Attacking Common Services - Attacking SMB

Hi everyone!
I succeeded in enumerating two users using rpcclient, where ‘jason’ is among them.
However, I still have no success in getting a valid password for jason via crackmapexec brute-forcing using the provided password wordlist from Resources, nor in downloading the READ ONLY file from the SMB share without authentication.
(get id_rsa returns: ‘NT_STATUS_ACCESS_DENIED opening remote file …’).
I am somewhat confused about what to do next. Please give me a hint on how to move ahead.

3 Likes

You’ll need a domain for it, or you can use -d

4 Likes

Thank you very much my friend!
I don’t know how much time I would have spent without your hint, as the --help output does not describe this option, and neither does this section.

2 Likes

For anyone looking for this in the future, use the --local-auth flag

11 Likes

Hi everyone,

Can anyone tell me where the password wordlists are? The only ones I found are in /usr/share/… but I can’t understand where the resources are.

Thanks

Hi, look closely in the Hack The Box web interface (top right of the page).

1 Like

Thanks for your help - I’m sure this isn’t even in the course material?!? How helpful of HTB.

Can anyone explain why --local-auth is required here? Only when authenticating to a domain-joined machine using a plain-text password??

2 Likes

Thanks a lot gingerwood!

How did you find the domain?!

1 Like

Run Enum4linux

hint: i was about to give up on this section but then i remembered who i am and got the answer.

Hello.

Where can I find a password list?
In FTP or somewhere else?
I tried passwords from FTP but it didn’t work, tried rockyou.txt and it didn’t work as well.
I also tried with the -d parameter and the domain found with enum4linux (the same domain is added with the --local-auth parameter in crackmapexec) :confused:

What should I do? I need a hint here.

As a guide.

  • For question 1, use the smbclient tool.
  • For question 2, use the crackmapexec tool and the --local-auth parameter and the dictionary provided by HTB in resources.
  • For question 3, you must download the file located in G** (smbmap -H 10.129.219.167 -r G**): use the smbmap tool and add the corresponding credentials of jason to get the permissions to download and read the file.
    Do not forget to give the appropriate permissions (600).

Copy the id_rsa file and crack it.

When targeting non-domain-joined machines we add --local-auth.
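The --local-auth distinction above has a defender's mirror image: on a non-domain-joined host, guessed logons against a local account land in the Security log as 4625 events whose TargetDomainName is the machine name rather than a domain. Added example (not code from the thread) that groups such failures by source and user and flags bursts; the JSON line layout, the hostname FILESRV01 and the IP addresses are constructed for illustration.

```python
"""Flag SMB password-guessing bursts against local accounts in Windows 4625
events. Added example, not from the thread; record layout and samples are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample: five failures for local account "jason" from one source
# within a minute, one failure for a domain account, one non-network failure.
SAMPLE_EVENTS = "\n".join(
    ['{"ts":"2024-03-01T10:00:0%d","EventID":4625,"LogonType":3,'
     '"TargetUserName":"jason","TargetDomainName":"FILESRV01",'
     '"IpAddress":"10.10.14.5"}' % i for i in range(1, 6)] + [
    '{"ts":"2024-03-01T10:30:00","EventID":4625,"LogonType":3,'
    '"TargetUserName":"alice","TargetDomainName":"CORP","IpAddress":"10.10.14.9"}',
    '{"ts":"2024-03-01T10:31:00","EventID":4625,"LogonType":2,'
    '"TargetUserName":"jason","TargetDomainName":"FILESRV01","IpAddress":"127.0.0.1"}',
])

def local_smb_failures(text, hostname):
    """Group network-logon failures against the host's own SAM accounts by
    (source IP, user); on a non-domain-joined host their TargetDomainName is
    the machine name, which is what a --local-auth attempt shows up as."""
    groups = defaultdict(list)
    for ev in map(json.loads, filter(str.strip, text.splitlines())):
        if ev["EventID"] != 4625 or ev["LogonType"] != 3:
            continue  # only failed network logons (SMB, among others)
        if ev["TargetDomainName"].upper() != hostname.upper():
            continue  # domain account: the DC's logs cover that
        key = (ev["IpAddress"], ev["TargetUserName"].lower())
        groups[key].append(datetime.fromisoformat(ev["ts"]))
    return groups

def detect_bursts(text, hostname, threshold=5, window=timedelta(seconds=60)):
    """Return {(source_ip, user): peak} for pairs that reach `threshold`
    failures inside any sliding window of length `window`."""
    hits = {}
    for key, stamps in local_smb_failures(text, hostname).items():
        stamps.sort()
        peak = start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1  # drop failures that fell out of the window
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[key] = peak
    return hits
```

Point it at 4625 records exported as JSON lines from the host's Security log; the domain-account failure is deliberately ignored because the domain controller, not the member host, is where that pattern should be counted.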

You don’t need to crack it. It’s a public key.

Bruh, there is a different password list in this section :sob: I was using one from a different module

Putting this here for anyone who had the same problem: if you’re struggling to find the pws.list file, the resources button is hidden if the aspect ratio is too narrow. Try going full screen or making the window wider. Spent so much time using the previous word list lol

Putting this here to help anybody who’s stuck with crackmapexec
(in my case it didn’t want to run the brute-force process).
So, here’s my own solution (I don’t know how it worked, but it did; if there’s someone who can provide an explanation I would be grateful…).
Since it’s the same server, the info provided would be the same across most services, or at least that’s what I think: we have the login name “jason” and the password list from the resources (you just have to download and unzip it).
Try running a brute-force attack but on the FTP 21** port.
It will eventually lead you to flag.txt without even needing the id_rsa to sign in to SSH.