
Gaining a foothold in a compromised network

Posted by iHack (User; registered 25.02.2024; 15 messages, 1 reaction, 1 escrow deal)
Hello,

I have the following scenario: gained access to a network, compromised a backup (Linux) server that is NOT part of the domain, scanned the network and found 3 possible access points:

No. 1 is Windows 10 with SMB open,
No. 2 is Windows 7 with SMB open,
No. 3 is Linux with SSH open.

No. 2 is also not part of the domain, but I have a valid username (from a compromised printer) but no password. For No. 1, I also have a list of 8 possible usernames, but likewise no password.

I also have the user and password of a 4th Linux system, but this one has key-pair auth enabled, so it's likely unusable.

I have tried MS17-010 on both Windows machines and it didn't work.

Is access to a system possible? Any opinions/ideas are appreciated.
 
Maybe you can try other Windows RCE exploits like EternalBlue, BlueKeep, or any recent exploit, or capture the NTLM hash using the Responder.py script.
 
> No. 2 is also not part of the domain, but I have a valid username (from a compromised printer) but no password. For No. 1, I also have a list of 8 possible usernames, but likewise no password.
If you have a valid username, you can try spraying it with a couple of possible passwords using crackmapexec. Also, if you found the username on the printer, it should have a password in order to access the domain or authenticate with the domain, so you can try your luck there.

Also, if any of the shares are open, you can try going through them to see if you can find any useful info.
 
Sometimes spraying passwords is lucky, other times not so much. I've got plenty of users from printers, but I don't really know how to also get the password from said printer. Usually I just try to brute-force the users taken from printers. SMB shares are also something of a gift that keeps on giving, but not this time. Thank you for the response.
 
I could never really get BlueKeep to work properly, at least speaking about the Metasploit version. It always kills the target. I reckon the issue is the groom base/size mismatching for the Windows version, but then again, I can only be 100% sure of VMware and Hyper-V versions as far as fingerprinting goes. Also, for the Responder trick to work, I would need a vulnerable device to coerce into calling the Certificate Authority, no? Thank you for the response.
 
> I could never really get BlueKeep to work properly, at least speaking about the Metasploit version. It always kills the target. I reckon the issue is the groom base/size mismatching for the Windows version, but then again, I can only be 100% sure of VMware and Hyper-V versions as far as fingerprinting goes. Also, for the Responder trick to work, I would need a vulnerable device to coerce into calling the Certificate Authority, no? Thank you for the response.
The MSF version can be a handful to get working; you should look up the EternalBlue scripts on GitHub. One that has always worked for me for both x86 and x64 vulnerable Win 7 is https://github.com/d4t4s3c/Win7Blue

Another great repo where you can get the scripts and modify them according to your needs is https://github.com/worawit/MS17-010
You can use zzz_exploit.py for most legacy machines; just make sure you modify the code to add a new admin user or execute whatever command you want, rather than creating the simple text file it creates by default.
 
> Also, for the Responder trick to work, I would need a vulnerable device to coerce into calling the Certificate Authority, no? Thank you for the response.
The printer should work with Responder as well, at least in theory. I have used Responder to capture clear-text credentials from firewalls using AD authentication; I never tried it with a printer, but you can try and see if that might help you get a foothold.
 
I have access to a university in Colombia with good revenue (about 400kk or more), but I need post-exploitation too. It has FTP, SSH, HTTP/S and RDP ports open. I may be interested in buying or exchanging it for something, iHack; if you are interested, send a PM.
 
> I could never really get BlueKeep to work properly, at least speaking about the Metasploit version. It always kills the target. I reckon the issue is the groom base/size mismatching for the Windows version, but then again, I can only be 100% sure of VMware and Hyper-V versions as far as fingerprinting goes. Also, for the Responder trick to work, I would need a vulnerable device to coerce into calling the Certificate Authority, no? Thank you for the response.
If there is any Exchange server with Outlook on the network, you can try the ProxyLogon exploit.
 

