NetExec
SMB: incorrect share permissions
Describe the bug
Working on Proving Grounds machine Craft2 from Offsec, I encountered a situation where NetExec reported share permissions as READ only, even though WRITE was allowed (and actually required for exploitation).
To Reproduce
List SMB shares:
┌──(kali㉿kali)-[~/craft2]
└─$ nxc smb 192.168.229.188 -u thecybergeek -p winniethepooh --shares
SMB 192.168.229.188 445 CRAFT2 [*] Windows 10 / Server 2019 Build 17763 x64 (name:CRAFT2) (domain:CRAFT2) (signing:False) (SMBv1:False)
SMB 192.168.229.188 445 CRAFT2 [+] CRAFT2\thecybergeek:winniethepooh
SMB 192.168.229.188 445 CRAFT2 [*] Enumerated shares
SMB 192.168.229.188 445 CRAFT2 Share Permissions Remark
SMB 192.168.229.188 445 CRAFT2 ----- ----------- ------
SMB 192.168.229.188 445 CRAFT2 ADMIN$ Remote Admin
SMB 192.168.229.188 445 CRAFT2 C$ Default share
SMB 192.168.229.188 445 CRAFT2 IPC$ READ Remote IPC
SMB 192.168.229.188 445 CRAFT2 WebApp READ
Share WebApp has only permission READ listed. We can however upload a file in this share:
┌──(kali㉿kali)-[~/craft2]
└─$ echo test > test.txt
┌──(kali㉿kali)-[~/craft2]
└─$ nxc smb 192.168.229.188 -u thecybergeek -p winniethepooh --share WebApp --put-file test.txt '\\test.txt'
SMB 192.168.229.188 445 CRAFT2 [*] Windows 10 / Server 2019 Build 17763 x64 (name:CRAFT2) (domain:CRAFT2) (signing:False) (SMBv1:False)
SMB 192.168.229.188 445 CRAFT2 [+] CRAFT2\thecybergeek:winniethepooh
SMB 192.168.229.188 445 CRAFT2 [*] Copying test.txt to \\test.txt
SMB 192.168.229.188 445 CRAFT2 [+] Created file test.txt on \\WebApp\\\test.txt
┌──(kali㉿kali)-[~/craft2]
└─$ nxc smb 192.168.229.188 -u thecybergeek -p winniethepooh --share WebApp --get-file '\\test.txt' verify.txt
SMB 192.168.229.188 445 CRAFT2 [*] Windows 10 / Server 2019 Build 17763 x64 (name:CRAFT2) (domain:CRAFT2) (signing:False) (SMBv1:False)
SMB 192.168.229.188 445 CRAFT2 [+] CRAFT2\thecybergeek:winniethepooh
SMB 192.168.229.188 445 CRAFT2 [*] Copying "\\test.txt" to "verify.txt"
SMB 192.168.229.188 445 CRAFT2 [+] File "\\test.txt" was downloaded to "verify.txt"
┌──(kali㉿kali)-[~/craft2]
└─$ cat verify.txt
test
Expected behavior
Correctly recognize share permissions.
NetExec info
- OS: Kali
- Version of nxc: 1.1.0
- Installed from: github (pipx install git+https://github.com/Pennyw0rth/NetExec)
@tstdin I don't have an Offsec subscription, is this something you are able to assist us with fixing?
@Marshall-Hallenbeck Yes, I can try. Let me know what information would help.
@tstdin Are you able to create a folder inside the WebApp share, or just a file?
I also noticed that the output for fetching a file doesn't prepend the share name, so we should probably fix that as well.
Yes, creating folder works fine.
$ smbclient -U thecybergeek \\\\192.168.229.188\\WebApp
Password for [WORKGROUP\thecybergeek]:
smb: \> mkdir test
smb: \> cd test
smb: \test\> put test.txt
putting file test.txt as \test\test.txt (0.1 kb/s) (average 0.1 kb/s)
smb: \test\> ls
. D 0 Sat Feb 17 16:00:25 2024
.. D 0 Sat Feb 17 16:00:25 2024
test.txt A 5 Sat Feb 17 16:00:25 2024
That is indeed weird, netexec checks the read/write permissions with listing and creating/deleting a folder. Can you provide an output with nxc --debug?
$ nxc --debug smb 192.168.229.188 -u thecybergeek -p winniethepooh --shares
[19:04:34] DEBUG PYTHON VERSION: 3.11.7 (main, Dec 8 2023, 14:22:46) [GCC 13.2.0] netexec.py:89
DEBUG RUNNING ON: Linux Release: 6.6.9-amd64 netexec.py:90
DEBUG Passed args: Namespace(threads=100, timeout=None, jitter=None, no_progress=False, verbose=False, debug=True, version=False, netexec.py:91
protocol='smb', target=['192.168.229.188'], cred_id=[], username=['thecybergeek'], password=['winniethepooh'],
ignore_pw_decoding=False, kerberos=False, no_bruteforce=False, continue_on_success=False, use_kcache=False, log=None,
aesKey=None, kdcHost=None, gfail_limit=None, ufail_limit=None, fail_limit=None, module=None, module_options=[],
list_modules=False, show_module_options=False, server='https', server_host='0.0.0.0', server_port=None,
connectback_host=None, hash=[], delegate=None, no_s4u2proxy=False, domain=None, local_auth=False, port=445, share='C$',
smb_server_port=445, gen_relay_list=None, smb_timeout=2, laps=None, sam=False, lsa=False, ntds=None, dpapi=None, mkfile=None,
pvk=None, enabled=False, userntds=None, shares=True, no_write_check=False, filter_shares=None, sessions=False, disks=False,
loggedon_users_filter=None, loggedon_users=False, users=None, groups=None, computers=None, local_groups=None, pass_pol=False,
rid_brute=None, wmi=None, wmi_namespace='root\\cimv2', spider=None, spider_folder='.', content=False, exclude_dirs='',
pattern=None, regex=None, depth=None, only_files=False, put_file=None, get_file=None, append_host=False, exec_method=None,
dcom_timeout=5, get_output_tries=5, codec='utf-8', force_ps32=False, no_output=False, execute=None, ps_execute=None,
obfs=False, amsi_bypass=None, clear_obfscripts=False)
DEBUG Protocol: smb netexec.py:145
DEBUG Protocol Path: /home/kali/.local/share/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/smb.py netexec.py:148
DEBUG Protocol DB Path: /home/kali/.local/share/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/smb/database.py netexec.py:150
DEBUG Protocol Object: <class 'protocol.smb'> netexec.py:153
DEBUG Protocol DB Object: <class 'protocol.database'> netexec.py:155
DEBUG DB Path: /home/kali/.nxc/workspaces/default/smb.db netexec.py:158
DEBUG Using selector: EpollSelector selector_events.py:54
DEBUG Creating ThreadPoolExecutor netexec.py:47
DEBUG Creating thread for <class 'protocol.smb'> netexec.py:50
INFO Socket info: host=192.168.229.188, hostname=192.168.229.188, kerberos=False, ipv6=False, link-local ipv6=False connection.py:104
DEBUG Kicking off proto_flow connection.py:164
INFO Error creating SMBv1 connection to 192.168.229.188: Error occurs while reading from remote(104) smb.py:487
DEBUG Created connection object connection.py:167
DEBUG Update Hosts: [{'id': 3, 'ip': '192.168.229.188', 'hostname': 'CRAFT2', 'domain': 'CRAFT2', 'os': 'Windows 10 / Server 2019 database.py:280
Build 17763', 'dc': None, 'smbv1': False, 'signing': False, 'spooler': None, 'zerologon': None, 'petitpotam': None}]
DEBUG add_host() - Host IDs Updated: [3] database.py:290
DEBUG Error logging off system: Error occurs while reading from remote(104) smb.py:246
SMB 192.168.229.188 445 CRAFT2 [*] Windows 10 / Server 2019 Build 17763 x64 (name:CRAFT2) (domain:CRAFT2) (signing:False) (SMBv1:False)
INFO SMB 192.168.229.188 445 CRAFT2 [*] Windows 10 / Server 2019 Build 17763 x64 (name:CRAFT2) logger.py:121
(domain:CRAFT2) (signing:False) (SMBv1:False)
DEBUG Trying to authenticate using plaintext with domain connection.py:407
INFO Error creating SMBv1 connection to 192.168.229.188: Error occurs while reading from remote(104) smb.py:487
[19:04:35] DEBUG Adding credential: CRAFT2/thecybergeek:winniethepooh smb.py:365
DEBUG Adding credentials: [{'id': 2, 'domain': 'CRAFT2', 'username': 'thecybergeek', 'password': 'winniethepooh', 'credtype': database.py:347
'plaintext', 'pillaged_from_hostid': None}]
DEBUG smb hosts() - results: [(3, '192.168.229.188', 'CRAFT2', 'CRAFT2', 'Windows 10 / Server 2019 Build 17763', None, False, database.py:495
False, None, None, None)]
SMB 192.168.229.188 445 CRAFT2 [+] CRAFT2\thecybergeek:winniethepooh
INFO SMB 192.168.229.188 445 CRAFT2 [+] CRAFT2\thecybergeek:winniethepooh logger.py:121
DEBUG Calling command arguments connection.py:174
DEBUG Calling shares() connection.py:195
DEBUG domain: CRAFT2 smb.py:703
[19:04:36] INFO Shares returned: [<impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at 0x7fddeb67fcd0>, <impacket.dcerpc.v5.srvs.SHARE_INFO_1 object smb.py:711
at 0x7fddeb67fe50>, <impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at 0x7fddeb67ffd0>, <impacket.dcerpc.v5.srvs.SHARE_INFO_1
object at 0x7fddeb68c190>]
DEBUG Error checking READ access on share: STATUS_ACCESS_DENIED smb.py:739
DEBUG Error checking WRITE access on share: STATUS_ACCESS_DENIED smb.py:749
DEBUG Error checking READ access on share: STATUS_ACCESS_DENIED smb.py:739
DEBUG Error checking WRITE access on share: STATUS_ACCESS_DENIED smb.py:749
DEBUG Error checking WRITE access on share: STATUS_PRIVILEGE_NOT_HELD smb.py:749
DEBUG Error checking WRITE access on share: STATUS_ACCESS_DENIED smb.py:749
SMB 192.168.229.188 445 CRAFT2 [*] Enumerated shares
INFO SMB 192.168.229.188 445 CRAFT2 [*] Enumerated shares logger.py:121
SMB 192.168.229.188 445 CRAFT2 Share Permissions Remark
INFO SMB 192.168.229.188 445 CRAFT2 Share Permissions Remark logger.py:121
SMB 192.168.229.188 445 CRAFT2 ----- ----------- ------
INFO SMB 192.168.229.188 445 CRAFT2 ----- ----------- ------ logger.py:121
SMB 192.168.229.188 445 CRAFT2 ADMIN$ Remote Admin
INFO SMB 192.168.229.188 445 CRAFT2 ADMIN$ Remote Admin logger.py:121
SMB 192.168.229.188 445 CRAFT2 C$ Default share
INFO SMB 192.168.229.188 445 CRAFT2 C$ Default share logger.py:121
SMB 192.168.229.188 445 CRAFT2 IPC$ READ Remote IPC
INFO SMB 192.168.229.188 445 CRAFT2 IPC$ READ Remote IPC logger.py:121
SMB 192.168.229.188 445 CRAFT2 WebApp READ
INFO SMB 192.168.229.188 445 CRAFT2 WebApp READ logger.py:121
Could it be that you are using an account that is a local admin and trying to create a directory/file in a place where you would need Admin privileges, so UAC is preventing the write access?
That would not explain why smbclient is able to do it tho.
Adding more context.
User:
PS C:\xampp\htdocs> whoami /all
whoami /all
USER INFORMATION
----------------
User Name SID
=================== ============================================
craft2\thecybergeek S-1-5-21-537427935-490066102-1511301751-1001
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
Upload directory permissions:
PS C:\xampp\htdocs> icacls .
icacls .
. CRAFT2\apache:(OI)(CI)(F)
CRAFT2\apache:(I)(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
BUILTIN\Users:(I)(CI)(AD)
BUILTIN\Users:(I)(CI)(WD)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Can you run smbclient with debug flag @tstdin ?
$ smbclient -d 5 -U thecybergeek \\\\192.168.229.188\\WebApp
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
scavenger: 5
dns: 5
ldb: 5
tevent: 5
auth_audit: 5
auth_json_audit: 5
kerberos: 5
drs_repl: 5
smb2: 5
smb2_credits: 5
dsdb_audit: 5
dsdb_json_audit: 5
dsdb_password_audit: 5
dsdb_password_json_audit: 5
dsdb_transaction_audit: 5
dsdb_transaction_json_audit: 5
dsdb_group_audit: 5
dsdb_group_json_audit: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
scavenger: 5
dns: 5
ldb: 5
tevent: 5
auth_audit: 5
auth_json_audit: 5
kerberos: 5
drs_repl: 5
smb2: 5
smb2_credits: 5
dsdb_audit: 5
dsdb_json_audit: 5
dsdb_password_audit: 5
dsdb_password_json_audit: 5
dsdb_transaction_audit: 5
dsdb_transaction_json_audit: 5
dsdb_group_audit: 5
dsdb_group_json_audit: 5
Processing section "[global]"
doing parameter client min protocol = LANMAN1
doing parameter workgroup = WORKGROUP
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter logging = file
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter server role = standalone server
doing parameter obey pam restrictions = yes
doing parameter unix password sync = yes
doing parameter passwd program = /usr/bin/passwd %u
doing parameter passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
doing parameter pam password change = yes
doing parameter map to guest = bad user
doing parameter usershare allow guests = yes
pm_process() returned Yes
added interface eth0 ip=192.168.124.56 bcast=192.168.124.255 netmask=255.255.255.0
Password for [WORKGROUP\thecybergeek]:
Client started (version 4.19.4-Debian).
Connecting to 192.168.229.188 at port 445
Connecting to 192.168.229.188 at port 139
socket options: SO_KEEPALIVE=0, SO_REUSEADDR=0, SO_BROADCAST=0, TCP_NODELAY=1, TCP_KEEPCNT=9, TCP_KEEPIDLE=7200, TCP_KEEPINTVL=75, IPTOS_LOWDELAY=0, IPTOS_THROUGHPUT=0, SO_REUSEPORT=0, SO_SNDBUF=46080, SO_RCVBUF=131072, SO_SNDLOWAT=1, SO_RCVLOWAT=1, SO_SNDTIMEO=0, SO_RCVTIMEO=0, TCP_QUICKACK=1, TCP_DEFER_ACCEPT=0, TCP_USER_TIMEOUT=0
session request ok
negotiated dialect[SMB3_11] against server[192.168.229.188]
cli_session_setup_spnego_send: Connect to 192.168.229.188 as thecybergeek@WORKGROUP using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'ncalrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
Cannot do GSE to an IP address
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INVALID_PARAMETER
Starting GENSEC submechanism ntlmssp
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_TARGET_TYPE_SERVER
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_TARGET_INFO
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
NTLMSSP_NEGOTIATE_VERSION
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
session setup ok
signed SMB2 message (sign_algo_id=1)
signed SMB2 message (sign_algo_id=1)
tconx ok
Try "help" to get a list of possible commands.
smb: \>
Additional details:
PS C:\> Get-SmbServerConfiguration
AnnounceComment :
AnnounceServer : False
AsynchronousCredits : 512
AuditSmb1Access : False
AutoDisconnectTimeout : 15
AutoShareServer : True
AutoShareWorkstation : True
CachedOpenLimit : 10
DurableHandleV2TimeoutInSeconds : 180
EnableAuthenticateUserSharing : False
EnableDownlevelTimewarp : False
EnableForcedLogoff : True
EnableLeasing : True
EnableMultiChannel : True
EnableOplocks : True
EnableSecuritySignature : False
EnableSMB1Protocol : False
EnableSMB2Protocol : True
EnableStrictNameChecking : True
EncryptData : False
IrpStackSize : 15
KeepAliveTime : 2
MaxChannelPerSession : 32
MaxMpxCount : 50
MaxSessionPerConnection : 16384
MaxThreadsPerQueue : 20
MaxWorkItems : 1
NullSessionPipes :
NullSessionShares :
OplockBreakWait : 35
PendingClientTimeoutInSeconds : 120
RejectUnencryptedAccess : True
RequireSecuritySignature : False
ServerHidden : True
Smb2CreditsMax : 8192
Smb2CreditsMin : 512
SmbServerNameHardeningLevel : 0
TreatHostAsStableStorage : False
ValidateAliasNotCircular : True
ValidateShareScope : True
ValidateShareScopeNotAliased : True
ValidateTargetName : True
PS C:\> Get-SmbShare
Name ScopeName Path Description
---- --------- ---- -----------
ADMIN$ * C:\Windows Remote Admin
C$ * C:\ Default share
IPC$ * Remote IPC
WebApp * C:\xampp\htdocs
PS C:\> Get-SmbShare -Name "WebApp" |Format-List -Property *
PresetPathAcl : System.Security.AccessControl.DirectorySecurity
ShareState : Online
AvailabilityType : NonClustered
ShareType : FileSystemDirectory
FolderEnumerationMode : Unrestricted
CachingMode : Manual
LeasingMode : Full
SmbInstance : Default
CATimeout : 0
ConcurrentUserLimit : 0
ContinuouslyAvailable : False
CurrentUsers : 1
Description :
EncryptData : False
IdentityRemoting : False
Infrastructure : False
Name : WebApp
Path : C:\xampp\htdocs
Scoped : False
ScopeName : *
SecurityDescriptor : O:SYG:SYD:(A;;FA;;;BA)(A;;0x1301bf;;;BU)
ShadowCopy : False
Special : False
Temporary : False
Volume : \\?\Volume{1035ea41-fdc8-4bce-b377-1a91433daebb}\
PSComputerName :
CimClass : ROOT/Microsoft/Windows/SMB:MSFT_SmbShare
CimInstanceProperties : {AvailabilityType, CachingMode, CATimeout, ConcurrentUserLimit...}
CimSystemProperties : Microsoft.Management.Infrastructure.CimSystemProperties
PS C:\> Get-Acl -Path C:\xampp\htdocs | Format-List
Path : Microsoft.PowerShell.Core\FileSystem::C:\xampp\htdocs
Owner : BUILTIN\Administrators
Group : CRAFT2\None
Access : CRAFT2\apache Allow FullControl
CRAFT2\apache Allow FullControl
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
BUILTIN\Users Allow ReadAndExecute, Synchronize
BUILTIN\Users Allow AppendData
BUILTIN\Users Allow CreateFiles
CREATOR OWNER Allow 268435456
Audit :
Sddl : O:BAG:S-1-5-21-537427935-490066102-1511301751-513D:AI(A;OICI;FA;;;S-1-5-21-537427935-490066102-1511301751-1000
)(A;OICIID;FA;;;S-1-5-21-537427935-490066102-1511301751-1000)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)(A;OICIID;0x1
200a9;;;BU)(A;CIID;LC;;;BU)(A;CIID;DC;;;BU)(A;OICIIOID;GA;;;CO)
I think I understand why, can you delete the directory you just created ?
We check if you can create and delete, but if delete fails, then it's like create didn't work either
try:
    self.conn.createDirectory(share_name, temp_dir)
    self.conn.deleteDirectory(share_name, temp_dir)
    write = True
    share_info["access"].append("WRITE")
except SessionError as e:
    error = get_error_string(e)
    self.logger.debug(f"Error checking WRITE access on share: {error}")
So my guess: you can create but not delete, which seems about what we saw in the Get-Acl output
BUILTIN\Users Allow ReadAndExecute, Synchronize
BUILTIN\Users Allow AppendData
BUILTIN\Users Allow CreateFiles
So yep, this is a bug, congrats on the finding! 🎉
https://github.com/Pennyw0rth/NetExec/blob/fe179b006a7bdca7887af67e60b0afe80e4fd9f2/nxc/protocols/smb.py#L743C20-L744C68
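Added example, not NetExec's code: a write probe that records each step on its own, so a denied delete or a denied directory create does not hide a write that did succeed. `probe_write`, `FakeConn` and the local `SessionError` are hypothetical names; the four methods called on `conn` are the ones impacket's SMBConnection exposes, and the fake connections are constructed so the block runs without a server.

```python
import io
import uuid


class SessionError(Exception):
    """Stand-in for impacket.smbconnection.SessionError (offline example)."""


def probe_write(conn, share, errors=(SessionError,)):
    """Try each write-type operation separately and record every outcome.

    `conn` needs createDirectory, deleteDirectory, putFile and deleteFile,
    called with the same arguments impacket's SMBConnection takes.
    """
    dir_name = "\\" + uuid.uuid4().hex[:10]
    file_name = dir_name + ".txt"
    outcome = {"create_dir": False, "delete_dir": None,
               "create_file": False, "delete_file": None}

    def attempt(step, func, *args):
        try:
            func(*args)
            outcome[step] = True
        except errors:
            outcome[step] = False
        return outcome[step]

    # A delete is only attempted, and only judged, after its create worked.
    if attempt("create_dir", conn.createDirectory, share, dir_name):
        attempt("delete_dir", conn.deleteDirectory, share, dir_name)
    if attempt("create_file", conn.putFile, share, file_name,
               io.BytesIO(b"probe").read):
        attempt("delete_file", conn.deleteFile, share, file_name)

    access = ["WRITE"] if outcome["create_dir"] or outcome["create_file"] else []
    # Objects that were created but could not be removed need manual cleanup.
    leftovers = [path for step, path in (("delete_dir", dir_name),
                                         ("delete_file", file_name))
                 if outcome[step] is False]
    return access, outcome, leftovers


class FakeConn:
    """Constructed stand-in: every method named in `denied` raises."""

    def __init__(self, denied):
        self.denied = set(denied)

    def __getattr__(self, method):
        def call(*args):
            if method in self.denied:
                raise SessionError("STATUS_ACCESS_DENIED")
        return call


def demo():
    """Three constructed servers: dir create denied, dir delete denied, read-only."""
    return {
        "dir_create_denied": probe_write(FakeConn({"createDirectory"}), "WebApp"),
        "dir_delete_denied": probe_write(FakeConn({"deleteDirectory"}), "WebApp"),
        "read_only": probe_write(FakeConn({"createDirectory", "putFile"}), "WebApp"),
    }


if __name__ == "__main__":
    for case, (access, outcome, leftovers) in demo().items():
        print(case, access, outcome, leftovers)
```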
@mpgn Weirdly, I am actually able to successfully delete the directory using smbclient.
Is the setup something we can easily recreate for testing?
I don't think so. I can try to give you more details regarding the error, but sadly without having a subscription from Offsec, you probably cannot have access to the machine :face_exhaling:
I did a small change to print more details:
[...]
INFO Creating directory \tiTVMWUhOn in share WebApp smb.py:743
DEBUG Error checking WRITE access on share: STATUS_ACCESS_DENIED smb.py:752
╭─────────────────────────────── Traceback (most recent call last) ────────────────────────────────╮
│ /home/kali/.cache/pypoetry/virtualenvs/netexec-cOeBu7w8-py3.11/lib/python3.11/site-packages/impa │
│ cket/smbconnection.py:652 in createDirectory │
│ │
│ 649 │ │ :raise SessionError: if error │
│ 650 │ │ """ │
│ 651 │ │ try: │
│ ❱ 652 │ │ │ return self._SMBConnection.mkdir(shareName, pathName) │
│ 653 │ │ except (smb.SessionError, smb3.SessionError) as e: │
│ 654 │ │ │ raise SessionError(e.get_error_code(), e.get_error_packet()) │
│ 655 │
│ │
│ ╭────────────────────────────────── locals ───────────────────────────────────╮ │
│ │ pathName = '\\tiTVMWUhOn' │ │
│ │ self = <impacket.smbconnection.SMBConnection object at 0x7f0064eaca10> │ │
│ │ shareName = 'WebApp' │ │
│ ╰─────────────────────────────────────────────────────────────────────────────╯ │
│ │
│ /home/kali/.cache/pypoetry/virtualenvs/netexec-cOeBu7w8-py3.11/lib/python3.11/site-packages/impa │
│ cket/smb3.py:1789 in mkdir │
│ │
│ 1786 │ │ │
│ 1787 │ │ fileId = None │
│ 1788 │ │ try: │
│ ❱ 1789 │ │ │ fileId = self.create(treeId, pathName, GENERIC_ALL, FILE_SHARE_READ | FILE_S │
│ 1790 │ │ │ │ │ │ │ │ FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, FIL │
│ 1791 │ │ finally: │
│ 1792 │ │ │ if fileId is not None: │
│ │
│ ╭───────────────────────── locals ──────────────────────────╮ │
│ │ fileId = None │ │
│ │ password = None │ │
│ │ pathName = 'tiTVMWUhOn' │ │
│ │ self = <impacket.smb3.SMB3 object at 0x7f0065d69910> │ │
│ │ shareName = 'WebApp' │ │
│ │ treeId = 9 │ │
│ ╰───────────────────────────────────────────────────────────╯ │
│ │
│ /home/kali/.cache/pypoetry/virtualenvs/netexec-cOeBu7w8-py3.11/lib/python3.11/site-packages/impa │
│ cket/smb3.py:1261 in create │
│ │
│ 1258 │ │ │
│ 1259 │ │ packetID = self.sendSMB(packet) │
│ 1260 │ │ ans = self.recvSMB(packetID) │
│ ❱ 1261 │ │ if ans.isValidAnswer(STATUS_SUCCESS): │
│ 1262 │ │ │ createResponse = SMB2Create_Response(ans['Data']) │
│ 1263 │ │ │ │
│ 1264 │ │ │ openFile = copy.deepcopy(OPEN) │
│ │
│ ╭───────────────────────────────────── locals ─────────────────────────────────────╮ │
│ │ ans = <impacket.smb3structs.SMB2Packet object at 0x7f0064efd550> │ │
│ │ createContexts = None │ │
│ │ creationDisposition = 2 │ │
│ │ creationOptions = 33 │ │
│ │ desiredAccess = 268435456 │ │
│ │ fileAttributes = 0 │ │
│ │ fileEntry = { │ │
│ │ │ 'OpenTable': [], │ │
│ │ │ 'LeaseKey': b"!\x91\xd5_H\xa0@*B^\x824\xd8]\x94'", │ │
│ │ │ 'LeaseState': 0, │ │
│ │ │ 'LeaseEpoch': 0 │ │
│ │ } │ │
│ │ fileName = 'tiTVMWUhOn' │ │
│ │ impersonationLevel = 2 │ │
│ │ oplockLevel = 0 │ │
│ │ packet = <impacket.smb3structs.SMB3Packet object at 0x7f006444bb50> │ │
│ │ packetID = 91 │ │
│ │ pathName = '\\\\192.168.229.188\\tiTVMWUhOn' │ │
│ │ securityFlags = 0 │ │
│ │ self = <impacket.smb3.SMB3 object at 0x7f0065d69910> │ │
│ │ shareMode = 7 │ │
│ │ smb2Create = <impacket.smb3structs.SMB2Create object at 0x7f0064eede50> │ │
│ │ treeId = 9 │ │
│ ╰──────────────────────────────────────────────────────────────────────────────────╯ │
│ │
│ /home/kali/.cache/pypoetry/virtualenvs/netexec-cOeBu7w8-py3.11/lib/python3.11/site-packages/impa │
│ cket/smb3structs.py:458 in isValidAnswer │
│ │
│ 455 │ def isValidAnswer(self, status): │
│ 456 │ │ if self['Status'] != status: │
│ 457 │ │ │ from . import smb3 │
│ ❱ 458 │ │ │ raise smb3.SessionError(self['Status'], self) │
│ 459 │ │ return True │
│ 460 │ │
│ 461 │ def __init__(self, data = None): │
│ │
│ ╭─────────────────────────────────────────── locals ───────────────────────────────────────────╮ │
│ │ self = <impacket.smb3structs.SMB2Packet object at 0x7f0064efd550> │ │
│ │ smb3 = <module 'impacket.smb3' from │ │
│ │ '/home/kali/.cache/pypoetry/virtualenvs/netexec-cOeBu7w8-py3.11/lib/python3.11/sit… │ │
│ │ status = 0 │ │
│ ╰──────────────────────────────────────────────────────────────────────────────────────────────╯ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
SessionError: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
During handling of the above exception, another exception occurred:
╭─────────────────────────────── Traceback (most recent call last) ────────────────────────────────╮
│ /home/kali/craft2/NetExec/nxc/protocols/smb.py:744 in shares │
│ │
│ 741 │ │ │ if not self.args.no_write_check: │
│ 742 │ │ │ │ try: │
│ 743 │ │ │ │ │ self.logger.info(f"Creating directory {temp_dir} in share {share_nam │
│ ❱ 744 │ │ │ │ │ self.conn.createDirectory(share_name, temp_dir) │
│ 745 │ │ │ │ │ self.logger.info(f"Deleting directory {temp_dir} in share {share_nam │
│ 746 │ │ │ │ │ self.conn.deleteDirectory(share_name, temp_dir) │
│ 747 │ │ │ │ │ write = True │
│ │
│ ╭────────────────────────────────────── locals ───────────────────────────────────────╮ │
│ │ Console = <class 'rich.console.Console'> │ │
│ │ e = SessionError() │ │
│ │ error = 'STATUS_ACCESS_DENIED' │ │
│ │ permissions = [ │ │
│ │ │ {'name': 'ADMIN$', 'remark': 'Remote Admin', 'access': []}, │ │
│ │ │ {'name': 'C$', 'remark': 'Default share', 'access': []}, │ │
│ │ │ {'name': 'IPC$', 'remark': 'Remote IPC', 'access': ['READ']} │ │
│ │ ] │ │
│ │ read = True │ │
│ │ self = <protocol.smb object at 0x7f0064eacf90> │ │
│ │ share = <impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at 0x7f006451c7d0> │ │
│ │ share_info = {'name': 'WebApp', 'remark': '', 'access': ['READ']} │ │
│ │ share_name = 'WebApp' │ │
│ │ share_remark = '' │ │
│ │ shares = [ │ │
│ │ │ <impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at 0x7f006451c350>, │ │
│ │ │ <impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at 0x7f006451c4d0>, │ │
│ │ │ <impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at 0x7f006451c650>, │ │
│ │ │ <impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at 0x7f006451c7d0> │ │
│ │ ] │ │
│ │ temp_dir = '\\tiTVMWUhOn' │ │
│ │ user_id = 2 │ │
│ │ write = False │ │
│ ╰─────────────────────────────────────────────────────────────────────────────────────╯ │
│ │
│ /home/kali/.cache/pypoetry/virtualenvs/netexec-cOeBu7w8-py3.11/lib/python3.11/site-packages/impa │
│ cket/smbconnection.py:654 in createDirectory │
│ │
│ 651 │ │ try: │
│ 652 │ │ │ return self._SMBConnection.mkdir(shareName, pathName) │
│ 653 │ │ except (smb.SessionError, smb3.SessionError) as e: │
│ ❱ 654 │ │ │ raise SessionError(e.get_error_code(), e.get_error_packet()) │
│ 655 │ │
│ 656 │ def deleteDirectory(self, shareName, pathName): │
│ 657 │ │ """ │
│ │
│ ╭────────────────────────────────── locals ───────────────────────────────────╮ │
│ │ pathName = '\\tiTVMWUhOn' │ │
│ │ self = <impacket.smbconnection.SMBConnection object at 0x7f0064eaca10> │ │
│ │ shareName = 'WebApp' │ │
│ ╰─────────────────────────────────────────────────────────────────────────────╯ │
╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
SessionError: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
SMB 192.168.229.188 445 CRAFT2 [*] Enumerated shares
INFO SMB 192.168.229.188 445 CRAFT2 [*] Enumerated shares logger.py:121
SMB 192.168.229.188 445 CRAFT2 Share Permissions Remark
INFO SMB 192.168.229.188 445 CRAFT2 Share Permissions Remark logger.py:121
SMB 192.168.229.188 445 CRAFT2 ----- ----------- ------
INFO SMB 192.168.229.188 445 CRAFT2 ----- ----------- ------ logger.py:121
SMB 192.168.229.188 445 CRAFT2 ADMIN$ Remote Admin
INFO SMB 192.168.229.188 445 CRAFT2 ADMIN$ Remote Admin logger.py:121
SMB 192.168.229.188 445 CRAFT2 C$ Default share
INFO SMB 192.168.229.188 445 CRAFT2 C$ Default share logger.py:121
SMB 192.168.229.188 445 CRAFT2 IPC$ READ Remote IPC
INFO SMB 192.168.229.188 445 CRAFT2 IPC$ READ Remote IPC logger.py:121
SMB 192.168.229.188 445 CRAFT2 WebApp READ
INFO SMB 192.168.229.188 445 CRAFT2 WebApp READ logger.py:121
I did more testing with Impacket and found out it cannot create a directory in the share:
$ impacket-smbclient CRAFT2/thecybergeek:[email protected]
Impacket v0.11.0 - Copyright 2023 Fortra
Type help for list of commands
# shares
ADMIN$
C$
IPC$
WebApp
# use WebApp
# mkdir foo
[-] SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
It has no issues with files:
# rm test.txt
# put test.txt
# cat test.txt
test
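Added example, not part of the thread and not NetExec or impacket code: it decodes the access masks quoted above (the share's `SecurityDescriptor`, the `Sddl` from `Get-Acl`, and the `desiredAccess = 268435456` that the traceback shows impacket's `mkdir` sending) and lists which requested rights the share grant for BUILTIN\Users does not cover. It assumes the server compares the requested mask with the share-level grant, which the thread does not confirm; `NARROW_REQUEST` is a hypothetical smaller request used only for comparison.

```python
import re

# Access-right bits for a directory object (Windows file access masks).
RIGHT_NAMES = {
    0x000001: "FILE_LIST_DIRECTORY", 0x000002: "FILE_ADD_FILE",
    0x000004: "FILE_ADD_SUBDIRECTORY", 0x000008: "FILE_READ_EA",
    0x000010: "FILE_WRITE_EA", 0x000020: "FILE_TRAVERSE",
    0x000040: "FILE_DELETE_CHILD", 0x000080: "FILE_READ_ATTRIBUTES",
    0x000100: "FILE_WRITE_ATTRIBUTES", 0x010000: "DELETE",
    0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
# Generic rights and the file-specific masks they map to.
GENERIC_MAP = {
    0x80000000: 0x120089,  # GENERIC_READ    -> FILE_GENERIC_READ
    0x40000000: 0x120116,  # GENERIC_WRITE   -> FILE_GENERIC_WRITE
    0x20000000: 0x1200A0,  # GENERIC_EXECUTE -> FILE_GENERIC_EXECUTE
    0x10000000: 0x1F01FF,  # GENERIC_ALL     -> FILE_ALL_ACCESS
}
# Only the SDDL right abbreviations that occur in the two descriptors below.
SDDL_RIGHTS = {"FA": 0x1F01FF, "GA": 0x10000000, "LC": 0x4, "DC": 0x2}

# Copied from the Get-SmbShare and Get-Acl output above (line wraps removed).
SHARE_SDDL = "O:SYG:SYD:(A;;FA;;;BA)(A;;0x1301bf;;;BU)"
NTFS_SDDL = ("O:BAG:S-1-5-21-537427935-490066102-1511301751-513D:AI"
             "(A;OICI;FA;;;S-1-5-21-537427935-490066102-1511301751-1000)"
             "(A;OICIID;FA;;;S-1-5-21-537427935-490066102-1511301751-1000)"
             "(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)(A;OICIID;0x1200a9;;;BU)"
             "(A;CIID;LC;;;BU)(A;CIID;DC;;;BU)(A;OICIIOID;GA;;;CO)")

GENERIC_ALL = 268435456       # desiredAccess in the impacket traceback
NARROW_REQUEST = 0x100080     # hypothetical: FILE_READ_ATTRIBUTES | SYNCHRONIZE


def to_specific(mask):
    """Replace generic bits with the file-specific rights they stand for."""
    for generic, specific in GENERIC_MAP.items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask


def rights_to_mask(rights):
    """Turn an SDDL rights field (hex or two-letter codes) into a mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    return sum(SDDL_RIGHTS[rights[i:i + 2]] for i in range(0, len(rights), 2))


def granted_mask(sddl, trustee):
    """Union of allow ACEs for `trustee` that apply to the object itself."""
    mask = 0
    for ace in re.findall(r"\(([^)]*)\)", sddl):
        ace_type, flags, rights, _, _, sid = ace.split(";")[:6]
        flag_set = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        if ace_type != "A" or sid != trustee or "IO" in flag_set:
            continue  # skip non-allow, other trustees, inherit-only ACEs
        mask |= to_specific(rights_to_mask(rights))
    return mask


def missing(requested, granted):
    """Rights that were asked for but are not in the grant."""
    return to_specific(requested) & ~granted


def names(mask):
    return [name for bit, name in sorted(RIGHT_NAMES.items()) if mask & bit]


if __name__ == "__main__":
    share = granted_mask(SHARE_SDDL, "BU")
    ntfs = granted_mask(NTFS_SDDL, "BU")
    print("share grant :", hex(share), names(share))
    print("NTFS grant  :", hex(ntfs), names(ntfs))
    print("GENERIC_ALL not covered by share:", names(missing(GENERIC_ALL, share)))
    print("narrow request not covered      :", names(missing(NARROW_REQUEST, share & ntfs)))
```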
Okay so overall you can create files but not directories right? That would explain why it only displays it as readable
Can you try with the following and send the debug output?
pipx install git+https://github.com/Pennyw0rth/NetExec@neff-fix-share-privs
Okay so overall you can create files but not directories right? That would explain why it only displays it as readable
Only with Impacket. Smbclient is capable of creating both, files and directories (https://github.com/Pennyw0rth/NetExec/issues/182#issuecomment-1950230584).
Can you try with the following and send the debug output?
pipx install git+https://github.com/Pennyw0rth/NetExec@neff-fix-share-privs
It fails already during self.conn.createDirectory(share_name, temp_dir), so this modification does not change the result.
$ nxc --debug smb 192.168.186.188 -u thecybergeek -p winniethepooh --shares
[09:09:50] DEBUG PYTHON VERSION: 3.11.7 (main, Dec 8 2023, 14:22:46) [GCC 13.2.0] netexec.py:84
DEBUG RUNNING ON: Linux Release: 6.6.9-amd64 netexec.py:85
DEBUG Passed args: Namespace(threads=100, timeout=None, jitter=None, no_progress=False, verbose=False, debug=True, version=False, netexec.py:86
protocol='smb', target=['192.168.186.188'], cred_id=[], username=['thecybergeek'], password=['winniethepooh'],
ignore_pw_decoding=False, kerberos=False, no_bruteforce=False, continue_on_success=False, use_kcache=False, log=None,
aesKey=None, kdcHost=None, gfail_limit=None, ufail_limit=None, fail_limit=None, module=None, module_options=[],
list_modules=False, show_module_options=False, server='https', server_host='0.0.0.0', server_port=None,
connectback_host=None, hash=[], delegate=None, no_s4u2proxy=False, domain=None, local_auth=False, port=445, share='C$',
smb_server_port=445, gen_relay_list=None, smb_timeout=2, laps=None, sam=False, lsa=False, ntds=None, dpapi=None, mkfile=None,
pvk=None, enabled=False, userntds=None, shares=True, no_write_check=False, filter_shares=None, sessions=False, disks=False,
loggedon_users_filter=None, loggedon_users=False, users=None, groups=None, computers=None, local_groups=None, pass_pol=False,
rid_brute=None, wmi=None, wmi_namespace='root\\cimv2', spider=None, spider_folder='.', content=False, exclude_dirs='',
pattern=None, regex=None, depth=None, only_files=False, put_file=None, get_file=None, append_host=False, exec_method=None,
dcom_timeout=5, get_output_tries=5, codec='utf-8', force_ps32=False, no_output=False, execute=None, ps_execute=None,
obfs=False, amsi_bypass=None, clear_obfscripts=False)
DEBUG Protocol: smb netexec.py:140
DEBUG Protocol Path: /home/kali/.local/share/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/smb.py netexec.py:143
DEBUG Protocol DB Path: /home/kali/.local/share/pipx/venvs/netexec/lib/python3.11/site-packages/nxc/protocols/smb/database.py netexec.py:145
DEBUG Protocol Object: <class 'protocol.smb'> netexec.py:148
DEBUG Protocol DB Object: <class 'protocol.database'> netexec.py:150
DEBUG DB Path: /home/kali/.nxc/workspaces/default/smb.db netexec.py:153
DEBUG Using selector: EpollSelector selector_events.py:54
DEBUG Creating ThreadPoolExecutor netexec.py:42
DEBUG Creating thread for <class 'protocol.smb'> netexec.py:45
INFO Socket info: host=192.168.186.188, hostname=192.168.186.188, kerberos=False, ipv6=False, link-local ipv6=False connection.py:104
DEBUG Kicking off proto_flow connection.py:164
INFO Error creating SMBv1 connection to 192.168.186.188: Error occurs while reading from remote(104) smb.py:487
DEBUG Created connection object connection.py:167
[09:09:51] DEBUG Update Hosts: [{'ip': '192.168.186.188', 'hostname': 'CRAFT2', 'domain': 'CRAFT2', 'os': 'Windows 10 / Server 2019 Build database.py:280
17763', 'dc': None, 'smbv1': False, 'signing': False, 'spooler': None, 'zerologon': None, 'petitpotam': None}]
DEBUG Error logging off system: Error occurs while reading from remote(104) smb.py:246
SMB 192.168.186.188 445 CRAFT2 [*] Windows 10 / Server 2019 Build 17763 x64 (name:CRAFT2) (domain:CRAFT2) (signing:False) (SMBv1:False)
INFO SMB 192.168.186.188 445 CRAFT2 [*] Windows 10 / Server 2019 Build 17763 x64 (name:CRAFT2) logger.py:121
(domain:CRAFT2) (signing:False) (SMBv1:False)
DEBUG Trying to authenticate using plaintext with domain connection.py:407
INFO Error creating SMBv1 connection to 192.168.186.188: Error occurs while reading from remote(104) smb.py:487
DEBUG Adding credential: CRAFT2/thecybergeek:winniethepooh smb.py:365
DEBUG Adding credentials: [{'id': 2, 'domain': 'CRAFT2', 'username': 'thecybergeek', 'password': 'winniethepooh', 'credtype': database.py:347
'plaintext', 'pillaged_from_hostid': None}]
DEBUG smb hosts() - results: [(4, '192.168.186.188', 'CRAFT2', 'CRAFT2', 'Windows 10 / Server 2019 Build 17763', None, False, database.py:495
False, None, None, None)]
DEBUG Inserting loggedin_relations: {'userid': 2, 'hostid': 4} database.py:816
DEBUG Checking if relation was added: [(3, 2, 4)] database.py:822
SMB 192.168.186.188 445 CRAFT2 [+] CRAFT2\thecybergeek:winniethepooh
INFO SMB 192.168.186.188 445 CRAFT2 [+] CRAFT2\thecybergeek:winniethepooh logger.py:121
DEBUG Calling command arguments connection.py:174
DEBUG Calling shares() connection.py:195
DEBUG domain: CRAFT2 smb.py:703
INFO Shares returned: [<impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at 0x7f495e215e50>, <impacket.dcerpc.v5.srvs.SHARE_INFO_1 object smb.py:711
at 0x7f495e215fd0>, <impacket.dcerpc.v5.srvs.SHARE_INFO_1 object at 0x7f495e216150>, <impacket.dcerpc.v5.srvs.SHARE_INFO_1
object at 0x7f495e2162d0>]
DEBUG Error checking READ access on share: STATUS_ACCESS_DENIED smb.py:739
DEBUG Error checking WRITE access on share ADMIN$: STATUS_ACCESS_DENIED smb.py:748
DEBUG Error checking READ access on share: STATUS_ACCESS_DENIED smb.py:739
DEBUG Error checking WRITE access on share C$: STATUS_ACCESS_DENIED smb.py:748
DEBUG Error checking WRITE access on share IPC$: STATUS_PRIVILEGE_NOT_HELD smb.py:748
[09:09:52] DEBUG Error checking WRITE access on share WebApp: STATUS_ACCESS_DENIED smb.py:748
SMB 192.168.186.188 445 CRAFT2 [*] Enumerated shares
INFO SMB 192.168.186.188 445 CRAFT2 [*] Enumerated shares logger.py:121
SMB 192.168.186.188 445 CRAFT2 Share Permissions Remark
INFO SMB 192.168.186.188 445 CRAFT2 Share Permissions Remark logger.py:121
SMB 192.168.186.188 445 CRAFT2 ----- ----------- ------
INFO SMB 192.168.186.188 445 CRAFT2 ----- ----------- ------ logger.py:121
SMB 192.168.186.188 445 CRAFT2 ADMIN$ Remote Admin
INFO SMB 192.168.186.188 445 CRAFT2 ADMIN$ Remote Admin logger.py:121
SMB 192.168.186.188 445 CRAFT2 C$ Default share
INFO SMB 192.168.186.188 445 CRAFT2 C$ Default share logger.py:121
SMB 192.168.186.188 445 CRAFT2 IPC$ READ Remote IPC
INFO SMB 192.168.186.188 445 CRAFT2 IPC$ READ Remote IPC logger.py:121
SMB 192.168.186.188 445 CRAFT2 WebApp READ
INFO SMB 192.168.186.188 445 CRAFT2 WebApp READ logger.py:121
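Reading the debug output above: the Permissions column is built from probe results, so each missing READ or WRITE corresponds to one "Error checking ... access" line and its NT status. The following added example (not NetExec's own code; the function names are hypothetical) parses those probe lines and reports, per share, the column value they imply and the status that blocked WRITE. It assumes the READ probe for a share is logged before its WRITE probe, as in this log.

```python
import re

# Probe lines copied from the debug output above.
DEBUG_LINES = """\
DEBUG Error checking READ access on share: STATUS_ACCESS_DENIED smb.py:739
DEBUG Error checking WRITE access on share ADMIN$: STATUS_ACCESS_DENIED smb.py:748
DEBUG Error checking READ access on share: STATUS_ACCESS_DENIED smb.py:739
DEBUG Error checking WRITE access on share C$: STATUS_ACCESS_DENIED smb.py:748
DEBUG Error checking WRITE access on share IPC$: STATUS_PRIVILEGE_NOT_HELD smb.py:748
[09:09:52] DEBUG Error checking WRITE access on share WebApp: STATUS_ACCESS_DENIED smb.py:748
""".splitlines()

PROBE = re.compile(
    r"Error checking (?P<kind>READ|WRITE) access on share"
    r"(?: (?P<share>[^:]+))?: (?P<status>STATUS_\w+)"
)


def probe_failures(lines):
    """Map share -> {'READ': status, 'WRITE': status} for each failed probe.

    The READ error line carries no share name, so it is held and attached to
    the share named on the next WRITE error line (ordering is an assumption).
    A share whose READ fails but whose WRITE succeeds cannot be resolved.
    """
    failures, pending_read = {}, None
    for line in lines:
        m = PROBE.search(line)
        if not m:
            continue
        if m["kind"] == "READ":
            pending_read = m["status"]
            continue
        entry = failures.setdefault(m["share"], {})
        entry["WRITE"] = m["status"]
        if pending_read:
            entry["READ"] = pending_read
            pending_read = None
    return failures


def explain(failures):
    """Return share -> (implied Permissions column, status that blocked WRITE)."""
    return {
        share: (",".join(p for p in ("READ", "WRITE") if p not in errs), errs["WRITE"])
        for share, errs in failures.items()
    }
```

For WebApp this yields `("READ", "STATUS_ACCESS_DENIED")`: the READ-only cell records that the write probe was refused, which is why it can disagree with a later successful `--put-file`.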
Then it's a bug in impacket 🥲
I will create a separate issue there. Nevertheless, the change in neff-fix-share-privs probably makes sense to merge as it can help in different scenarios.
I have the same issue, any update?! Thank you.
@NeffIsBack was the neff-fix-share-privs not merged?
@whlpentest This looks like an error in Impacket, so we're reliant on them fixing it. Their ticket is linked above.
@Marshall-Hallenbeck yes it was and it did improve the check, but I think it didn't fully solve the root problem. Still no idea what that could be.
@whlpentest can you provide a full debug log and also the different result from your other method (smbclient or what you used)?
Hi, can you help me out with this? I've been facing this error for the last 2-3 days and still haven't found any solution. All shares are accessible, and I even have creds of the local administrator, but netexec is giving me this error. Can you help me with this?
nxc smb 0.0.0.0 -u Test -H 700000000000000000000000 --share DESKTOP-N08O\TEst --put-file NTD.txt '\0.0.0.0\ND.txt'
- Error writing file to share DESKTOP-N08O\TEst: SMB SessionError: STATUS_OBJECT_PATH_NOT_FOUND({Path Not Found} The path %hs does not exist.)
The share parameter only requires the share name and not the Hostname. So try --share TEst
I tried, but I'm still facing this issue. Kindly help me out with this.
nxc smb 1.1.1.1 -u r -H E750000000000000000000003 --share TEst --put-file ND.txt '\1.1.1.1\TEst\ND.txt'
SMB 1.1.1.1 445 DESKTOP-N0 [] Windows 10.0 x (name:DESKTOP-N0) (domain:DESKTOP-N0) (signing:False) (SMBv1:False)
SMB 1.1.1.1 445 DESKTOP-N0 [+] DESKTOP-N0\r:D00000000000000000D3 (Pwn3d!)
SMB 1.1.1.1 445 DESKTOP-N0 [] Copying ND.txt to '\1.1.1.1\TEst\ND.txt'
SMB 1.1.1.1 445 DESKTOP-N0 [-] Error writing file to share TEst: SMB SessionError: STATUS_OBJECT_PATH_NOT_FOUND({Path Not Found} The path %hs does not exist.)
The same goes for the --put-file command :) no need for an IP, your path should start from the share root location
Edit: you also need double backslashes. Take a look at the wiki for an example
Hello, first of all, thanks for your reply. Now one issue: I was able to share a .txt file, but when I tried sharing an .exe I'm still facing the same error. Is there anything I'm doing wrong or missing? Help me.
C:\Users\Administrator\Desktop\Lateral movement tools1\Password-spraying>nxc smb 190.110.00.13 -u Ar -H D368000000848E79A6E75CFAF0754D3 --share TEst --put-file BInstaller.exe \TEst\BInstaller.exe
SMB 190.110.00.13 445 DESKTOP-NC [] Windows 10.0 Build 19041 x64 (name:DESKTOP-NC) (domain:DESKTOP-NC) (signing:False) (SMBv1:False)
SMB 190.110.00.13 445 DESKTOP-NC [+] DESKTOP-NC\Ar:D368000000D848E79A6E75CFAF0754D3 (Pwn3d!)
SMB 190.110.00.13 445 DESKTOP-NC [] Copying BInstaller.exe to \TEst\BInstaller.exe
SMB 190.110.00.13 445 DESKTOP-NC [-] Error writing file to share TEst: SMB SessionError: STATUS_OBJECT_PATH_NOT_FOUND({Path Not Found} The path %hs does not exist.)