2 :139 :445 smb

| smb-vuln-cve-2017-7494:
|   VULNERABLE:
|   SAMBA Remote Code Execution from Writable Share
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2017-7494
|     Risk factor: HIGH  CVSSv3: 7.5 (HIGH) (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
|       All versions of Samba from 3.5.0 onwards are vulnerable to a remote
|       code execution vulnerability, allowing a malicious client to upload a
|       shared library to a writable share, and then cause the server to load
|       and execute it.

$ nmap -p 139,445 --script=smb-enum-shares.nse,smb-enum-users.nse 192.168.71.76
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-13 14:00 PDT
Nmap scan report for 192.168.71.76
Host is up (0.073s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\192.168.71.76\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (photographer server (Samba, Ubuntu))
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\192.168.71.76\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\var\lib\samba\printers
|     Anonymous access: <none>
|     Current user access: <none>
|   \\192.168.71.76\sambashare:
|     Type: STYPE_DISKTREE
|     Comment: Samba on Ubuntu
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\home\agi\share
|     Anonymous access: READ/WRITE
|_    Current user access: READ/WRITE

$ smbmap -H 192.168.71.76
[+] Guest session       IP: 192.168.71.76:445   Name: 192.168.71.76
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        sambashare                                              READ ONLY       Samba on Ubuntu
        IPC$                                                    NO ACCESS       IPC Service (photographer server (Samba, Ubuntu))
		
$ smbclient //192.168.71.76/sambashare
Enter WORKGROUP\kashz's password:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Aug 20 08:51:08 2020
  ..                                  D        0  Thu Aug 20 09:08:59 2020
  mailsent.txt                        N      503  Mon Jul 20 18:29:40 2020
  wordpress.bkp.zip                   N 13930308  Mon Jul 20 18:22:23 2020

$ cat mailsent.txt
Message-ID: <4129F3CA.2020509@dc.edu>
Date: Mon, 20 Jul 2020 11:40:36 -0400
From: Agi Clarence <agi@photographer.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Daisa Ahomi <daisa@photographer.com>
Subject: To Do - Daisa Website's
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Hi Daisa!
Your site is ready now.
Don't forget your secret, my babygirl ;)

# wp-config.php is missing in wordpress
Previous3 :80 Next1 recon
Last updated 3 years ago