11/2020

Description:

Target ip: 10.10.10.178. - Windows box

This box relies greatly on picking up clues, enumerate items and interests. Machine credentials information used for initial access is in Shared folder on SMB directory. The machine has a misconfiguration that allow the TempUser to has access to the Data directory on SMB service which contains the encrypted passwords for user C.Smith, administrator, and a custom decryptor for them.

Difficulty:

easy

Flags:

User: cf71b25404be5d84fd827e05f426e987

Root: 6594c2eb084bc0f08a42f0b94b878c41

Enumeration

Nmap port scan result.

Nmap port scan result.

! Discovered service: SMB (445)

Enumerates SMB share directories with Guest access.

Enumerates SMB share directories with Guest access.

! Discovered shares: Data and Users

Examine SMB directory with Guest access.

Examine Users SMB directory with Guest access.

! Unable to access Administrator, C.Smith, L.Frost, or TempUser

Examine SMB directory with Guest access.

Examine Data SMB directory with Guest access.

! Unable to access IT, Production, Reports but Shared is available.

Examining reveals a folder which contains a template

Examining Templates reveals a HR folder which contains a template ‘Welcome Email.txt’

! Default credentials for TempUser is TempUser/welcome2019