I did Coming Soon, Method and Breakout from HackMyVM, but I really only want to write about Breakout, and only one specific part of it.

SMB

The box relies on obtaining a username via SMB enumeration. You should be able to do it with enum4linux, but that’s not working for me and hasn’t been for some time:

┌──(root💀kali)-[/opt/hackmyvm/breakout]
└─# enum4linux -a 10.10.10.48                                 
ERROR: nmblookup is not in your path.  Check that samba package is installed
ERROR: net is not in your path.  Check that samba package is installed
ERROR: rpcclient is not in your path.  Check that samba package is installed
ERROR: smbclient is not in your path.  Check that samba package is installed
WARNING: polenum is not in your path.  Check that package is installed and your PATH is sane.
WARNING: ldapsearch is not in your path.  Check that package is installed and your PATH is sane.
For Gentoo, you need to install the "samba" package
For Debian, you need to install the "smbclient" package

Obviously I have the samba and smbclient packages installed already. Googling for these errors turned up some other people with the same issue but no resolution. Purging and reinstalling does not help.

enum4linux is a relatively old tool, and there is a new version called enum4linux-ng which is available here. The method we need (RID cycling) is not enabled by default:

RID cycling is not part of the default enumeration (-A) but can be enabled with -R

And sure enough:

[*] Trying to enumerate SIDs
[+] Found 3 SID(s)
[*] Trying SID S-1-22-1
[+] Found user 'Unix User\cyber' (RID 1000)
[*] Trying SID S-1-5-21-1683874020-4104641535-3793993001
[+] Found user 'BREAKOUT\nobody' (RID 501)
[+] Found domain group 'BREAKOUT\None' (RID 513)
[*] Trying SID S-1-5-32
[+] Found builtin group 'BUILTIN\Administrators' (RID 544)
[+] Found builtin group 'BUILTIN\Users' (RID 545)
[+] Found builtin group 'BUILTIN\Guests' (RID 546)
[+] Found builtin group 'BUILTIN\Power Users' (RID 547)
[+] Found builtin group 'BUILTIN\Account Operators' (RID 548)
[+] Found builtin group 'BUILTIN\Server Operators' (RID 549)
[+] Found builtin group 'BUILTIN\Print Operators' (RID 550)
[+] Found 2 user(s), 8 group(s), 0 machine(s) in total

The metasploit module auxiliary/scanner/smb/smb_lookupsid gave me nothing.

There is a tool called ridenum. It didn’t work:

┌──(root💀kali)-[/opt/hackmyvm/breakout]
└─# ridenum 10.10.10.48 500 5000 
[*] Attempting lsaquery first...This will enumerate the base domain SID
[*] Successfully enumerated base domain SID. Printing information: 
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[*] Moving on to extract via RID cycling attack.. 
[*] Enumerating user accounts.. This could take a little while.
[*] RIDENUM has finished enumerating user accounts...

Like enum4linux, ridenum is a wrapper around rpcclient. The technique can be applied manually (successfully) like so - props to Krishna Upadhyay:

┌──(root💀kali)-[/opt/hackmyvm/breakout]
└─# echo; rpcclient -W '' -U ''%'' 10.10.10.48 -c 'lookupnames root'      

root S-1-22-1-0 (User: 1)
                                             
┌──(root💀kali)-[/opt/hackmyvm/breakout]
└─# for i in $(seq 1000 1005); do bash -c "rpcclient -W '' -U ''%'' 10.10.10.48 -c 'lookupsids S-1-22-1-$i'"; done    
S-1-22-1-1000 Unix User\cyber (1)
S-1-22-1-1001 Unix User\1001 (1)
S-1-22-1-1002 Unix User\1002 (1)
S-1-22-1-1003 Unix User\1003 (1)
S-1-22-1-1004 Unix User\1004 (1)
S-1-22-1-1005 Unix User\1005 (1)

The reason I think ridenum failed is that it tried lsaquery, and that didn’t help:

┌──(root💀kali)-[/opt/hackmyvm/breakout]
└─# echo; rpcclient -W '' -U ''%'' 10.10.10.48 -c 'lsaquery'                                                      
Domain Name: WORKGROUP
Domain Sid: (NULL SID)

So anyway here are a few things and tools to try to squeeze a username out of SMB on Linux.