# 2 smb ```bash $ smbclient -L //10.10.10.125 Enter WORKGROUP\kashz's password: Sharename Type Comment --------- ---- ------- ADMIN$ Disk Remote Admin C$ Disk Default share IPC$ IPC Remote IPC Reports Disk $ smbclient //10.10.10.125/Reports Enter WORKGROUP\kashz's password: Try "help" to get a list of possible commands. smb: \> dir . D 0 Mon Jan 28 15:23:48 2019 .. D 0 Mon Jan 28 15:23:48 2019 Currency Volume Report.xlsm A 12229 Sun Jan 27 14:21:34 2019 6469119 blocks of size 4096. 1589842 blocks available $ file "Currency Volume Report.xlsm" Currency Volume Report.xlsm: Microsoft Excel 2007+ # share is not writable ``` ## .xlsm macro extract Using * [zeltser.com/analyzing-malicious-documents/](https://zeltser.com/analyzing-malicious-documents/) * [decalage2/oletools](https://github.com/decalage2/oletools) * `python3 -m pip install oletools` ```bash $ olevba "Currency Volume Report.xlsm" olevba 0.60 on Python 3.9.7 - http://decalage.info/python/oletools =============================================================================== FILE: Currency Volume Report.xlsm Type: OpenXML WARNING For now, VBA stomping cannot be detected for files in memory ------------------------------------------------------------------------------- VBA MACRO ThisWorkbook.cls in file: xl/vbaProject.bin - OLE stream: 'VBA/ThisWorkbook' - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ' macro to pull data for client volume reports ' ' further testing required Private Sub Connect() Dim conn As ADODB.Connection Dim rs As ADODB.Recordset Set conn = New ADODB.Connection conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume;Uid=reporting;Pwd=PcwTWTHRwryjc$c6" conn.ConnectionTimeout = 10 conn.Open If conn.State = adStateOpen Then ' MsgBox "connection successful" 'Set rs = conn.Execute("SELECT * @@version;") Set rs = conn.Execute("SELECT * FROM volume;") Sheets(1).Range("A1").CopyFromRecordset rs rs.Close End If End Sub ------------------------------------------------------------------------------- VBA MACRO Sheet1.cls in file: xl/vbaProject.bin - OLE stream: 'VBA/Sheet1' - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (empty macro) +----------+--------------------+---------------------------------------------+ |Type |Keyword |Description | +----------+--------------------+---------------------------------------------+ |Suspicious|Open |May open a file | |Suspicious|Hex Strings |Hex-encoded strings were detected, may be | | | |used to obfuscate strings (option --decode to| | | |see all) | +----------+--------------------+---------------------------------------------+ ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://kashz.gitbook.io/hackthebox-writeups/htb-boxes/querier/2-smb.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.