Samba
Nmap [[Stapler_Recon#|discovered]] a Samba server on the target's port 139.
The running service is Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP).
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/stapler]
└─$ nmap --script smb-enum-shares -sV -p139,445 $IP
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-28 20:56 CEST
Nmap scan report for 192.168.239.148
Host is up (0.025s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp filtered microsoft-ds
Service Info: Host: RED
Host script results:
| smb-enum-shares:
| account_used: guest
| \\192.168.239.148\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (red server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\192.168.239.148\kathy:
| Type: STYPE_DISKTREE
| Comment: Fred, What are we doing here?
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\samba\
| Anonymous access: READ
| Current user access: READ
| \\192.168.239.148\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
| Current user access: <none>
| \\192.168.239.148\tmp:
| Type: STYPE_DISKTREE
| Comment: All temporary files should be stored here
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\tmp
| Anonymous access: READ/WRITE
|_ Current user access: READ/WRITE
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.27 seconds
Share mapping was successful: the target Samba server allows guest access.
Null Session
└─$ nxc smb $IP -u '' -p '' --shares --interfaces --port 139
SMB 192.168.239.148 139 RED [*] Unix - Samba (name:RED) (domain:) (signing:False) (SMBv1:True)
SMB 192.168.239.148 139 RED [+] \: (Guest)
SMB 192.168.239.148 139 RED [*] Enumerated shares
SMB 192.168.239.148 139 RED Share Permissions Remark
SMB 192.168.239.148 139 RED ----- ----------- ------
SMB 192.168.239.148 139 RED print$ Printer Drivers
SMB 192.168.239.148 139 RED kathy READ Fred, What are we doing here?
SMB 192.168.239.148 139 RED tmp READ,WRITE All temporary files should be stored here
SMB 192.168.239.148 139 RED IPC$ IPC Service (red server (Samba, Ubuntu))
Guest access has:
- both read and write access to the tmp share
- read access to the kathy share
Possible username disclosures: kathy and fred
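To turn the null-session share listing above into findings a defender can act on, here is an added Python example (not part of this writeup or of the nxc project) that parses the `--shares` table nxc prints and rates each share by what an unauthenticated guest may do; the sample lines are the ones captured above, and the smb.conf hints assume a stock Samba configuration.

```python
"""Audit anonymous-share permissions from an nxc `--shares` listing.

Added example, not part of the original writeup. Each share is rated by
what a null session may do and mapped to the smb.conf setting to review.
"""
import re
from dataclasses import dataclass

# Constructed sample: the nxc share table captured on this page.
NXC_OUTPUT = """\
SMB 192.168.239.148 139 RED [*] Enumerated shares
SMB 192.168.239.148 139 RED Share Permissions Remark
SMB 192.168.239.148 139 RED ----- ----------- ------
SMB 192.168.239.148 139 RED print$ Printer Drivers
SMB 192.168.239.148 139 RED kathy READ Fred, What are we doing here?
SMB 192.168.239.148 139 RED tmp READ,WRITE All temporary files should be stored here
SMB 192.168.239.148 139 RED IPC$ IPC Service (red server (Samba, Ubuntu))
"""

# The permissions column is READ, WRITE or READ,WRITE; anything else is remark text.
PERM_RE = re.compile(r"^(READ|WRITE)(,(READ|WRITE))*$")

@dataclass
class ShareFinding:
    share: str
    perms: frozenset
    remark: str
    severity: str  # "high", "medium" or "info"

def rate(share: str, perms: frozenset) -> str:
    """Anonymous write is the serious case: arbitrary upload into the share path."""
    if "WRITE" in perms:
        return "high"
    return "medium" if "READ" in perms and share != "IPC$" else "info"

def hardening_hint(f: ShareFinding) -> str:
    """Point at the smb.conf parameters that grant what the guest was given."""
    if f.severity == "high":
        return f"[{f.share}]: set 'writable = no' (or 'read only = yes') and 'guest ok = no'"
    if f.severity == "medium":
        return f"[{f.share}]: set 'guest ok = no' and restrict 'valid users'"
    return f"[{f.share}]: no anonymous access observed"

def parse_nxc_shares(text: str) -> list:
    """Return one ShareFinding per share row, skipping status and header lines."""
    findings = []
    for line in text.splitlines():
        fields = line.split(None, 5)  # proto ip port host share rest
        if len(fields) < 5 or fields[0] != "SMB":
            continue
        share, rest = fields[4], (fields[5] if len(fields) > 5 else "")
        if share.startswith("[") or share in ("Share", "-----"):
            continue  # "[*] ..." status line or table header/underline
        first, _, remark = rest.partition(" ")
        perms = frozenset(first.split(",")) if PERM_RE.match(first) else frozenset()
        if not perms:
            remark = rest  # no permissions column: whole remainder is the remark
        findings.append(ShareFinding(share, perms, remark, rate(share, perms)))
    return findings

if __name__ == "__main__":
    for finding in parse_nxc_shares(NXC_OUTPUT):
        print(f"{finding.severity:6} {hardening_hint(finding)}")
```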
tmp Share
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/stapler]
└─$ smbclient //$IP/tmp
lpcfg_do_global_parameter: WARNING: The "syslog" option is deprecated
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> put test
putting file test as \test (0.0 kb/s) (average 0.0 kb/s)
smb: \> ls
. D 0 Mon Apr 28 21:06:21 2025
.. D 0 Mon Jun 6 23:39:56 2016
test A 0 Mon Apr 28 21:06:21 2025
ls N 274 Sun Jun 5 17:32:58 2016
19478204 blocks of size 1024. 16129008 blocks available
As expected, write access is granted. There is a file, ls, in the tmp share.
ls
smb: \> more ls
getting file \ls of size 274 as /tmp/smbmore.9NYtB9 (2.6 KiloBytes/sec) (average 2.6 KiloBytes/sec)
.:
total 12.0K
drwxrwxrwt 2 root root 4.0K Jun 5 16:32 .
drwxr-xr-x 16 root root 4.0K Jun 3 22:06 ..
-rw-r--r-- 1 root root 0 Jun 5 16:32 ls
drwx------ 3 root root 4.0K Jun 5 15:32 systemd-private-df2bff9b90164a2eadc490c0b8f76087-systemd-timesyncd.service-vFKoxJ
smb: \> allinfo ls
altname: ls
create_time: Sun Jun 5 17:32:59 2016 CEST
access_time: Mon Apr 28 21:01:12 2025 CEST
write_time: Sun Jun 5 17:32:59 2016 CEST
change_time: Sun Jun 5 17:32:59 2016 CEST
attributes: (80)
stream: [::$DATA], 274 bytes
NT_STATUS_INVALID_DEVICE_REQUEST getting shadow copy data for \ls
?
kathy Share
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/stapler]
└─$ smbclient //$IP/kathy
lpcfg_do_global_parameter: WARNING: The "syslog" option is deprecated
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Jun 3 18:52:52 2016
.. D 0 Mon Jun 6 23:39:56 2016
kathy_stuff D 0 Sun Jun 5 17:02:27 2016
backup D 0 Sun Jun 5 17:04:14 2016
19478204 blocks of size 1024. 16129008 blocks available
Two directories are present in the kathy share: kathy_stuff and backup.
kathy_stuff Directory
smb: \> cd kathy_stuff\
smb: \kathy_stuff\> ls
. D 0 Sun Jun 5 17:02:27 2016
.. D 0 Fri Jun 3 18:52:52 2016
todo-list.txt N 64 Sun Jun 5 17:02:27 2016
19478204 blocks of size 1024. 16129008 blocks available
smb: \kathy_stuff\> more todo-list.txt
getting file \kathy_stuff\todo-list.txt of size 64 as /tmp/smbmore.FGGVTy (0.6 KiloBytes/sec) (average 0.6 KiloBytes/sec)
I'm making sure to backup anything important for Initech, Kathy
The kathy_stuff directory contains one file, todo-list.txt: a note about a backup for Initech.
backup Directory
smb: \> cd backup\
smb: \backup\> ls
. D 0 Sun Jun 5 17:04:14 2016
.. D 0 Fri Jun 3 18:52:52 2016
vsftpd.conf N 5961 Sun Jun 5 17:03:45 2016
wordpress-4.tar.gz N 6321767 Mon Apr 27 19:14:46 2015
19478204 blocks of size 1024. 16129008 blocks available
The backup directory contains a vsftpd configuration file and what appears to be a backup archive for WordPress.
vsftpd.conf
smb: \backup\> get vsftpd.conf
getting file \backup\vsftpd.conf of size 5961 as vsftpd.conf (52.9 KiloBytes/sec) (average 27.5 KiloBytes/sec)
Downloading the file
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/stapler/smb]
└─$ cat vsftpd.conf | grep -v '^#'
listen=YES
listen_ipv6=NO
anonymous_enable=YES
anon_root=/var/ftp/anonymous
local_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
banner_file=/etc/vsftpd.banner
chroot_local_user=YES
userlist_enable=YES
local_root=/etc
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
pasv_enable=no
Nothing notable
wordpress-4.tar.gz
smb: \backup\> get wordpress-4.tar.gz
getting file \backup\wordpress-4.tar.gz of size 6321767 as wordpress-4.tar.gz (3531.8 KiloBytes/sec) (average 3149.6 KiloBytes/sec)
Downloading the file
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/stapler/smb]
└─$ tar -xf wordpress-4.tar.gz
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/stapler/smb]
└─$ cd wordpress ; ls
index.php wp-activate.php wp-comments-post.php wp-cron.php wp-load.php wp-settings.php xmlrpc.php
license.txt wp-admin wp-config-sample.php wp-includes wp-login.php wp-signup.php
readme.html wp-blog-header.php wp-content wp-links-opml.php wp-mail.php wp-trackback.php
This is indeed a WordPress instance. However, the wp-config.php file is missing.
enum4linux
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/stapler]
└─$ enum4linux -a -r -o -n -A -U $IP
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Apr 28 20:59:54 2025
=========================================( Target Information )=========================================
Target ........... 192.168.239.148
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
==========================( Enumerating Workgroup/Domain on 192.168.239.148 )==========================
[+] Got domain/workgroup name: WORKGROUP
==============================( Nbtstat Information for 192.168.239.148 )==============================
Looking up status of 192.168.239.148
RED <00> - H <ACTIVE> Workstation Service
RED <03> - H <ACTIVE> Messenger Service
RED <20> - H <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> H <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> H <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - H <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> H <ACTIVE> Browser Service Elections
MAC Address = 00-00-00-00-00-00
==================================( Session Check on 192.168.239.148 )==================================
[+] Server 192.168.239.148 allows sessions using username '', password ''
===============================( Getting domain SID for 192.168.239.148 )===============================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
=================================( OS information on 192.168.239.148 )=================================
[E] Can't get OS info with smbclient
[+] Got OS info for 192.168.239.148 from srvinfo:
RED Wk Sv PrQ Unx NT SNT red server (Samba, Ubuntu)
platform_id : 500
os version : 6.1
server type : 0x809a03
======================================( Users on 192.168.239.148 )======================================
Use of uninitialized value $users in print at ./enum4linux.pl line 972.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 975.
Use of uninitialized value $users in print at ./enum4linux.pl line 986.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 988.
================================( Share Enumeration on 192.168.239.148 )================================
lpcfg_do_global_parameter: WARNING: The "syslog" option is deprecated
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
kathy Disk Fred, What are we doing here?
tmp Disk All temporary files should be stored here
IPC$ IPC IPC Service (red server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
[+] Attempting to map shares on 192.168.239.148
//192.168.239.148/print$ Mapping: DENIED Listing: N/A Writing: N/A
testing write access kathy
//192.168.239.148/kathy Mapping: OK Listing: OK Writing: DENIED
testing write access tmp
[E] rmdir command returned the following:
lpcfg_do_global_parameter: WARNING: The "syslog" option is deprecated
//192.168.239.148/tmp Mapping: OK Listing: OK Writing: OK
[E] Can't understand response:
lpcfg_do_global_parameter: WARNING: The "syslog" option is deprecated
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//192.168.239.148/IPC$ Mapping: N/A Listing: N/A Writing: N/A
==========================( Password Policy Information for 192.168.239.148 )==========================
[+] Attaching to 192.168.239.148 using a NULL share
[+] Trying protocol 139/SMB...
[+] Found domain(s):
[+] RED
[+] Builtin
[+] Password Info for Domain: RED
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: Not Set
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5
=====================================( Groups on 192.168.239.148 )=====================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
=================( Users on 192.168.239.148 via RID cycling (RIDS: 500-550,1000-1050) )=================
[I] Found new SID:
S-1-22-1
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[+] Enumerating users using SID S-1-5-21-864226560-67800430-3082388513 and logon username '', password ''
S-1-5-21-864226560-67800430-3082388513-501 RED\nobody (Local User)
S-1-5-21-864226560-67800430-3082388513-513 RED\None (Domain Group)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\peter (Local User)
S-1-22-1-1001 Unix User\RNunemaker (Local User)
S-1-22-1-1002 Unix User\ETollefson (Local User)
S-1-22-1-1003 Unix User\DSwanger (Local User)
S-1-22-1-1004 Unix User\AParnell (Local User)
S-1-22-1-1005 Unix User\SHayslett (Local User)
S-1-22-1-1006 Unix User\MBassin (Local User)
S-1-22-1-1007 Unix User\JBare (Local User)
S-1-22-1-1008 Unix User\LSolum (Local User)
S-1-22-1-1009 Unix User\IChadwick (Local User)
S-1-22-1-1010 Unix User\MFrei (Local User)
S-1-22-1-1011 Unix User\SStroud (Local User)
S-1-22-1-1012 Unix User\CCeaser (Local User)
S-1-22-1-1013 Unix User\JKanode (Local User)
S-1-22-1-1014 Unix User\CJoo (Local User)
S-1-22-1-1015 Unix User\Eeth (Local User)
S-1-22-1-1016 Unix User\LSolum2 (Local User)
S-1-22-1-1017 Unix User\JLipps (Local User)
S-1-22-1-1018 Unix User\jamie (Local User)
S-1-22-1-1019 Unix User\Sam (Local User)
S-1-22-1-1020 Unix User\Drew (Local User)
S-1-22-1-1021 Unix User\jess (Local User)
S-1-22-1-1022 Unix User\SHAY (Local User)
S-1-22-1-1023 Unix User\Taylor (Local User)
S-1-22-1-1024 Unix User\mel (Local User)
S-1-22-1-1025 Unix User\kai (Local User)
S-1-22-1-1026 Unix User\zoe (Local User)
S-1-22-1-1027 Unix User\NATHAN (Local User)
S-1-22-1-1028 Unix User\www (Local User)
S-1-22-1-1029 Unix User\elly (Local User)
==============================( Getting printer info for 192.168.239.148 )==============================
No printers returned.
enum4linux complete on Mon Apr 28 21:02:07 2025
30 users found.