SMB


Nmap discovered a Windows Directory server on port 445 of the 192.168.103.188 host.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/craft2]
└─$ nmap -Pn --script smb-enum-shares -sV -p139,445 $IP
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-04 18:14 CEST
Nmap scan report for 192.168.103.188
Host is up (0.020s latency).
 
PORT    STATE    SERVICE       VERSION
139/tcp filtered netbios-ssn
445/tcp open     microsoft-ds?
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.38 seconds

Share mapping failed.

Null Session


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/craft2]
└─$ nxc smb $IP -u 'blah' -p 'blah' --shares --interfaces  
SMB         192.168.103.188 445    CRAFT2           [*] Windows 10 / Server 2019 Build 17763 x64 (name:CRAFT2) (domain:CRAFT2) (signing:False) (SMBv1:False)
SMB         192.168.103.188 445    CRAFT2           [-] CRAFT2\blah:blah STATUS_LOGON_FAILURE 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/craft2]
└─$ nxc smb $IP -u '' -p '' --shares --interfaces  
SMB         192.168.103.188 445    CRAFT2           [*] Windows 10 / Server 2019 Build 17763 x64 (name:CRAFT2) (domain:CRAFT2) (signing:False) (SMBv1:False)
SMB         192.168.103.188 445    CRAFT2           [-] CRAFT2\: STATUS_ACCESS_DENIED 
SMB         192.168.103.188 445    CRAFT2           [-] Error enumerating shares: Error occurs while reading from remote(104)

The target SMB server allows neither guest nor anonymous access.

thecybergeek Session


The credential of the thecybergeek user was leaked through the phishing attack and cracked at a later stage.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/craft2]
└─$ nxc smb $IP -u 'thecybergeek' -p 'winniethepooh' --shares --interfaces 
SMB         192.168.103.188 445    CRAFT2           [*] Windows 10 / Server 2019 Build 17763 x64 (name:CRAFT2) (domain:CRAFT2) (signing:False) (SMBv1:False)
SMB         192.168.103.188 445    CRAFT2           [+] CRAFT2\thecybergeek:winniethepooh 
SMB         192.168.103.188 445    CRAFT2           [*] Enumerated shares
SMB         192.168.103.188 445    CRAFT2           Share           Permissions     Remark
SMB         192.168.103.188 445    CRAFT2           -----           -----------     ------
SMB         192.168.103.188 445    CRAFT2           ADMIN$                          Remote Admin
SMB         192.168.103.188 445    CRAFT2           C$                              Default share
SMB         192.168.103.188 445    CRAFT2           IPC$            READ            Remote IPC
SMB         192.168.103.188 445    CRAFT2           WebApp          READ,WRITE

Authentication succeeded. WebApp is the only non-default share, and the thecybergeek user has both read and write access to it.
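The same reading of the share listing can be automated when reviewing many hosts. The parser below is an added example, not part of the original notes: it takes nxc output in the format shown above and flags the signing:False banner and any non-default share the account can write to. The function names and the DEFAULT_SHARES set are assumptions made for this example.

```python
import re

# Lines copied from the nxc run above; the "[+]" login line is omitted.
NXC_OUTPUT = r"""
SMB         192.168.103.188 445    CRAFT2           [*] Windows 10 / Server 2019 Build 17763 x64 (name:CRAFT2) (domain:CRAFT2) (signing:False) (SMBv1:False)
SMB         192.168.103.188 445    CRAFT2           [*] Enumerated shares
SMB         192.168.103.188 445    CRAFT2           Share           Permissions     Remark
SMB         192.168.103.188 445    CRAFT2           -----           -----------     ------
SMB         192.168.103.188 445    CRAFT2           ADMIN$                          Remote Admin
SMB         192.168.103.188 445    CRAFT2           C$                              Default share
SMB         192.168.103.188 445    CRAFT2           IPC$            READ            Remote IPC
SMB         192.168.103.188 445    CRAFT2           WebApp          READ,WRITE
"""

DEFAULT_SHARES = {"ADMIN$", "C$", "IPC$"}  # the default shares in this listing
PREFIX = re.compile(r"^SMB\s+\S+\s+\d+\s+\S+\s+(?P<body>.*)$")
FLAG = re.compile(r"\((signing|SMBv1):(True|False)\)")
PERMS = re.compile(r"^(?:READ|WRITE)(?:,(?:READ|WRITE))*$")

def parse_nxc(text):
    """Parse one host's output into banner flags and {share: set_of_permissions}."""
    flags, shares, in_table = {}, {}, False
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        body = m.group("body").rstrip()
        if body.startswith("[*]") and "signing:" in body:
            flags = {k: v == "True" for k, v in FLAG.findall(body)}
        elif body.startswith("-----"):
            in_table = True  # share rows follow the dashed separator
        elif in_table and body and not body.startswith("["):
            cols = body.split()  # assumes share names contain no spaces
            has_perms = len(cols) > 1 and PERMS.match(cols[1])
            shares[cols[0]] = set(cols[1].split(",")) if has_perms else set()
    return {"flags": flags, "shares": shares}

def findings(parsed):
    """Flag a signing:False banner and writable non-default shares."""
    out = []
    if parsed["flags"].get("signing") is False:
        out.append("banner reports signing:False")
    for name, perms in sorted(parsed["shares"].items()):
        if name not in DEFAULT_SHARES and "WRITE" in perms:
            out.append(f"non-default share {name} is writable by this account")
    return out

if __name__ == "__main__":
    print("\n".join(findings(parse_nxc(NXC_OUTPUT))))
```
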

WebApp Share


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/craft2]
└─$ smbclient //craft.offsec/WebApp -U 'thecybergeek%winniethepooh'     
lpcfg_do_global_parameter: WARNING: The "syslog" option is deprecated
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Jul  4 18:59:49 2025
  ..                                  D        0  Fri Jul  4 18:59:49 2025
  assets                              D        0  Tue Apr  5 18:16:03 2022
  css                                 D        0  Tue Apr  5 18:16:03 2022
  index.php                           A     9768  Mon Jan 31 17:21:52 2022
  js                                  D        0  Tue Apr  5 18:16:03 2022
  upload.php                          A      896  Mon Jan 31 16:23:02 2022
  uploads                             D        0  Fri Jul  4 18:52:08 2025
 
		10327807 blocks of size 4096. 1587950 blocks available

This appears to be the web root directory. Code execution is possible by uploading a malicious PHP file to the WebApp share.