Academy SMB footprinting (module/112/section/1067)

Hi!

On the last 2 questions I’m struggling:

  1. Find additional information about the specific share we found previously and submit the customized version of that specific share as the answer.
  2. What is the full system path of that specific share?

I tried smbclient, rpcclient, nmap and enum4linux-ng on the target. I couldn’t find “additional information” that could lead to a “customized version of that specific share”. Maybe I don’t get the question… With the help of enum4linux-ng I found out that there are 2 possibilities to log in - as an anonymous user and as “xxxx” user with pass “”.

I tried to log in as that user (the name changes with every IP refresh) with no pass (as described) and it doesn’t work.

rpcclient -U xxxx ‘ip address’

rpcclient -U frmfmxzo 10.129.202.5
Enter WORKGROUP\frmfmxzo’s password:
Bad SMB2 signature for message
[0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 … …
[0000] CE F5 68 A0 FB AF DD 5E BC 7D EB 95 75 1B 43 22 …h…^ .}…u.C"

If anybody can help me understand the last 2 questions, I would be grateful.
Thank you!

It was SOLVED.

I am having the same issue. How did you solve it?

are.

rpcclient $> netsharegetinfo sambashare
netname: sambashare
remark: InFreight SMB v3.1
path: C:\home\sambauser
password:
type: 0x0
perms: 0
max_uses: -1
num_uses: 1

The answer is InFreight SMB v3.1

3 Likes

For the system path:

1 Like

Thank you

How did you manage to find the path? I try the enumdomusers but nothing comes out of it. I tried the queryuser with 0x1f5 but it doesn't give me any paths. How can I solve it, please?

Thank you!!

Remember! In the case where you can’t enumerate users manually, you always have the option of brute forcing the enumeration by running the queryuser command. Check out the academy module if you have forgotten how to do this.