2 :139 :445 smb
$ nmap -p 139,445 --script=smb-enum-shares.nse,smb-enum-users.nse $ip -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-23 11:33 PDT
Nmap scan report for 192.168.175.64
Host is up (0.072s latency).
Host script results:
| smb-enum-shares:
| account_used: guest
| \\192.168.175.64\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (Samba 4.9.5-Debian)
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\192.168.175.64\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
| Current user access: <none>
| \\192.168.175.64\zino:
| Type: STYPE_DISKTREE
| Comment: Logs
| Users: 0
| Max Users: <unlimited>
| Path: C:\home\peter
| Anonymous access: READ
|_ Current user access: READ
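When auditing your own Samba hosts, the smb-enum-shares output above can be checked mechanically for disk shares that allow guest access. This is an added example, not part of the original notes; the function names are hypothetical and the sample input is the scan output above, trimmed to the fields the check uses.

```python
import re

# Scan output from the session above, trimmed to the fields used below.
SAMPLE = r"""
| smb-enum-shares:
| \\192.168.175.64\IPC$:
| Type: STYPE_IPC_HIDDEN
| Path: C:\tmp
| Anonymous access: READ/WRITE
| \\192.168.175.64\print$:
| Type: STYPE_DISKTREE
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
| \\192.168.175.64\zino:
| Type: STYPE_DISKTREE
| Comment: Logs
| Path: C:\home\peter
| Anonymous access: READ
|_ Current user access: READ
"""

# A share header looks like \\host\sharename:
SHARE_RE = re.compile(r"^\\\\[^\\]+\\(?P<name>.+):$")

def parse_shares(text):
    """Return {share_name: {field: value}} from smb-enum-shares script output."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = re.sub(r"^\|_?\s*", "", raw.strip())  # drop nmap's "| " / "|_ " prefix
        m = SHARE_RE.match(line)
        if m:
            current = shares.setdefault(m.group("name"), {})
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            current[key] = value
    return shares

def anonymous_disk_shares(text):
    """Disk shares reachable without credentials (the IPC$ pipe share is skipped)."""
    findings = []
    for name, f in parse_shares(text).items():
        access = f.get("Anonymous access", "<none>")
        if f.get("Type") == "STYPE_DISKTREE" and access != "<none>":
            findings.append((name, access, f.get("Path", "?")))
    return findings

if __name__ == "__main__":
    for name, access, path in anonymous_disk_shares(SAMPLE):
        print(f"[!] {name}: anonymous {access} -> {path}")
```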
$ smbmap -H $ip
[+] IP: 192.168.175.64:445 Name: 192.168.175.64
Disk Permissions Comment
---- ----------- -------
zino READ ONLY Logs
print$ NO ACCESS Printer Drivers
IPC$ NO ACCESS IPC Service (Samba 4.9.5-Debian)
$ smbclient //192.168.175.64/zino
Enter WORKGROUP\kashz's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Jul 9 12:11:49 2020
.. D 0 Tue Apr 28 06:38:53 2020
.bash_history H 0 Tue Apr 28 08:35:28 2020
error.log N 265 Tue Apr 28 07:07:32 2020
.bash_logout H 220 Tue Apr 28 06:38:53 2020
local.txt N 33 Mon Aug 23 11:26:47 2021
.bashrc H 3526 Tue Apr 28 06:38:53 2020
.gnupg DH 0 Tue Apr 28 07:17:02 2020
.profile H 807 Tue Apr 28 06:38:53 2020
misc.log N 424 Tue Apr 28 07:08:15 2020
auth.log N 368 Tue Apr 28 07:07:54 2020
access.log N 5464 Tue Apr 28 07:07:09 2020
ftp D 0 Tue Apr 28 07:12:56
# definitely some /home/user directory
# we got local.txt
$ cat auth.log
Apr 28 08:16:54 zino groupadd[1044]: new group: name=peter, GID=1001
Apr 28 08:16:54 zino useradd[1048]: new user: name=peter, UID=1001, GID=1001, home=/home/peter, shell=/bin/bash
Apr 28 08:17:01 zino passwd[1056]: pam_unix(passwd:chauthtok): password changed for peter
Apr 28 08:17:01 zino CRON[1058]: pam_unix(cron:session): session opened for user root by (uid=0)
$ cat error.log
[Tue Apr 28 08:04:48.610828 2020] [mpm_prefork:notice] [pid 498] AH00163: Apache/2.4.38 (Debian) mod_wsgi/4.6.5 Python/2.7 configured -- resuming normal operations
[Tue Apr 28 08:04:48.610841 2020] [core:notice] [pid 498] AH00094: Command line: '/usr/sbin/apache2'
$ cat misc.log
Apr 28 08:39:01 zino systemd[1]: Starting Clean php session files...
Apr 28 08:39:01 zino CRON[2791]: (CRON) info (No MTA installed, discarding output)
Apr 28 08:39:01 zino systemd[1]: phpsessionclean.service: Succeeded.
Apr 28 08:39:01 zino systemd[1]: Started Clean php session files.
Apr 28 08:39:01 zino systemd[1]: Set application username "admin"
Apr 28 08:39:01 zino systemd[1]: Set application password "adminadmin"
$ cat access.log
# contains requests for different URIs
GET /booked/
GET /booked/Web/
GET /booked/Web/dashboard.php