Introduction

Today, using Lame from HTB, I will show you how to exploit SMB shares with null authentication. This is for SAMBA 3.0.20 and without the need for Metasploit. This is a more ‘OSCP‘ styled post, as the box is listed as a recommended box for the OSCP journey. As someone who has been studying for the OSCP, I can confirm this is a great box to dip your feet into SMB null authentication and SMB related exploits.

I would recommend reading up on the ‘Eternal Series SMB Exploit’ as there are a lot of variations. I would also recommend reviewing the GitHub repo below.

Now onto Lame from HTB; I start off every scan with an AutoRecon scan, which I have mentioned in multiple posts.

‘AutoRecon is a multi-threaded network reconnaissance tool which performs automated enumeration of services. It is intended as a time-saving tool for use in CTFs and other penetration testing environments (e.g. OSCP). It may also be useful in real-world engagements.’

This essentially means that if you're just starting off in the security field, I would highly recommend this tool. Running an AutoRecon scan shows me that SMB shares are available with null authentication. It also shows me the server is running SAMBA 3.0.20.

SMBMap List Contents provided by AutoRecon

I use CME and SMBClient to confirm what AutoRecon has pulled in. CrackMapExec (CME) is another program that should be a staple in your toolkit, as it allows you to check multiple protocols (SMB/SSH/LDAP/WinRM/MSSQL) with plenty of enumeration and bruteforce capabilities. The reason you will sometimes want to use multiple tools is that CME, though a good program, can sometimes give bad (or no) results. Confirming with multiple programs helps establish that this really is your attack point.
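The same two conditions the tools above report (a share reachable with a null session, and the Samba 3.0.20-era external username-map hook) can be checked from the server side by auditing smb.conf. The script below is an added example, not from this post or from the AutoRecon/CME projects; the smb.conf text it reads is constructed to resemble a permissive Samba 3.x configuration, while the option names (map to guest, username map script, guest ok/public, writable/writeable, read only) are Samba's real directives.

```python
"""Audit an smb.conf for settings that let null sessions in and for the
external username-map hook. Added example; not part of the original post."""
import re

# Constructed sample resembling a permissive Samba 3.x config (not the HTB box's real file).
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = Samba Server
   security = user
   map to guest = bad user
   username map script = /etc/samba/scripts/mapusers.sh   # hypothetical path

[tmp]
   comment = scratch space
   path = /tmp
   read only = no
   public = yes

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
"""

# Synonyms Samba accepts for the options we care about.
_GUEST_KEYS = ("guest ok", "public")
_WRITE_KEYS = ("writable", "writeable")
_TRUE = ("yes", "true", "1")
_FALSE = ("no", "false", "0")


def parse_smb_conf(text):
    """Return {section: {option: value}}; option names are lower-cased and space-normalised."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # Samba treats whole-line # and ; as comments
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
            continue
        if "=" in line and current is not None:
            key, _, val = line.partition("=")
            key = " ".join(key.lower().split())
            # drop a trailing inline comment on the value, if any
            sections[current][key] = val.split("#", 1)[0].strip()
    return sections


def _truthy(opts, keys):
    """True if any of the synonym keys is set to a Samba 'yes' value."""
    for k in keys:
        if k in opts:
            return opts[k].lower() in _TRUE
    return False


def share_allows_anonymous_write(opts):
    """A share is anonymously writable when guests are allowed AND it is writable."""
    guest = _truthy(opts, _GUEST_KEYS)
    if "read only" in opts:                       # 'read only = no' grants write access
        writable = opts["read only"].lower() in _FALSE
    else:
        writable = _truthy(opts, _WRITE_KEYS)
    return guest and writable


def audit(text):
    """Return a list of (section, option, explanation) findings for a smb.conf body."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    if g.get("map to guest", "never").lower() in ("bad user", "bad password", "bad uid"):
        findings.append(("global", "map to guest",
                         "failed/anonymous logons are mapped to the guest account, so null sessions succeed"))
    if "username map script" in g:
        findings.append(("global", "username map script",
                         "client-supplied usernames are handed to an external command; remove on 3.0.x and upgrade"))
    for name, opts in conf.items():
        if name == "global":
            continue
        if share_allows_anonymous_write(opts):
            findings.append((name, "guest write", "share is guest-accessible and writable"))
        elif _truthy(opts, _GUEST_KEYS):
            findings.append((name, "guest read", "share is guest-accessible (read)"))
    return findings


if __name__ == "__main__":
    for section, option, why in audit(SAMPLE_SMB_CONF):
        print(f"[{section}] {option}: {why}")
```

On the sample this reports the guest mapping, the username-map hook and the writable [tmp] share; [homes] is writable but not guest-accessible, so it is not flagged. Run it against a real /etc/samba/smb.conf by replacing SAMPLE_SMB_CONF with the file's contents.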

CME confirming I have read/write to a folder.

SMB Client showing the same open share.

After confirming, I use SMBClient to log in as a null session and exploit the logon command to spawn a reverse shell:

Using SMB Client to login and exploit the logon command.

nc session picking up the exploit.

Rooted

Published On: October 8th, 2020 / Categories: HTB, Technology