$                                              	NO ACCESS	IPC Service (writer server (Samba, Ubuntu))

While the target Samba server appears to allow anonymous (null-session) access, the lack of privileges prevents direct access to any of the shares. The writer2_project share is the only non-default share.

┌──(kali㉿kali)-[~/archive/htb/labs/writer]
└─$ smbclient //$IP/writer2_project             
Password for [WORKGROUP\kali]:
tree connect failed: NT_STATUS_ACCESS_DENIED

As expected, I am unable to access the share.

┌──(kali㉿kali)-[~/archive/htb/labs/writer]
└─$ enum4linux -a -r -o -n -A -U $IP
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Apr 19 11:15:57 2023
 
 =========================================( Target Information )=========================================
 
Target ........... 10.10.11.101
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
 
 ============================( Enumerating Workgroup/Domain on 10.10.11.101 )============================
 
[+] Got domain/workgroup name: WORKGROUP
 
 ================================( Nbtstat Information for 10.10.11.101 )================================
 
Looking up status of 10.10.11.101
	WRITER          <00> -         B <ACTIVE>  Workstation Service
	WRITER          <03> -         B <ACTIVE>  Messenger Service
	WRITER          <20> -         B <ACTIVE>  File Server Service
	..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
	WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
	WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
	WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
 
	MAC Address = 00-00-00-00-00-00
 
 ===================================( Session Check on 10.10.11.101 )===================================
 
[+] Server 10.10.11.101 allows sessions using username '', password ''
 
 ================================( Getting domain SID for 10.10.11.101 )================================
 
 ===================================( OS information on 10.10.11.101 )===================================
 
[E] Can't get OS info with smbclient
 
[+] Got OS info for 10.10.11.101 from srvinfo: 
	WRITER         Wk Sv PrQ Unx NT SNT writer server (Samba, Ubuntu)
	platform_id     :	500
	os version      :	6.1
	server type     :	0x809a03
 
 =======================================( Users on 10.10.11.101 )=======================================
 
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: kyle	Name: Kyle Travis	Desc: 
 
user:[kyle] rid:[0x3e8]
 
 =================================( Share Enumeration on 10.10.11.101 )=================================
 
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
 
	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	writer2_project Disk      
	IPC$            IPC       IPC Service (writer server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
 
[+] Attempting to map shares on 10.10.11.101
 
//10.10.11.101/print$	Mapping: DENIED Listing: N/A Writing: N/A
//10.10.11.101/writer2_project	Mapping: DENIED Listing: N/A Writing: N/A
 
[E] Can't understand response:
 
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//10.10.11.101/IPC$	Mapping: N/A Listing: N/A Writing: N/A
 
 ============================( Password Policy Information for 10.10.11.101 )============================
 
[+] Attaching to 10.10.11.101 using a NULL share
 
[+] Trying protocol 139/SMB...
 
[+] Found domain(s):
 
	[+] WRITER
	[+] Builtin
 
 =======================================( Groups on 10.10.11.101 )=======================================
 
[...REDACTED...]
 
 ==================( Users on 10.10.11.101 via RID cycling (RIDS: 500-550,1000-1050) )==================
 
[I] Found new SID: 
S-1-22-1
 
[I] Found new SID: 
S-1-5-32
 
[I] Found new SID: 
S-1-5-32
 
[I] Found new SID: 
S-1-5-32
 
[I] Found new SID: 
S-1-5-32
 
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
 
S-1-22-1-1000 Unix User\kyle (Local User)
S-1-22-1-1001 Unix User\john (Local User)
 
[+] Enumerating users using SID S-1-5-21-1663171886-1921258872-720408159 and logon username '', password ''
 
S-1-5-21-1663171886-1921258872-720408159-501 WRITER\nobody (Local User)
S-1-5-21-1663171886-1921258872-720408159-513 WRITER\None (Domain Group)
S-1-5-21-1663171886-1921258872-720408159-1000 WRITER\kyle (Local User)
 
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
 
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
 
 ===============================( Getting printer info for 10.10.11.101 )===============================
 
No printers returned.
 
enum4linux complete on Wed Apr 19 11:22:53 2023

enum4linux returned two system users: kyle and john.
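As an added example (not part of the original writeup), the following Python turns the RID-cycling lines enum4linux printed above into structured principals and classifies the three SID authorities they come from: S-1-22-1 is Samba's Unix-user authority (the RID is the uid), S-1-5-21-... is the server's own machine SID, and S-1-5-32 is BUILTIN. The sample input is copied from the output above; a defender can run the same parse against their own null-session check to list which real accounts the server exposes.

```python
import re
from dataclasses import dataclass

# Constructed sample: the account lines from the enum4linux RID-cycling output above.
SAMPLE = """\
S-1-22-1-1000 Unix User\\kyle (Local User)
S-1-22-1-1001 Unix User\\john (Local User)
S-1-5-21-1663171886-1921258872-720408159-501 WRITER\\nobody (Local User)
S-1-5-21-1663171886-1921258872-720408159-513 WRITER\\None (Domain Group)
S-1-5-21-1663171886-1921258872-720408159-1000 WRITER\\kyle (Local User)
S-1-5-32-544 BUILTIN\\Administrators (Local Group)
S-1-5-32-545 BUILTIN\\Users (Local Group)
"""

# "<SID> <domain>\<name> (<kind>)"; the domain part may contain a space ("Unix User").
LINE_RE = re.compile(
    r"^(S-1-\d+(?:-\d+)+)\s+([^\\]+)\\(.+?)\s+\((Local User|Local Group|Domain Group)\)\s*$"
)

@dataclass(frozen=True)
class Principal:
    sid: str
    domain: str
    name: str
    kind: str

    @property
    def rid(self) -> int:
        return int(self.sid.rsplit("-", 1)[1])

    @property
    def authority(self) -> str:
        base = self.sid.rsplit("-", 1)[0]
        if base == "S-1-22-1":             # Samba's Unix-users authority: RID == uid
            return "unix"
        if base == "S-1-5-32":             # BUILTIN well-known local groups
            return "builtin"
        if base.startswith("S-1-5-21-"):   # the server's own machine/domain SID
            return "machine"
        return "other"

def parse(text: str) -> list[Principal]:
    """Parse RID-cycling lines; lines that are not account entries are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append(Principal(*m.groups()))
    return out

def exposed_accounts(principals: list[Principal]) -> set[str]:
    """Real user accounts (RID >= 1000, i.e. not well-known ones like nobody/501) a null session revealed."""
    return {p.name for p in principals if p.kind == "Local User" and p.rid >= 1000}
```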

kyle session


During the enumeration of the web server, I identified a SQL injection vulnerability that allowed me to read system files. Further investigation revealed that the server was hosting a Python application, and one of the crucial application files stored a database credential. However, the credential failed to authenticate against the SSH server, indicating that password reuse was not employed.

I am now planning to test the credential against the SMB server.

┌──(kali㉿kali)-[~/archive/htb/labs/writer]
└─$ cme smb $IP -u users -p ToughPasswordToCrack --continue-on-success
smb         10.10.11.101    445    writer           [*] windows 6.1 build 0 (name:WRITER) (domain:) (signing:False) (SMBv1:False)
smb         10.10.11.101    445    writer           [-] \john:ToughPasswordToCrack STATUS_LOGON_FAILURE
smb         10.10.11.101    445    writer           [+] \kyle:ToughPasswordToCrack  

The password is valid for the kyle user.

┌──(kali㉿kali)-[~/archive/htb/labs/writer]
└─$ smbmap -H $IP -u kyle -p ToughPasswordToCrack
[+] ip: 10.10.11.101:445	Name: writer.htb                                        
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	print$                                            	READ ONLY	Printer Drivers
	writer2_project                                   	READ, WRITE	
	IPC$                                              	NO ACCESS	IPC Service (writer server (Samba, Ubuntu))

The kyle user has both read and write access to the writer2_project share. The writer2_project share resembles the /var/www/writer2_project/writer2_project directory, which, according to the earlier enumeration, is supposed to be the UNDEPLOYED development version of the web application.