SMB
Nmap discovered a Windows SMB (netbios-ssn / microsoft-ds) service on target ports 139 and 445
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault]
└─$ nmap --script smb-enum-shares -sV -p139,445 $IP
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-01 20:06 CEST
Nmap scan report for dc.vault.offsec (192.168.187.172)
Host is up (0.018s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.58 seconds
Share mapping failed: the smb-enum-shares script returned no share listing
Null Session
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault]
└─$ nxc smb $IP -u '' -p '' --shares --interfaces
SMB 192.168.187.172 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:vault.offsec) (signing:True) (SMBv1:False)
SMB 192.168.187.172 445 DC [-] vault.offsec\: STATUS_ACCESS_DENIED
SMB 192.168.187.172 445 DC [-] IndexError: list index out of range
SMB 192.168.187.172 445 DC [-] Error enumerating shares: Error occurs while reading from remote(104)
The target SMB server does not allow anonymous (null session) access: an empty username with an empty password is rejected with STATUS_ACCESS_DENIED
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault]
└─$ nxc smb $IP -u ' ' -p '' --shares --interfaces
SMB 192.168.187.172 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:vault.offsec) (signing:True) (SMBv1:False)
SMB 192.168.187.172 445 DC [+] vault.offsec\ : (Guest)
SMB 192.168.187.172 445 DC [*] Enumerated shares
SMB 192.168.187.172 445 DC Share Permissions Remark
SMB 192.168.187.172 445 DC ----- ----------- ------
SMB 192.168.187.172 445 DC ADMIN$ Remote Admin
SMB 192.168.187.172 445 DC C$ Default share
SMB 192.168.187.172 445 DC DocumentsShare READ,WRITE
SMB 192.168.187.172 445 DC IPC$ READ Remote IPC
SMB 192.168.187.172 445 DC NETLOGON Logon server share
SMB 192.168.187.172 445 DC SYSVOL Logon server share
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault]
└─$ smbclient -L //$IP/
lpcfg_do_global_parameter: WARNING: The "syslog" option is deprecated
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
DocumentsShare Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup available
However, it allows guest access: a username consisting of a single space with an empty password is accepted and mapped to the Guest account, which lists the shares. Since read access to IPC$ is granted to Guest, username enumeration through the RID cycling attack is possible
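The following script is an added audit aid, not part of the original notes: it parses the nxc --shares output format shown above (the sample lines are copied from the two runs) and reports whether the tested logon was mapped to Guest and which shares Guest can read or write, so the DocumentsShare and IPC$ findings can be detected automatically in a recurring check.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample: lines copied from the two nxc runs above (null session, then Guest).
NXC_OUTPUT = """\
SMB 192.168.187.172 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:vault.offsec) (signing:True) (SMBv1:False)
SMB 192.168.187.172 445 DC [-] vault.offsec\\: STATUS_ACCESS_DENIED
SMB 192.168.187.172 445 DC [+] vault.offsec\\ : (Guest)
SMB 192.168.187.172 445 DC [*] Enumerated shares
SMB 192.168.187.172 445 DC Share Permissions Remark
SMB 192.168.187.172 445 DC ----- ----------- ------
SMB 192.168.187.172 445 DC ADMIN$ Remote Admin
SMB 192.168.187.172 445 DC DocumentsShare READ,WRITE
SMB 192.168.187.172 445 DC IPC$ READ Remote IPC
SMB 192.168.187.172 445 DC SYSVOL Logon server share
"""

LINE = re.compile(r"^SMB\s+\S+\s+\d+\s+\S+\s+(.*)$")   # strip the "SMB <ip> <port> <host>" prefix
PERMS = {"READ", "WRITE", "READ,WRITE"}

class ShareAudit(NamedTuple):
    guest_login: bool
    shares: Dict[str, List[str]]   # share name -> permissions granted to the tested account
    findings: List[str]

def audit_nxc_shares(output: str) -> ShareAudit:
    guest, shares, in_table = False, {}, False
    for line in output.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        rest = m.group(1).strip()
        if rest.startswith("[+]") and "(Guest)" in rest:
            guest = True                      # logon accepted, but mapped to Guest
        elif rest.startswith("-----"):
            in_table = True                   # header separator: share rows follow
        elif in_table and rest and not rest.startswith("["):
            tokens = rest.split()             # "<share> [perms] [remark...]"
            perms = tokens[1].split(",") if len(tokens) > 1 and tokens[1] in PERMS else []
            shares[tokens[0]] = perms
        elif in_table:
            in_table = False                  # a status line ends the table
    findings = ["guest logon accepted"] if guest else []
    for name, perms in (shares.items() if guest else []):
        if "WRITE" in perms:
            findings.append(f"{name}: writable by Guest")
        if name == "IPC$" and "READ" in perms:
            findings.append("IPC$: readable by Guest (RID cycling possible)")
    return ShareAudit(guest, shares, findings)
```

A null-session run that only yields STATUS_ACCESS_DENIED produces no share table and therefore no findings, which is the expected baseline.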
DocumentsShare Share
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault]
└─$ smbclient //$IP/DocumentsShare
lpcfg_do_global_parameter: WARNING: The "syslog" option is deprecated
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \>
Session established to the DocumentsShare share
smb: \> put test
putting file test as \test (0.0 kb/s) (average 0.0 kb/s)
smb: \> rm test
Write access is granted: a test file can be uploaded and deleted
smb: \> ls
. D 0 Thu May 1 20:10:22 2025
.. D 0 Thu May 1 20:10:22 2025
7706623 blocks of size 4096. 736333 blocks available
The DocumentsShare share is empty
SYSVOL Share
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault]
└─$ smbclient //$IP/SYSVOL
lpcfg_do_global_parameter: WARNING: The "syslog" option is deprecated
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
N/A
anirudh Session
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault]
└─$ KRB5CCNAME=anirudh@dc.vault.offsec.ccache FindDomainShare VAULT.OFFSEC/anirudh@dc.vault.offsec -k -no-pass -dc-ip $IP -check-access -check-admin
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Starting domain share enumeration at 2025-05-01 22:09:44
[*] Connecting to LDAP at DC
[*] LDAP connection successful
[*] Found 1 computers in the domain
[*] Admin access confirmed on DC.vault.offsec
[*] Found 6 shares on DC.vault.offsec
[*] Enumeration completed in 0:00:01.746779. Found 6 shares.
Found 6 shares:
----------------------------------------------------------------------------------------------------
Computer Share Type Admin Read Write OS Remark
----------------------------------------------------------------------------------------------------
DC.vault.offsec ADMIN$ Unknown (Hidden) Yes Yes No Windows Server 2019 Remote Admin
DC.vault.offsec C$ Unknown (Hidden) Yes Yes No Windows Server 2019 Default share
DC.vault.offsec DocumentsShare Unknown Yes No No Windows Server 2019
DC.vault.offsec IPC$ Disk (Hidden) Yes Yes No Windows Server 2019 Remote IPC
DC.vault.offsec NETLOGON Unknown Yes Yes No Windows Server 2019 Logon server share
DC.vault.offsec SYSVOL Unknown Yes Yes No Windows Server 2019 Logon server share
Enumerating the target SMB server with FindDomainShare, using the Kerberos TGT of the compromised anirudh user
The user has admin access to the dc.vault.offsec host (Admin column: Yes on every share)
SYSVOL Share
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault]
└─$ KRB5CCNAME=anirudh@dc.vault.offsec.ccache impacket-smbclient VAULT.OFFSEC/anirudh@dc.vault.offsec -k -no-pass -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# use SYSVOL
# tree
/vault.offsec/DfsrPrivate
/vault.offsec/Policies
/vault.offsec/scripts
/vault.offsec/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
/vault.offsec/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}
/vault.offsec/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
/vault.offsec/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE
/vault.offsec/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER
/vault.offsec/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI
/vault.offsec/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE
/vault.offsec/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/USER
/vault.offsec/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft
/vault.offsec/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol
/vault.offsec/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft
/vault.offsec/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT
/vault.offsec/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT
/vault.offsec/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit
/vault.offsec/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit
/vault.offsec/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf
/vault.offsec/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf
Finished - 21 files and folders
N/A