SMB


Nmap discovered a Windows Directory service on target ports 139 and 445.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hutch]
└─$ nmap --script smb-enum-shares -sV -p139,445 $IP                            
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-01 14:54 CEST
Nmap scan report for hutchdc.hutch.offsec (192.168.187.122)
Host is up (1.5s latency).
 
PORT    STATE SERVICE       VERSION
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.61 seconds

Share mapping failed

Null Session


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hutch]
└─$ nxc smb $IP -u '' -p '' --shares --interfaces           
SMB         192.168.187.122 445    HUTCHDC          [*] Windows 10 / Server 2019 Build 17763 x64 (name:HUTCHDC) (domain:hutch.offsec) (signing:True) (SMBv1:False)
SMB         192.168.187.122 445    HUTCHDC          [+] hutch.offsec\: 
SMB         192.168.187.122 445    HUTCHDC          [-] Error enumerating shares: STATUS_ACCESS_DENIED

The target SMB server allows guest access, but a lack of privileges prevents enumerating the shares.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hutch]
└─$ smbclient -L //$IP/    
lpcfg_do_global_parameter: WARNING: The "syslog" option is deprecated
Password for [WORKGROUP\kali]:
Anonymous login successful
 
	Sharename       Type      Comment
	---------       ----      -------
SMB1 disabled -- no workgroup available

The target SMB server also allows anonymous access, but a lack of privileges prevents enumerating the shares.

fmcsorley Session


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hutch]
└─$ KRB5CCNAME=fmcsorley@hutchdc.hutch.offsec.ccache FindDomainShare HUTCH.OFFSEC/fmcsorley@hutchdc.hutch.offsec -k -no-pass -dc-ip $IP -check-access -check-admin     
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
[*] Starting domain share enumeration at 2025-05-01 15:53:57
[*] Connecting to LDAP at HUTCHDC
[*] LDAP connection successful
[*] Found 1 computers in the domain
[*] Found 5 shares on hutchdc.hutch.offsec
[*] Enumeration completed in 0:00:01.205308. Found 5 shares.
 
Found 5 shares:
------------------------------------------------------------------------------------------------
Computer             Share    Type             Admin  Read  Write OS                   Remark    
------------------------------------------------------------------------------------------------
hutchdc.hutch.offsec ADMIN$   Unknown (Hidden) No     No    No    Windows Server 2019  Remote Adm
hutchdc.hutch.offsec C$       Unknown (Hidden) No     No    No    Windows Server 2019  Default sh
hutchdc.hutch.offsec IPC$     Disk (Hidden)    No     Yes   No    Windows Server 2019  Remote IPC
hutchdc.hutch.offsec NETLOGON Unknown          No     Yes   No    Windows Server 2019  Logon serv
hutchdc.hutch.offsec SYSVOL   Unknown          No     Yes   No    Windows Server 2019  Logon serv

Enumerating the target SMB server with FindDomainShare, using the TGT of the compromised fmcsorley user. All default shares.
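To check the FindDomainShare table above programmatically, the following added example (not part of the original notes or of the tool) slices the fixed-width output by the header's column offsets and flags anything beyond the default domain controller shares or with write/admin access. The `Backups` row is constructed for illustration and does not exist on the target; the function names and the default-share set are assumptions of this example.

```python
import re

# Shares a domain controller exposes out of the box (the five listed above).
DC_DEFAULT_SHARES = {"ADMIN$", "C$", "IPC$", "NETLOGON", "SYSVOL"}
COLUMNS = ["Computer", "Share", "Type", "Admin", "Read", "Write", "OS", "Remark"]

# Table copied from the output above, plus one constructed row ("Backups")
# that is NOT on the target; it only shows what a finding looks like.
SAMPLE = """\
Computer             Share    Type             Admin  Read  Write OS                   Remark
------------------------------------------------------------------------------------------------
hutchdc.hutch.offsec ADMIN$   Unknown (Hidden) No     No    No    Windows Server 2019  Remote Adm
hutchdc.hutch.offsec C$       Unknown (Hidden) No     No    No    Windows Server 2019  Default sh
hutchdc.hutch.offsec IPC$     Disk (Hidden)    No     Yes   No    Windows Server 2019  Remote IPC
hutchdc.hutch.offsec NETLOGON Unknown          No     Yes   No    Windows Server 2019  Logon serv
hutchdc.hutch.offsec SYSVOL   Unknown          No     Yes   No    Windows Server 2019  Logon serv
hutchdc.hutch.offsec Backups  Disk             No     Yes   Yes   Windows Server 2019  (example)
"""

def parse_share_table(text):
    """Slice the fixed-width table using the header's column offsets.

    Splitting on whitespace would break on values such as "Unknown (Hidden)".
    """
    lines = text.splitlines()
    hdr = next(i for i, l in enumerate(lines) if l.split() == COLUMNS)
    starts = [m.start() for m in re.finditer(r"\S+", lines[hdr])]
    ends = starts[1:] + [None]
    rows = []
    for line in lines[hdr + 1:]:
        if not line.strip() or set(line.strip()) == {"-"}:
            continue  # skip blank lines and the dashed rule
        cells = [line[s:e].strip() for s, e in zip(starts, ends)]
        rows.append(dict(zip(COLUMNS, cells)))
    return rows

def review(rows):
    """Return (share, reasons) for every share that deserves a closer look."""
    findings = []
    for r in rows:
        reasons = []
        if r["Share"].upper() not in DC_DEFAULT_SHARES:
            reasons.append("non-default share")
        if r["Write"] == "Yes":
            reasons.append("writable by this account")
        if r["Admin"] == "Yes":
            reasons.append("admin access")
        if reasons:
            findings.append((r["Share"], reasons))
    return findings

if __name__ == "__main__":
    for share, reasons in review(parse_share_table(SAMPLE)):
        print(f"{share}: {', '.join(reasons)}")
```
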

SYSVOL Share


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hutch]
└─$ KRB5CCNAME=fmcsorley@hutchdc.hutch.offsec.ccache impacket-smbclient HUTCH.OFFSEC/fmcsorley@hutchdc.hutch.offsec -k -no-pass -dc-ip $IP                       
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
Type help for list of commands
# use SYSVOL
# tree
/hutch.offsec/DfsrPrivate
/hutch.offsec/Policies
/hutch.offsec/scripts
/hutch.offsec/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
/hutch.offsec/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}
/hutch.offsec/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
/hutch.offsec/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE
/hutch.offsec/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER
/hutch.offsec/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI
/hutch.offsec/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE
/hutch.offsec/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/USER
/hutch.offsec/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft
/hutch.offsec/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol
/hutch.offsec/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Scripts
/hutch.offsec/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Applications
/hutch.offsec/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/comment.cmtx
/hutch.offsec/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft
/hutch.offsec/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Registry.pol
/hutch.offsec/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Scripts
/hutch.offsec/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT
/hutch.offsec/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Scripts/Shutdown
/hutch.offsec/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Scripts/Startup
/hutch.offsec/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT
/hutch.offsec/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Scripts/Shutdown
/hutch.offsec/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Scripts/Startup
/hutch.offsec/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit
/hutch.offsec/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit
/hutch.offsec/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf
/hutch.offsec/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf
Finished - 30 files and folders

Nothing notable