Samba
Nmap discovered a Samba server on the target's port 445.
The running service is Samba smbd 4.7.6-Ubuntu.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/apex/smb]
└─$ nmap --script smb-enum-shares -sV -p445 $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-05 15:08 CET
Nmap scan report for 192.168.163.145
Host is up (0.023s latency).
PORT STATE SERVICE VERSION
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: Host: APEX
Host script results:
| smb-enum-shares:
| account_used: guest
| \\192.168.163.145\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (APEX server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\192.168.163.145\docs:
| Type: STYPE_DISKTREE
| Comment: Documents
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\www\html\source\Documents
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\192.168.163.145\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.63 seconds
Share mapping complete.
The target Samba server allows null sessions (login with an empty username and password)
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/apex/smb]
└─$ nxc smb $IP -u '' -p '' --shares --interfaces
SMB 192.168.163.145 445 APEX [*] Unix - Samba (name:APEX) (domain:) (signing:False) (SMBv1:True)
SMB 192.168.163.145 445 APEX [+] \: (Guest)
SMB 192.168.163.145 445 APEX [*] Enumerated shares
SMB 192.168.163.145 445 APEX Share Permissions Remark
SMB 192.168.163.145 445 APEX ----- ----------- ------
SMB 192.168.163.145 445 APEX print$ Printer Drivers
SMB 192.168.163.145 445 APEX docs READ Documents
SMB 192.168.163.145 445 APEX IPC$ IPC Service (APEX server (Samba, Ubuntu))
The docs share is the only non-default share.
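To make the share listing above actionable from the defender's side, here is an added Python example (not from the original notes) that parses nmap's smb-enum-shares output and flags non-default shares that grant anonymous access. The embedded sample is a constructed excerpt modelled on the scan above, and the DEFAULT_SHARES set of expected built-in share names is an assumption.

```python
"""Audit nmap smb-enum-shares output for non-default shares reachable anonymously."""
import re

# Share names Samba/Windows create by default (assumption); anything else is custom.
DEFAULT_SHARES = {"IPC$", "print$", "ADMIN$", "C$"}

# Share header line, e.g. "|   \\192.168.163.145\docs:"
SHARE_RE = re.compile(r"^\s*\|\s+\\\\[^\\]+\\(?P<name>[^:]+):\s*$")
# Field line under a share, e.g. "|_    Current user access: <none>"
FIELD_RE = re.compile(r"^\s*\|_?\s+(?P<key>[A-Za-z ]+):\s+(?P<value>.*)$")

# Constructed excerpt in the shape of the nmap output above (sample, not a live scan).
SAMPLE_NMAP = r"""| smb-enum-shares:
|   \\192.168.163.145\IPC$:
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\192.168.163.145\docs:
|     Path: C:\var\www\html\source\Documents
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\192.168.163.145\print$:
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|_    Current user access: <none>
"""

def parse_enum_shares(text):
    """Return {share_name: {field: value}} from smb-enum-shares script output."""
    shares, current = {}, None
    for line in text.splitlines():
        m = SHARE_RE.match(line)
        if m:
            current = m.group("name")
            shares[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            shares[current][m.group("key").strip()] = m.group("value").strip()
    return shares

def exposed_shares(shares):
    """Non-default shares granting anonymous READ or WRITE, as (name, access, path)."""
    return [(n, f.get("Anonymous access", "<none>"), f.get("Path", "?"))
            for n, f in shares.items()
            if n not in DEFAULT_SHARES and f.get("Anonymous access", "<none>") != "<none>"]

if __name__ == "__main__":
    for name, access, path in exposed_shares(parse_enum_shares(SAMPLE_NMAP)):
        print(f"[!] share {name} allows anonymous {access} (path {path})")
```

Run against a real scan with `nmap --script smb-enum-shares` saved to a file, the same two functions give a quick list of shares to lock down or review for sensitive content.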
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/apex/smb]
└─$ enum4linux -a -r -o -n -A -U $IP
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Feb 5 15:07:31 2025
=========================================( Target Information )=========================================
Target ........... 192.168.163.145
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
==========================( Enumerating Workgroup/Domain on 192.168.163.145 )==========================
[E] Can't find workgroup/domain
==============================( Nbtstat Information for 192.168.163.145 )==============================
Looking up status of 192.168.163.145
No reply from 192.168.163.145
==================================( Session Check on 192.168.163.145 )==================================
[+] Server 192.168.163.145 allows sessions using username '', password ''
===============================( Getting domain SID for 192.168.163.145 )===============================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
=================================( OS information on 192.168.163.145 )=================================
[E] Can't get OS info with smbclient
[+] Got OS info for 192.168.163.145 from srvinfo:
APEX Wk Sv PrQ Unx NT SNT APEX server (Samba, Ubuntu)
platform_id : 500
os version : 6.1
server type : 0x809a03
======================================( Users on 192.168.163.145 )======================================
Use of uninitialized value $users in print at ./enum4linux.pl line 972.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 975.
Use of uninitialized value $users in print at ./enum4linux.pl line 986.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 988.
================================( Share Enumeration on 192.168.163.145 )================================
do_connect: Connection to 192.168.163.145 failed (Error NT_STATUS_IO_TIMEOUT)
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
docs Disk Documents
IPC$ IPC IPC Service (APEX server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 192.168.163.145
//192.168.163.145/print$ Mapping: DENIED Listing: N/A Writing: N/A
testing write access docs
//192.168.163.145/docs Mapping: OK Listing: OK Writing: DENIED
[E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//192.168.163.145/IPC$ Mapping: N/A Listing: N/A Writing: N/A
==========================( Password Policy Information for 192.168.163.145 )==========================
[+] Attaching to 192.168.163.145 using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: [Errno Connection error (192.168.163.145:139)] timed out
[+] Trying protocol 445/SMB...
[+] Found domain(s):
[+] APEX
[+] Builtin
[+] Password Info for Domain: APEX
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: 37 days 6 hours 21 minutes
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: 37 days 6 hours 21 minutes
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5
=====================================( Groups on 192.168.163.145 )=====================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
=================( Users on 192.168.163.145 via RID cycling (RIDS: 500-550,1000-1050) )=================
[I] Found new SID:
S-1-22-1
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\white (Local User)
[+] Enumerating users using SID S-1-5-21-2882148051-151560589-3722729970 and logon username '', password ''
S-1-5-21-2882148051-151560589-3722729970-501 APEX\nobody (Local User)
S-1-5-21-2882148051-151560589-3722729970-513 APEX\None (Domain Group)
==============================( Getting printer info for 192.168.163.145 )==============================
No printers returned.
enum4linux complete on Wed Feb 5 15:10:13 2025
Null Session
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/apex/smb]
└─$ smbclient //$IP/docs
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Apr 9 17:47:12 2021
.. D 0 Fri Apr 9 17:47:12 2021
OpenEMR Success Stories.pdf A 290738 Fri Apr 9 17:47:12 2021
OpenEMR Features.pdf A 490355 Fri Apr 9 17:47:12 2021
16446332 blocks of size 1024. 10835284 blocks available
There are 2 PDF files about an open-source medical practice management software in the docs share.
Those are likely relevant to the target web application, as it is a website for a hospital.
docs Share
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/apex/smb]
└─$ smbget smb://$IP/docs -U '' -N -e --recursive
Using guest user
Encryption required and setup failed with error NT_STATUS_INVALID_PARAMETER_MIX.
Using guest user
smb://192.168.163.145/docs/OpenEMR Success Stories.pdf
Using guest user
smb://192.168.163.145/docs/OpenEMR Features.pdf
Downloaded 762.79kB in 1 seconds
Downloading
OpenEMR Success Stories.pdf
The OpenEMR Success Stories.pdf file is a 4-page PDF outlining a success story of the open-source medical practice management software OpenEMR.
No notable information found.
Metadata
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/apex/smb]
└─$ exiftool -a OpenEMR\ Success\ Stories.pdf
ExifTool Version Number : 13.10
File Name : OpenEMR Success Stories.pdf
Directory : .
File Size : 291 kB
File Modification Date/Time : 2025:02:05 15:14:25+01:00
File Access Date/Time : 2025:02:05 15:15:19+01:00
File Inode Change Date/Time : 2025:02:05 15:14:25+01:00
File Permissions : -rwxr-xr-x
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
PDF Version : 1.4
Linearized : No
Page Count : 4
Tagged PDF : Yes
Creator : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Producer : Skia/PDF m89
Create Date : 2021:04:03 14:24:24+00:00
Modify Date : 2021:04:03 14:24:24+00:00
OpenEMR Features.pdf
The OpenEMR Features.pdf file is a 5-page PDF showcasing OpenEMR's features.
Metadata
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/apex/smb]
└─$ exiftool -a OpenEMR\ Features.pdf
ExifTool Version Number : 13.10
File Name : OpenEMR Features.pdf
Directory : .
File Size : 490 kB
File Modification Date/Time : 2025:02:05 15:14:25+01:00
File Access Date/Time : 2025:02:05 15:19:45+01:00
File Inode Change Date/Time : 2025:02:05 15:14:25+01:00
File Permissions : -rwxr-xr-x
File Type : PDF
File Type Extension : pdf
MIME Type : application/pdf
PDF Version : 1.4
Linearized : No
Page Count : 5
Creator : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Producer : Skia/PDF m89
Create Date : 2021:04:03 14:23:32+00:00
Modify Date : 2021:04:03 14:23:32+00:00