Attacking Common Services - Attacking SMB

cherryeater · June 1, 2022, 1:59pm

Hi everyone!
I succeeded to enumerate two users using rpcclient where a ‘jason’ is among them.
However, I still have no success to get a valid jasons’ password via crackmapexec bruteforcing using a provided password wordlist from Resources as well as to download without authentication READ ONLY file from smb share .
(get id_rsa returns: ‘NT_STATUS_ACCESS_DENIED opening remote file …’).
I some confused, what have I do next. Please give me a hint how to move ahead.

Joker93 · June 1, 2022, 5:52pm

You’ll need a domain for it, or you can use -d

cherryeater · June 2, 2022, 8:42am

Thank you very much my friend!
I don’t know how much time I would spend without your hint as the --help command does not describe this option as well as this section.

PhiLight · June 7, 2022, 5:41pm

For anyone looking for this in the future, use the –local-auth flag

ghostXbyte · October 14, 2022, 7:32am

Hi everyone,

Can anyone tell me where de password’s wordlist are? The only ones i found are in /usr/share/… but i can’t understand where is the resources.

Thank’s

gingerwood · October 21, 2022, 8:33pm

Hi, look closely in the hack the box web interface (top right of the page).

cheekychimp · November 10, 2022, 6:05pm

Thanks for your help - I’m sure this isn’t even in the course material?!? how helpful of htb

GuyKazuya · November 16, 2022, 2:01am

Can anyone explain why --local-auth is required here? Only when authenticating to a domain joined machine using plain text password??

ghostXbyte · November 28, 2022, 9:05am

thank’s a lot gingerwood !

cmarrod · January 23, 2023, 11:47am

How did you find the domain?!

ishsome · January 29, 2023, 7:03pm

Run Enum4linux

gizmoe380 · February 23, 2023, 1:56am

hint: i was about to give up on this section but then i remembered who i am and got the answer.

Kesivle · April 16, 2023, 5:00pm

Hello.

Where can I find a password list?
In FTP or somewhere else?
I tried passwords from FTP but it didn’t work, tried rockyou.txt and it didn’t work aswell.
I tried also with paremter -d and here domain found with ENUM4LINUX (same domain is added with --local-auth parameter in crackmapexec

What should I do, need a hint there.

lxbx · April 21, 2023, 5:00pm

As a guide.

For question 1, use the smbclient tool.
For question 2, use the crackmapexec tool and the --local-auth parameter and the dictionary provided by HTB in resources.
For question 3, you must download the file located in G** (smbmap -H 10.129.219.167 -r G**), use the smbmap tool and add the corresponding credentials of jason to get the permissions to download and read the file.
Do not forget to give the appropriate permissions (600).

Hackalino · May 14, 2023, 2:21am

Copy the id_rsa file and crack it.