Password on shares
Last updated
1. Login on DC02 with the username Administrator and password Welcome01!.
2. Open the "Active Directory Users and Computers" administration tool on DC02.
3. Right click on the "Users" directory and select "New" and then "User". Create a user with the name testreset.
4. Fill in the password Testing123Testing! and select "Password never expires" and make sure "User must change password at next logon" is not selected.
5. Login on FILE01 with the username Administrator and password Welcome01!.
6. Open "Windows Explorer" and browse to C:\Share\IT.
7. Create a directory "Scripts" and enter the directory. Then create a new text document with the name Password-reset-transferuser-testscript.ps1 and place the following content inside it:
8. Download a couple of bogus scripts to the server and place them in the same folder, such as:
During our pentests I often find shares that are accessible to all users, and often there are credentials to be discovered in configuration files, scripts or Microsoft documents (.doc, .xls) made to store passwords. Sometimes there is even a NAS that allows null sessions with read/write access on all shares.
The attack is executed from the perspective of already having discovered the IT share on FILE01 and having access to it.
1. For easy access to look at the share, login as noah with the password haoNHasAStrongPassword321!@ on WS01.
2. Open File Explorer and browse to \\file01\Data.
3. Open the IT directory and then the Scripts directory.
4. While looking through the scripts we see that the script Password-reset-transferuser-testscript has login credentials saved in it:
5. The password for the user testreset is probably Testing123Testing!. After reading through the code it seems to be a script that resets the credentials of the user sa_transfer_test using the credentials of testreset.
We can easily test this by starting a new PowerShell session as this user: open PowerShell, then in the taskbar right click on it, shift-right-click on Windows PowerShell and select "Run as different user".
6. Copy and paste the credentials and click "OK". A PowerShell window opens; type whoami to check that we are running as the testreset user:
On the following page the ACLs this account has will be abused by resetting the password of another user:
Don't save credentials in readable files.
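As an added example (not the lab's own script, whose body is not shown on this page), the pattern the walkthrough finds on the share is placed beside a hardened way to hold the same credential, followed by a sweep a share owner can run to find such files. The user names testreset and sa_transfer_test come from the page; the domain name lab, the credential file path, the placeholder password and the use of Set-ADAccountPassword for the reset are assumptions.

```powershell
# Added example, not the lab's script. Names testreset / sa_transfer_test are from the page;
# the 'lab' domain, the credential file path and the Set-ADAccountPassword call are assumptions.

# --- What the walkthrough found: a cleartext password in a script on an everyone-readable share ---
$pw   = ConvertTo-SecureString 'PlaintextPasswordHere' -AsPlainText -Force   # placeholder value
$cred = New-Object System.Management.Automation.PSCredential('lab\testreset', $pw)
# Anyone who can read the share can read this line and run as testreset.

# --- Hardened: never write the password into the file ---
# One-time setup, run interactively AS the account that will run the script, ON the host that runs it.
# Export-Clixml protects the SecureString with DPAPI, bound to that user and computer, so the file
# is useless when copied elsewhere. Keep it outside the share, with NTFS rights for that account only.
$credFile = Join-Path $env:ProgramData 'PwReset\testreset.cred'
New-Item -ItemType Directory -Path (Split-Path $credFile) -Force | Out-Null
Get-Credential -UserName 'lab\testreset' -Message 'Password reset account' | Export-Clixml -Path $credFile

# In the reset script itself: load the protected credential and use it. The reset call is an assumption;
# the page does not show the script body.
Import-Module ActiveDirectory
$cred  = Import-Clixml -Path $credFile
$newPw = Read-Host -Prompt 'New password for sa_transfer_test' -AsSecureString
Set-ADAccountPassword -Identity 'sa_transfer_test' -Reset -NewPassword $newPw -Credential $cred

# --- Share owner's sweep: flag files that embed credentials, the check a periodic audit should run ---
function Find-EmbeddedCredential {
    param([Parameter(Mandatory)][string]$Path)
    # Patterns for the usual ways a password ends up in a script or note on a share.
    $pattern = '-AsPlainText|PSCredential\(|password\s*[=:]\s*\S|/user:\S+\s+\S'
    Get-ChildItem -Path $Path -Recurse -File -Include *.ps1,*.bat,*.cmd,*.vbs,*.txt,*.xml,*.config,*.ini -ErrorAction SilentlyContinue |
        Select-String -Pattern $pattern |
        Select-Object Path, LineNumber, Line
}
Find-EmbeddedCredential -Path '\\file01\Data\IT' | Format-Table -AutoSize
```

Run the sweep with an account that has read access to the whole share; hits on the IT\Scripts directory are the files this lab plants.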