sudo nmap 192.168.178.152 -p- -sS -sV
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Microsoft IIS httpd 10.0
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49666/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Jumping straight over to SMB to look for low-hanging fruit, we find that we can authenticate with null credentials and list the available shares.
└─$ smbclient -U '' -L \\\\192.168.178.152
Enter WORKGROUP\'s password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
Scripts$ Disk
Users$ Disk
SMB1 disabled -- no workgroup available
└─$ smbclient -U '' \\\\192.168.178.152\\Scripts$
Enter WORKGROUP\'s password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Tue Jun 1 10:57:45 2021
.. D 0 Tue Jun 1 10:57:45 2021
defrag.ps1 A 49 Tue Jun 1 10:57:45 2021
fix-printservers.ps1 A 283 Tue Jun 1 10:57:45 2021
install-features.ps1 A 81 Tue Jun 1 10:57:45 2021
purge-temp.ps1 A 105 Tue Jun 1 10:57:45 2021
7706623 blocks of size 4096. 3766380 blocks available
From here we can see four separate PowerShell .ps1 files. I downloaded all of the available files, which are listed below:
However, after going through these files, none of them appear to be directly related to any exploitation path.
Examining the Users$ SMB share, we see that the c:\users directory is mapped as a share. As is typical, the Administrator user folder is off limits. We are, however, able to access the entire user directory for the user 'scripting'.
Whilst this produces a large number of files and directories, we can instead utilize the smbmap tool to recursively walk each directory for interesting files.
smbmap -u null -p null -H <IP> -s Scripting$ -R
Once finished, we find the following files of interest:
Using smbclient we can download README.txt from the user scripting's Desktop.
Please keep your personal shares locked down.
Just because it's hidden it doesn't mean it's not accessible.
Also, please stop storing passwords in your scripts.
Encoding is not encryption and this information can be lifted from the logs.
-Security
We also have a file called profile.ps1 located in c:\users\scripting\Documents\WindowsPowerShell.
From the output we notice multiple instances of the command below being executed on the system. As we can tell from the command, the payload is base64-encoded.
Decoding the string from base64 reveals the command below:
As we can see, there is a lot going on in the decoded script. This writeup will not go into depth on it; however, references will be provided for further reading. After slowly breaking down the script and decoding a couple of the lines, we see the following is performed:
Essentially, the script exits on the target system if the machine cannot ping 8.8.8.8 (Google's DNS server), and it also exits if the machine name is 'compromised'. Removing these conditions, we are left with the script below.
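As an added example (not part of the original write-up or the box's own payload), the following Python decodes `-EncodedCommand` payloads of the kind noted above from log lines (UTF-16LE, then base64, as PowerShell expects) and flags the two exit conditions the text describes. The log lines and the encoded script are constructed stand-ins, and the `Test-Connection` / `$env:COMPUTERNAME` wording is an assumption about how such checks are typically written.

```python
import base64
import re

# Constructed stand-in for the script described in the text: it bails out
# if 8.8.8.8 is unreachable or if the hostname is 'compromised'.
SAMPLE_SCRIPT = (
    "if (-not (Test-Connection 8.8.8.8 -Count 1 -Quiet)) { exit }\n"
    "if ($env:COMPUTERNAME -eq 'compromised') { exit }\n"
    "Write-Output 'remainder of script would run here'"
)


def encode_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed log lines; the first carries the encoded payload, the second is benign.
SAMPLE_LOG = [
    "2021-06-01 10:57:45 scripting powershell.exe -NoProfile -EncodedCommand "
    + encode_command(SAMPLE_SCRIPT),
    "2021-06-01 10:58:02 scripting notepad.exe C:\\Users\\scripting\\Desktop\\README.txt",
]

# Matches the common spellings of the switch followed by a base64 blob.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Environment guards a defender would want surfaced when reviewing decoded scripts.
GUARD_PATTERNS = {
    "ping_check": re.compile(r"(?:Test-Connection|ping)\s+8\.8\.8\.8", re.IGNORECASE),
    "hostname_check": re.compile(r"\$env:COMPUTERNAME\s+-eq\s+'compromised'", re.IGNORECASE),
}


def decode_encoded_command(line: str):
    """Return the decoded script from a log line, or None if there is no valid payload."""
    m = ENC_RE.search(line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # bad base64 or odd-length UTF-16
        return None


def analyse_log(lines):
    """Decode every encoded command in the log and list which guards it contains."""
    findings = []
    for line in lines:
        script = decode_encoded_command(line)
        if script is None:
            continue
        guards = [name for name, pat in GUARD_PATTERNS.items() if pat.search(script)]
        findings.append({"line": line, "script": script, "guards": guards})
    return findings
```

Running `analyse_log(SAMPLE_LOG)` yields one finding whose decoded script matches the sample and whose guards are the ping and hostname checks.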