SMB


Nmap discovered an SMB server on the target ports 139 and 445. The running service appears to be Samba smbd 4.3.11-Ubuntu.

┌──(kali㉿kali)-[~/archive/htb/labs/frolic]
└─$ nmap --script smb-enum-shares -sV -p139,445 $IP
starting nmap 7.94 ( https://nmap.org ) at 2023-10-11 07:55 CEST
Nmap scan report for frolic (10.10.10.111)
Host is up (0.13s latency).
 
PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn samba smbd 3.x - 4.x (workgroup: WORKGROUP)
445/tcp open  netbios-ssn samba smbd 3.x - 4.x (workgroup: WORKGROUP)
 
host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.10.111\ipc$: 
|     type: STYPE_IPC_HIDDEN
|     comment: IPC Service (frolic server (Samba, Ubuntu))
|     users: 1
|     max users: <unlimited>
|     path: C:\tmp
|     anonymous access: READ/WRITE
|     current user access: READ/WRITE
|   \\10.10.10.111\print$: 
|     type: STYPE_DISKTREE
|     comment: Printer Drivers
|     users: 0
|     max users: <unlimited>
|     path: C:\var\lib\samba\printers
|     anonymous access: <none>
|_    current user access: <none>
 
service detection performed. please report any incorrect results at https://nmap.org/submit/ .
nmap done: 1 IP address (1 host up) scanned in 29.94 seconds

An additional Nmap scan revealed that the SMB server hosts 2 Samba shares: //FROLIC/IPC$ and //FROLIC/print$. Only the //FROLIC/IPC$ share appears to allow anonymous access; the //FROLIC/print$ share doesn’t. Interestingly, the comment on the //FROLIC/print$ share suggests that the share might be for printer drivers.

Per the scan output, those 2 Samba shares are mapped to the following directories:

  • //frolic/ipc$: /tmp
  • //frolic/print$: /var/lib/samba/printers
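The mapping above can be extracted from the smb-enum-shares output mechanically, which helps when auditing many Samba hosts for anonymously accessible shares. This is an added example, not part of the original notes; the function names are hypothetical and the sample input is the scan output above with the user-count lines trimmed.

```python
import re

# Sample input: smb-enum-shares block from the scan above (users/max users lines trimmed).
SAMPLE = r"""| smb-enum-shares: 
|   account_used: guest
|   \\10.10.10.111\ipc$: 
|     type: STYPE_IPC_HIDDEN
|     comment: IPC Service (frolic server (Samba, Ubuntu))
|     path: C:\tmp
|     anonymous access: READ/WRITE
|     current user access: READ/WRITE
|   \\10.10.10.111\print$: 
|     type: STYPE_DISKTREE
|     comment: Printer Drivers
|     path: C:\var\lib\samba\printers
|     anonymous access: <none>
|_    current user access: <none>
"""

# A share header looks like \\host\share: on its own line.
SHARE_RE = re.compile(r"^\\\\[^\\]+\\(?P<name>.+):$")

def parse_shares(text):
    """Return {share_name: {field: value}} from smb-enum-shares output."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = re.sub(r"^\|_?", "", raw).strip()  # drop nmap's "|" / "|_" gutter
        m = SHARE_RE.match(line)
        if m:
            current = shares.setdefault(m.group("name"), {})
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            current[key] = value
    return shares

def unix_path(reported):
    """The script reports Samba paths Windows-style; convert them to POSIX form."""
    return re.sub(r"^[A-Za-z]:", "", reported).replace("\\", "/")

def anonymous_shares(shares):
    """Names of shares whose anonymous access is anything other than <none>."""
    return sorted(n for n, f in shares.items()
                  if f.get("anonymous access", "<none>") != "<none>")

if __name__ == "__main__":
    parsed = parse_shares(SAMPLE)
    for name, fields in parsed.items():
        print(name, unix_path(fields["path"]), fields["anonymous access"])
    print("anonymous:", anonymous_shares(parsed))
```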

Null Session


┌──(kali㉿kali)-[~/archive/htb/labs/frolic]
└─$ smbmap -H $IP -u '' -p ''
 
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)                                
[+] IP: 10.10.10.111:445	Name: frolic              	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	print$                                            	NO ACCESS	Printer Drivers
	IPC$                                              	NO ACCESS	IPC Service (frolic server (Samba, Ubuntu))

smbmap shows that neither share is accessible.

//FROLIC/IPC$


┌──(kali㉿kali)-[~/archive/htb/labs/frolic]
└─$ smbclient //FROLIC/IPC$  
password for [workgroup\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

The //FROLIC/IPC$ share appears to be empty.

smb: \> mkdir test
NT_STATUS_OBJECT_NAME_NOT_FOUND making remote directory \test

The share doesn’t allow writing.

enum4linux


┌──(kali㉿kali)-[~/archive/htb/labs/frolic]
└─$ enum4linux -a -r -o -n -A -U $IP
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Oct 11 08:13:16 2023

Executing enum4linux

Leveraging the RID cycling technique, 2 valid system users have been enumerated:

  • sahay
  • ayush

No information regarding printers was returned.