# CREDS
HTB:xxxx
alex:lol123!mD
sa:87N1ns@slls83
# Enumeration
## Nmap
- fast scan
![[images/Pasted image 20250923192611.png]]
- detailed scan
![[images/Pasted image 20250923192650.png]]
## Services
### SMB (139,445)
- `smbclient -N -L` returns access denied
![[images/Pasted image 20250923192535.png]]
- `smbmap -H` errors out ![[images/Pasted image 20250923193454.png]]
- `crackmapexec smb` reveals Windows 10 / Server 2019, hostname=WINMEDIUM, signing=false, smbv1=false ![[images/Pasted image 20250923193432.png]]
- `sudo nmap -sC -sV --script smb* -p445 10.129.206.194` ![[images/Pasted image 20250923193524.png]]
- `rpcclient -U HTB 10.129.206.194` requires a password ![[images/Pasted image 20250923193802.png]]
- RETRY rpcclient enum with alex creds
- `rpcclient 10.129.206.194 --user alex%'lol123!mD'` drops me into interactive rpc shell with limited commands ![[images/Pasted image 20250923205936.png]]
- looks like a dead end
- RETRY SMB enum with alex creds
- `crackmapexec smb 10.129.206.194 -u alex -p 'lol123!mD' --shares` ![[images/Pasted image 20250923204444.png]]
- `smbclient //10.129.206.194/Users --user alex%'lol123!mD'` drops me into interactive smb shell ![[images/Pasted image 20250923210004.png]]
- lots of files; no pay dirt
- `smbclient //10.129.206.194/devshare --user alex` looks more promising ![[images/Pasted image 20250923210505.png]]
- looks like we have a service account? ![[images/Pasted image 20250923210547.png]]
- Google "windows SA account": the "sa" account in SQL Server is the built-in system administrator login, disabled by default when the instance uses Windows Authentication mode. To use it, the login has to be enabled and given a strong password, typically through SQL Server Management Studio (SSMS)
### NFS (111,2049)
- `sudo nmap 10.129.206.194 -p111,2049 -sC -sV --script nfs*` lots of action; dig in here
- `showmount -e 10.129.206.194` ![[images/Pasted image 20250923194530.png]]
- perms issue encountered after mounting the share locally ![[images/Pasted image 20250923195933.png]]
- add myself to nogroup (65534) to access
- `sudo usermod -aG nogroup jacob`
- still cannot access the share even though `id jacob` shows that I am part of GID 65534 ![[images/Pasted image 20250923200958.png]]
- `sudo ls -al NFS` shows only one file with a non-zero size ![[images/Pasted image 20250923203924.png]]
- `sudo cat NFS/<ticket_name>` reveals alex's password ![[images/Pasted image 20250923203948.png]]
- circle-back to SMB enumeration
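- added audit helper (my own example, not part of the lab or any tool above): parses `showmount -e` output in both the nfs-utils and Windows Server NFS formats and flags exports that any client may mount. With AUTH_SYS the client asserts its own UID/GID, which is why joining `nogroup` (65534) was enough above; a world-mountable export is therefore readable by anyone on the network. The sample output is constructed, not captured from the lab host.

```python
import re
from dataclasses import dataclass

# Constructed sample showing both common showmount -e layouts; the hosts
# and paths are made up for this example.
SAMPLE_SHOWMOUNT = """\
Export list for 10.0.0.5:
/srv/backups   10.0.0.0/24,admin.example.internal
/srv/public    *
/TechSupport   (everyone)
"""

# Client specs that grant the export to any host able to reach the server.
# nfs-utils prints "*"; Windows Server NFS prints "(everyone)".
WORLD_CLIENTS = {"*", "(everyone)", "everyone"}


@dataclass(frozen=True)
class Export:
    path: str
    clients: tuple

    @property
    def world_accessible(self) -> bool:
        # Any world entry makes the export mountable by anyone, regardless
        # of how restrictive the other entries look.
        return any(c.lower() in WORLD_CLIENTS for c in self.clients)


def parse_showmount(text: str) -> list:
    """Turn `showmount -e` output into Export records.
    Skips the 'Export list for ...' header and blank lines."""
    exports = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("export list for"):
            continue
        parts = line.split(None, 1)          # path, then client field
        client_field = parts[1] if len(parts) > 1 else ""
        clients = tuple(c for c in re.split(r"[,\s]+", client_field) if c)
        exports.append(Export(parts[0], clients))
    return exports


def audit_exports(text: str) -> list:
    """Return the paths of exports that any client may mount (finding list)."""
    return [e.path for e in parse_showmount(text) if e.world_accessible]
```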
### 5985
- `sudo nmap -p5985 -sC -sV -A 10.129.206.194` ![[images/Pasted image 20250923204059.png]]
### RDP (3389)
- `sudo nmap -sC -sV -p3389 10.129.206.194 --script rdp*` ![[images/Pasted image 20250923201505.png]]
- try RDP access with the sa password as Administrator (Administrator:87N1ns@slls83)
- `xfreerdp3 /u:Administrator /p:"87N1ns@slls83" /v:10.129.206.194 /dynamic-resolution`
### wsman (5885)
### winrm (47001)