-
Notifications
You must be signed in to change notification settings - Fork 229
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SMB: incorrect share permissions #182
Comments
@tstdin I don't have an Offsec subscription, is this something you are able to assist us with fixing? |
@Marshall-Hallenbeck Yes, I can try. Let me know what information would help. |
@tstdin Are you able to create a folder inside the WebApp share, or just a file? I also noticed that the output for fetching a file doesn't prepend the share name, so we should probably fix that as well. |
Yes, creating folder works fine.
|
That is indeed weird, netexec checks the read/write permissions with listing and creating/deleting a folder. Can you provide an output with |
|
Could it be, that you are using an account that is local admin and try to create a directory/file in a place where you would need Admin privileges, so UAC is preventing the write access? That would not explain why smbclient is able to do it tho. |
Adding more context. User:
Upload directory permissions:
|
Can you run smbclient with debug flag @tstdin ? |
|
Additional details:
|
I think I understand why, can you delete the directory you just created ? We check if you can create and delete, but if delete fails, then it's like create didn't work either try:
self.conn.createDirectory(share_name, temp_dir)
self.conn.deleteDirectory(share_name, temp_dir)
write = True
share_info["access"].append("WRITE")
except SessionError as e:
error = get_error_string(e)
self.logger.debug(f"Error checking WRITE access on share: {error}") So my guess, you can create but not delete which seem about what we saw on the get acl output
So yep, this is a bug, congratz for the finding ! 🎉 |
@mpgn Weirdly, I am actually able to successfully delete the directory using smbclient. |
Is the setup something we can easily recreate for testing? |
I did more testing with Impacket and found out it cannot create a directory in the share:
|
In has no issues with files:
|
Okay so overall you can create files but not directories right? That would explain why it only displays it as readable |
Can you try with the following and send the debug output? |
Only with Impacket. Smbclient is capable of creating both, files and directories (#182 (comment)).
It fails already during
|
Then it's a bug in impacket 🥲 |
I will create a separate issue there. Nevertheless, the change in neff-fix-share-privs probably makes sense to merge as it can help in different scenarios. |
I have the same issue, any update?! |
@NeffIsBack was the @whlpentest This looks like an error in Impacket, so we're reliant on them fixing it. Their ticket is linked above. |
@Marshall-Hallenbeck yes it was and it did improve the check, but i think didn't fully solve the root problem. Still no idea what that could be. @whlpentest can you provide a full debug log and also the different result from your other method (smbclient or what you used)? |
Describe the bug
Working on Proving Grounds machine Craft2 from Offsec , I encountered a situation when NetExec reported share permissions as READ only, even though WRITE was allowed (and actually required for exploitation).
To Reproduce
List SMB shares:
Share WebApp has only permission READ listed. We can however upload a file in this share:
Expected behavior
Correctly recognize share permissions.
NetExec info
pipx install git+https://github.com/Pennyw0rth/NetExec
The text was updated successfully, but these errors were encountered: