Attacking Enterprise Networks - SMB doesn't work?

I am currently on the final CPTS module and have pivoted to the internal network using Ligolo-ng (so no proxychains in my commands here, although I did try with SSH dynamic forwarding).

At the bottom I have attached an Nmap scan to show that the pivot is working, along with a failed CME command to connect to SMB on DEV01.

The problem:

I can visit the website on DEV01, RDP, etc. (I’ve essentially been able to do everything you can do on DEV01) except for being able to look through the SMB shares.

For some reason, both smbclient and CrackMapExec don’t recognise the SMB service as being live (I have also tried restarting the lab) and therefore instantly exit without printing anything.

I don’t believe this is a problem with the tools (since CME can still access the DC via LDAP and DEV01 via WinRM).

What can I do to view these shares so I can carry on with the lab?

$ nmap 172.16.8.20
<SNIP>
PORT     STATE SERVICE
80/tcp   open  http
111/tcp  open  rpcbind
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
2049/tcp open  nfs
3389/tcp open  ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 0.81 seconds

$ crackmapexec smb 172.16.8.20 -u 'hp***er' -p 'Gr******no!' --shares
# There is no output to be shown here :(

So I found out a workaround.

In my other post here, a solution was offered (to a different problem) where a version (more recent I believe) of CrackMapExec was run from a Docker container.

Doing this seems to solve this problem as well. No idea why.